SIP Server iptables Sample Firewall Rules
SIP Server protection
iptables rules
# Rate-limit SIP REGISTER floods: record every source in the "VOIP" recent list,
# then drop a source once it has sent 12 or more REGISTERs within 60 seconds.
# The rules are appended (-A) so they are evaluated in the order listed below;
# inserting each one with -I would put it above the previous one, so the final
# catch-all DROP would be evaluated first and block all SIP traffic.
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name VOIP --rsource
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
# Same protection for INVITE floods, tracked in a separate "VOIPINV" list
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --set --name VOIPINV --rsource
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP
# Accept the remaining SIP signalling at no more than 6 packets/sec per source address, drop everything else on 5060
iptables -A INPUT -p udp -m hashlimit --hashlimit 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060 -j DROP
# RTP - the media stream
# (related to the port range in /etc/asterisk/rtp.conf)
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# MGCP - if you use media gateway control protocol in your configuration
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
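To see what the two "recent" rule pairs above do to a flood, here is an added Python model (not code from the page or its author) of the -m recent --set / --update --seconds 60 --hitcount 12 --rttl logic, run over constructed SIP traffic. It simplifies the kernel xt_recent match: an entry is keyed by (source, TTL) because of --rsource --rttl, --set always records a timestamp, and --update matches only when the source already has at least 12 timestamps inside the 60-second window, recording another one on a match. The 20-timestamp ring per entry is an assumption based on the module's default list size, the hashlimit and final DROP stages are not modelled, and the addresses and hostnames are made up. It goes one step beyond the rules as written by also showing that a source which keeps sending stays blocked after the first 60 seconds.

```python
from collections import defaultdict, deque

# Parameters of the page's two "recent" rule pairs
SECONDS = 60   # --seconds 60
HITCOUNT = 12  # --hitcount 12
RING = 20      # assumption: timestamps kept per entry (xt_recent default list size)


class RecentList:
    """Simplified model of one xt_recent list (one --name)."""

    def __init__(self, ring=RING):
        # --rsource --rttl: an entry is keyed by (source address, TTL)
        self.entries = defaultdict(lambda: deque(maxlen=ring))

    def set(self, key, now):
        """--set: always matches and records a timestamp for the source."""
        self.entries[key].append(now)

    def update(self, key, now, seconds=SECONDS, hitcount=HITCOUNT):
        """--update --seconds --hitcount: matches only if the source is already
        listed with at least `hitcount` timestamps in the last `seconds`;
        on a match the current packet is recorded as well."""
        stamps = self.entries.get(key)  # .get() does not create an entry
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if now - s <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


# The four "recent" rules from the page, in evaluation order:
# (payload string match, list name, action)
RULES = [
    ("REGISTER sip:", "VOIP", "set"),
    ("REGISTER sip:", "VOIP", "update-drop"),
    ("INVITE sip:", "VOIPINV", "set"),
    ("INVITE sip:", "VOIPINV", "update-drop"),
]


def run_chain(packets):
    """Evaluate the rules for each packet and return one verdict per packet.
    'DROP' means an --update rule fired; 'CONTINUE' means the packet would go
    on to the hashlimit ACCEPT / final DROP rules, which are not modelled."""
    lists = {"VOIP": RecentList(), "VOIPINV": RecentList()}
    verdicts = []
    for now, src, ttl, payload in packets:
        verdict = "CONTINUE"
        for needle, name, action in RULES:
            if needle not in payload:      # -m string --string "<needle>"
                continue
            key = (src, ttl)
            if action == "set":
                lists[name].set(key, now)
            elif lists[name].update(key, now):
                verdict = "DROP"
                break                      # -j DROP ends chain traversal
        verdicts.append(verdict)
    return verdicts


def sample_packets():
    """Constructed traffic: (time_s, source, ttl, start of SIP request line).
    Addresses come from the TEST-NET documentation ranges."""
    scanner, phone = "198.51.100.7", "192.0.2.10"
    pkts = []
    # scanner: one REGISTER per second for 15 s, then one more 50 s later
    for t in list(range(15)) + [65]:
        pkts.append((float(t), scanner, 54, "REGISTER sip:pbx.example SIP/2.0"))
    # legitimate phone: re-registers every 10 s
    for t in range(0, 60, 10):
        pkts.append((float(t), phone, 64, "REGISTER sip:pbx.example SIP/2.0"))
    # an INVITE from the scanner is counted in VOIPINV, not in VOIP
    pkts.append((15.0, scanner, 54, "INVITE sip:1000@pbx.example SIP/2.0"))
    return sorted(pkts, key=lambda p: p[0])


def dropped_times(packets, verdicts, src):
    """Times at which packets from `src` were dropped."""
    return [p[0] for p, v in zip(packets, verdicts) if p[1] == src and v == "DROP"]


if __name__ == "__main__":
    pkts = sample_packets()
    verdicts = run_chain(pkts)
    for (t, src, ttl, payload), v in zip(pkts, verdicts):
        print(f"t={t:5.1f}s {src:14} {payload.split()[0]:8} -> {v}")
```

Because --set runs before --update for each packet, the scanner's 12th REGISTER inside the window is the first one dropped (t=11 s), and the phone registering six times a minute is never touched. The REGISTER sent at t=65 s is still dropped: the --set rule keeps recording even the dropped packets, so a source only leaves the blocked state after it stops sending for long enough that fewer than 12 timestamps remain in the window.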
Sample script
#!/bin/bash
EXIF="eth0"

# Clear any existing firewall stuff before we start
/sbin/iptables --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.

# Allow connections from my machines
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 109.161.251.214 -j ACCEPT

/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Accept all incoming traffic associated with an established connection, or a "related" connection
/sbin/iptables -A INPUT -i $EXIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Check that new packets are SYN packets, for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets
/sbin/iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets (all TCP flags set)
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop null packets (no TCP flags set)
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Allow connections to port 4501 (ssh). You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 4501 -m state --state NEW -j ACCEPT

# Allow connections to port 4500 (Webmin). You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 4500 -m state --state NEW -j ACCEPT

# Allow connections to ports 80 and 443 (www). You can add other ports you need in here
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 80 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 443 -m state --state NEW -j ACCEPT

# Allow connections from my machines
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 80.241.212.93 -j ACCEPT

# Allow SIP connections (signalling on 5060, RTP media on 10000-20000)
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 5060 -m udp -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF --dport 5060 -m tcp -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF --dport 10000:20000 -m udp -j ACCEPT

# Allow icmp echo requests so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log then drop any packets that are not allowed. You will probably want to turn off the logging
#/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
Source: Ahmad Sabry ElGendi