[asterisk-users] iptables example

Scott Wolfe scottwolfe at orbus.net
Wed Nov 29 02:35:10 MST 2006


I use BFD on several of my servers. Works great. http://www.rfxnetworks.com/bfd.php 
  ----- Original Message ----- 
  From: Jeronimo Romero 
  To: Asterisk Users Mailing List - Non-Commercial Discussion 
  Sent: Tuesday, November 28, 2006 11:54 PM
  Subject: [asterisk-users] iptables example


  Hey everyone.  I recently installed a server at a datacenter offsite and the thing is getting hammered with invalid ssh logins so I decided to use some iptables. 

  I included my ruleset here. I was wondering if I could get some feedback based on my ruleset from those of you using iptables in production systems.  It seems to be working but some critique would be appreciated.  Thanks.

  #!/bin/sh

  # My system IP/set ip address of server
  SERVER_IP="x.x.x.x"

  # Flushing all rules
  iptables -F
  iptables -X

  # Setting default filter policy
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Allow unlimited traffic on loopback
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT

  # Allow replies to connections this host initiated (DNS, NTP, outbound SIP
  # registrations) and the later packets of accepted inbound connections.
  # Without this rule every service below except SSH, whose rules also match
  # ESTABLISHED, would lose everything after the first packet to the DROP policy.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Allow incoming ssh only from secure hosts
  # (--sport 513:65535 only admits clients connecting from source port 513 or above)
  iptables -A INPUT -p tcp -s x.x.x.x -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp -s x.x.x.x -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

  # Allow http & Asterisk related traffic
  iptables -A INPUT -p tcp -i eth0 --dport 80 -m state --state NEW -j ACCEPT

  # SIP on UDP (signalling is on 5060; this range also opens 5004-5059 and 5061-5082)
  iptables -A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT

  # IAX2
  iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

  # IAX (version 1)
  iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

  # RTP - the media stream (must match rtpstart/rtpend in rtp.conf)
  iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

  # Explicit drop: redundant with the INPUT DROP policy, but makes the intent clear
  iptables -A INPUT -j DROP

  # This accept-all rule overrides the OUTPUT DROP policy set above, so outbound traffic is unrestricted
  iptables -A OUTPUT -j ACCEPT


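The script below is an added example and not the ruleset from the post. It is a stateful variant of the same design: a single ESTABLISHED,RELATED rule placed before the per-service rules so that each service only needs to admit NEW packets, and an in-kernel throttle on repeated new SSH connections using the iptables `recent` match, which works independently of any log parsing. The server address 192.0.2.10, the admin sources 198.51.100.0/24 and 203.0.113.5, the interface eth0 and the RTP range are placeholders to replace. By default the commands are only printed; run it with `APPLY=1` as root to load them.

```shell
#!/bin/sh
# Added example, not the script from the post: stateful ruleset with SSH
# throttling. Dry run by default; APPLY=1 runs the iptables commands.
# All addresses, the interface and the RTP range are placeholders.

APPLY="${APPLY:-0}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"                        # placeholder
ADMIN_NETS="${ADMIN_NETS:-198.51.100.0/24 203.0.113.5}"     # placeholder admin sources
WAN_IF="${WAN_IF:-eth0}"                                    # placeholder
RTP_RANGE="${RTP_RANGE:-10000:20000}"   # keep in step with rtpstart/rtpend in rtp.conf

# Run one iptables command, or print it when not applying.
ipt() {
    if [ "$APPLY" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT          # outbound is unrestricted, so say so in the policy

    ipt -A INPUT -i lo -j ACCEPT

    # Replies to traffic this host started (DNS, NTP, SIP registrations) and
    # the later packets of accepted inbound connections. Must precede the
    # per-service rules, which then only have to admit NEW.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # ICMP (echo, and the unreachables path-MTU discovery needs), rate limited.
    ipt -A INPUT -p icmp -m limit --limit 5/second -j ACCEPT

    # SSH guard: a source opening its 4th new connection within 60 seconds
    # is dropped; otherwise the attempt is recorded and accepted.
    ipt -N SSH_GUARD
    ipt -A SSH_GUARD -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
    ipt -A SSH_GUARD -m recent --name ssh --set -j ACCEPT
    for net in $ADMIN_NETS; do
        ipt -A INPUT -i "$WAN_IF" -p tcp -s "$net" -d "$SERVER_IP" --dport 22 \
            -m state --state NEW -j SSH_GUARD
    done

    # Web and Asterisk services; everything after the first packet rides on
    # the ESTABLISHED,RELATED rule above.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 5060 -j ACCEPT          # SIP signalling
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 4569 -j ACCEPT          # IAX2
    ipt -A INPUT -i "$WAN_IF" -p udp --dport 5036 -j ACCEPT          # IAX (v1)
    ipt -A INPUT -i "$WAN_IF" -p udp --dport "$RTP_RANGE" -j ACCEPT  # RTP media

    # Log what falls through before the DROP policy takes it, rate limited so
    # a flood cannot fill the disk.
    ipt -A INPUT -m limit --limit 2/minute -j LOG --log-prefix "INPUT DROP: "
}

build_rules
```

In the dry run the printed lines are the exact sequence that would be loaded, which makes the rule order easy to review: the ESTABLISHED,RELATED rule must come before any service rule, and the SSH_GUARD chain is consulted only for NEW packets from the admin sources, so an already-open admin session is never counted against the hit limit.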
