[Asterisk-Security] Asterisk security --Firewall setting

johnny johnny_xing at banshing.com
Mon Nov 6 18:55:47 MST 2006


Hi, everybody.

Currently I have incurred some problems with Asterisk security. Initially I did
not set up any firewall for my server, and unluckily it has been hacked by
someone. I then modified my iptables as below. Currently I have two Ethernet
cards: eth0 for net access and eth1 for the internal LAN network. I only want
to block the ports for eth0 and allow anything for eth1, but the current
setting will block any other ports for both eth0 and eth1. Does anybody know how
to set it? Or, instead of it, does anybody know how to set a professional
firewall for an Asterisk server?

Thanks in advance.

============================================================================

*filter
:INPUT ACCEPT [60713:10783188]
# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
# sometimes SIP is on port 5061 or 5062
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# IAX2 the IAX protocol
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# IAX
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# RTP : the media stream
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# SSH? : Secure shell sessions, open at port 22
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# httpd open at port 80.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# stop all other ports.
-A INPUT -j DROP
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [53370:9153725]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Thu Nov  2 17:16:22 2006

# Generated by iptables-save v1.2.11 on Thu Nov  2 17:16:22 2006
*nat
:PREROUTING ACCEPT [1469:101523]
:POSTROUTING ACCEPT [284:18747]
:OUTPUT ACCEPT [290:19275]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Nov  2 17:16:22 2006

==================================================================

Best Regards

Johnny    Xing Haipeng
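
Added example (not part of the original post, and not Asterisk project code): a small Python model of first-match evaluation over the INPUT chain as posted. It shows why eth1 traffic also falls through to the final DROP, next to an assumed corrected chain that accepts loopback, eth1 and established replies before the per-port rules. Only the -i, -p, --dport and --state matches are modelled; FIXED, parse, verdict and the probe port 8080 are constructed for illustration.

```python
# INPUT rules exactly as posted: none names an interface, so the final
# DROP applies to eth1 (LAN) as well as eth0 (Internet).
POSTED = """\
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
"""

# Assumed correction (not from the post): trust loopback and the LAN card,
# let replies to the server's own outbound traffic back in, then apply the
# posted per-port rules, which now only ever see new traffic from eth0.
FIXED = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
""" + POSTED

def parse(rules):
    """Return one {option: value} dict per '-A INPUT' line."""
    chain = []
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] == ["-A", "INPUT"]:
            # Every option used here takes exactly one value ('!' is not handled).
            chain.append(dict(zip(tok[2::2], tok[3::2])))
    return chain

def verdict(rules, iface, proto, dport, state="NEW", policy="ACCEPT"):
    """First matching rule wins; the chain policy applies if none match."""
    for r in parse(rules):
        lo, _, hi = r.get("--dport", "0:65535").partition(":")
        if r.get("-i", iface) != iface or r.get("-p", proto) != proto:
            continue
        if not int(lo) <= dport <= int(hi or lo):
            continue
        if state not in r.get("--state", state).split(","):
            continue
        return r["-j"]
    return policy

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        for iface in ("eth0", "eth1"):
            print(name, iface, "tcp/8080 ->", verdict(rules, iface, "tcp", 8080))
```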