[Asterisk-Security] Asterisk security --Firewall setting

Greg Hill gregh-asterisk at hillnet.us
Mon Nov 6 21:32:24 MST 2006


Well... This list is actually intended to discuss security of Asterisk, 
not firewalling in general. But read up on iptables, and the -i option in 
particular.  Then modify the rules on your "INPUT" chain.

Greg


On Tue, 7 Nov 2006, johnny wrote:

> Hi, everybody.
>
> Currently I incurred some problems with asterisk security. Initially I did
> not set any firewall for my server and unluckily it has been hacked by
> someone. And I modified my iptables as below, and currently I have two Ethernet
> cards, eth0 for net access, and eth1 for internal LAN network. I only want
> to block the ports for the eth0 and allow anything for eth1. But the current
> setting will block any other ports for both eth0 and eth1. Anybody know how
> to set it? Or instead of it, anybody know how to set a professional firewall
> for Asterisk server?
>
> Thanks in advance.
>
> ============================================================================
>
> *filter
> :INPUT ACCEPT [60713:10783188]
> # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
> #sometimes SIP is on port 5061 or 5062
> -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
> #IAX2 the IAX protocol
> -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
> # IAX
> -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
> # RTP : the media stream
> -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
> # SSH? : Secure shell sessions, open at port 22
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> # httpd open at port 80.
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> # stop all other ports.
> -A INPUT -j DROP
>
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [53370:9153725]
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -j ACCEPT
> -A FORWARD -j LOG
>
> COMMIT
> # Completed on Thu Nov  2 17:16:22 2006
> # Generated by iptables-save v1.2.11 on Thu Nov  2 17:16:22 2006
> *nat
> :PREROUTING ACCEPT [1469:101523]
> :POSTROUTING ACCEPT [284:18747]
> :OUTPUT ACCEPT [290:19275]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Thu Nov  2 17:16:22 2006
> ==================================================================
>
> Best Regards
>
> Johnny    Xing Haipeng
>
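As an added illustration of Greg's pointer (not code from either poster), here is Johnny's ruleset rewritten in the same iptables-restore format so that the port filtering applies only to eth0 and eth1 is left open. It assumes eth0 faces the Internet and eth1 the LAN, as stated in the question, and keeps the same port list; the loopback, state-tracking and LOG rules are additions of this example.

```iptables
# Added example, not part of the original thread. Assumes eth0 is the
# Internet-facing interface and eth1 the trusted LAN, as in Johnny's mail.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and the trusted LAN side are unrestricted.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
# Replies to connections the server itself opened (DNS, NTP, outbound SIP
# registrations) arrive on eth0 from arbitrary ports; without this rule the
# original ruleset dropped them too.
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only the Asterisk services are exposed on eth0. Every rule carries
# -i eth0, so none of them can match traffic arriving on eth1.
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5036 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 10000:20000 -j ACCEPT
# Management ports kept as in the question; restricting them to eth1 only,
# or to a known source with -s, would shrink the exposed surface further.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Log (rate-limited) and drop everything else that arrives on eth0, so probes
# against the public side show up in the syslog.
-A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "eth0-drop: "
-A INPUT -i eth0 -j DROP
# FORWARD and NAT rules unchanged from the original post.
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
```

Load it with `iptables-restore < file` and confirm with `iptables -L INPUT -v -n` that the `in` column reads eth0 on every port rule and that the eth1 ACCEPT rule sits above them.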

