[asterisk-users] Firewall Issue
RSCL Mumbai
rscl.mumbai at gmail.com
Sat Aug 6 01:35:09 CDT 2011
Hi,
I seem to be facing an intrusion issue, in spite of the firewall (script attached).
What am I missing?
Any suggestions / recommendations are welcome, please.
Best regards,
Sans
-------------- next part --------------
#!/bin/bash
echo 0 > /proc/sys/net/ipv4/ip_forward
# Clear any existing firewall stuff before we start
/sbin/iptables --flush
# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT ACCEPT
# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow returning packets
/sbin/iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow incoming traffic on port 8000 for the web server & 2200 for SSH
/sbin/iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2200 -j ACCEPT
#############################################################################
###################### RESTRICTED SIP ACCESS ################################
#############################################################################
# LAN
/sbin/iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 10000:20000 -j ACCEPT
# Allow traffic from VoIP Service Provider
/sbin/iptables -A INPUT -p udp -i eth1 -s 11.11.11.11 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 -s 11.11.11.11 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 -s 11.11.11.11 --dport 10000:20000 -j ACCEPT
# Check new packets are SYN packets for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragmented packets
/sbin/iptables -A INPUT -f -j DROP
# Drop malformed XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop null packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Log and drop any packets that are not allowed. You will probably want to turn off the logging
#/sbin/iptables -A INPUT -j LOG --log-level 4
/sbin/iptables -A INPUT -j REJECT
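An added audit, not part of the original post or the thread: a Python script that parses a constructed copy of the posted INPUT rules and reports the two things a reviewer of this ruleset would check first, services ACCEPTed with no interface or source restriction, and TCP ACCEPT rules placed before the "! --syn NEW DROP" check, which that check therefore never sees. It assumes eth1 is the WAN side and eth0 the LAN side, which the post does not state.

```python
import shlex

# Constructed excerpt of the posted INPUT rules (assumption: eth1 = WAN, eth0 = LAN).
RULESET = """
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2200 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 -s 11.11.11.11 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -j REJECT
"""

def parse_rule(line):
    """Reduce one 'iptables -A INPUT ...' line to the options the audit looks at."""
    argv = shlex.split(line)
    rule = {"iface": None, "src": None, "proto": None, "dport": None,
            "target": None, "syn_check": False}
    flags = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in flags and i + 1 < len(argv):
            rule[flags[a]] = argv[i + 1]
            i += 1
        elif a == "!" and i + 1 < len(argv) and argv[i + 1] == "--syn":
            rule["syn_check"] = True  # the '! --syn' anti-spoof / stray-packet check
            i += 1
        i += 1
    return rule

def audit(ruleset):
    """Return human-readable findings for the INPUT chain, in rule order."""
    findings = []
    rules = [parse_rule(l) for l in ruleset.strip().splitlines() if "-A INPUT" in l]
    # Position of the '! --syn ... NEW -j DROP' rule; rules before it bypass the check.
    syn_idx = next((n for n, r in enumerate(rules)
                    if r["syn_check"] and r["target"] == "DROP"), None)
    for n, r in enumerate(rules):
        if r["target"] != "ACCEPT" or not r["dport"]:
            continue  # only service-opening ACCEPT rules are audited
        svc = f"{r['proto']}/{r['dport']}"
        if r["iface"] is None and r["src"] is None:
            findings.append(f"{svc}: open on every interface from any source")
        if syn_idx is not None and n < syn_idx and r["proto"] == "tcp":
            findings.append(f"{svc}: accepted before the SYN check, so the check never applies")
    return findings

if __name__ == "__main__":
    for f in audit(RULESET):
        print(f)
```

Run against the posted order it flags tcp/8000 and tcp/2200 on both counts and leaves the source-restricted SIP rules alone; moving the two ACCEPT lines below the SYN check, and adding -i / -s restrictions where the service does not need to be world-reachable, clears the findings.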