Asterisk firewall rules


Sample Asterisk Firewall Rules

IPTables

This is an example of how to configure a Linux iptables firewall for Asterisk:



 # SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
 iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT

 # IAX2 - the IAX protocol, version 2
 iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

 # IAX - most have switched to IAX v2, or ought to
 iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

 # RTP - the media stream
 # (related to the port range in /etc/asterisk/rtp.conf)
 iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

 # MGCP - if you use media gateway control protocol in your configuration
 iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT



More security:
Block access for account scanners, such as the ones that announce themselves with 'User-Agent: friendly-scanner'.
When you are under attack, switch on the SIP debug and look at the User-Agent header of the
scanning requests; you can then update the firewall rules and add more of the evil agents.
NOTICE: the rules must be inserted at the front of the chain to work properly.
(If you merge the rules into your ruleset, make sure they come before
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ; otherwise the state rule
accepts the follow-up UDP packets of a source before the string matches and rate limits ever see them.)

Jan 2014, my PBX got hacked again; the analysis shows that the Gaza Gang (IPv4 37.8.x.x) ran
a distributed scan and was able to hack an 8 character pass phrase like 'ueeNCPVS'. My recommendation:
update your passwords to more than 10 chars and make sure you mix in some numbers and '%.!@...'.
A good tool is 'mkpasswd', which spits out very solid passwords.
Lucky for me, the recharge limit/day cut the line and I "only" lost 30 USD.

So watch out! Or your cdr-csv will show you calls to Montenegro, Tonga and Nauru at around 0.5-1 $/min.



 # -I without a position inserts at the head of the chain, so running these lines as
 # listed would reverse them and put the final DROP first; positions keep this order.
 # Known scanner User-Agents: string match anywhere in the SIP packet
 iptables -I INPUT 1 -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP
 iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j REJECT --reject-with icmp-port-unreachable
 # Record each REGISTER per source; drop the source at its 12th REGISTER within 60 seconds
 # (phones sharing one NAT address also share this counter)
 iptables -I INPUT 3 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --set --name VOIP --rsource
 iptables -I INPUT 4 -p udp -m udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIP --rsource -j DROP
 # Same for INVITE
 iptables -I INPUT 5 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --set --name VOIPINV --rsource
 iptables -I INPUT 6 -p udp -m udp --dport 5060 -m string --string "INVITE sip:" --algo bm -m recent --update --seconds 60 --hitcount 12 --rttl --name VOIPINV --rsource -j DROP
 # Accept remaining SIP at up to 6 packets/sec per source IP, drop everything else on 5060
 iptables -I INPUT 7 -p udp -m hashlimit --hashlimit 6/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -m udp --dport 5060 -j ACCEPT
 iptables -I INPUT 8 -p udp -m udp --dport 5060 -j DROP

Tested on Debian/Linux Kernel 2.6.32-5-686 and v3+
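To check what the thresholds in the rules above actually do to traffic before loading them on a live PBX, here is an added Python model of that chain (an example written for this page, not code from the original page): xt_string, xt_recent and hashlimit are approximated in pure Python, assuming hashlimit's default burst of 5 and ignoring --rttl, and run over a constructed trace.

```python
from collections import defaultdict, deque

# Thresholds copied from the iptables rules above; the burst value is the module default
BLOCKED_AGENTS = {"VaxSIPUserAgent": "DROP", "friendly-scanner": "REJECT"}
WINDOW, HITCOUNT = 60, 12   # -m recent --seconds 60 --hitcount 12 (--rttl not modelled)
RATE, BURST = 6.0, 5.0      # -m hashlimit 6/sec, default --hashlimit-burst 5


class SipChain:
    """Walks the rules above top to bottom for one SIP packet arriving on UDP/5060."""

    def __init__(self):
        self.recent = defaultdict(lambda: defaultdict(deque))  # list name -> src -> times
        self.bucket = {}                                        # src -> (tokens, last seen)

    def _recent_hits(self, name, src, now):
        # --set records this packet first; --update --hitcount then counts the
        # entries of this source that fall inside the window
        self.recent[name][src].appendleft(now)
        return sum(1 for t in self.recent[name][src] if now - t <= WINDOW)

    def _hashlimit_ok(self, src, now):
        # Token bucket per source: refill at RATE/sec up to BURST, spend one per packet
        tokens, last = self.bucket.get(src, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE)
        ok = tokens >= 1
        self.bucket[src] = (tokens - 1 if ok else tokens, now)
        return ok

    def verdict(self, now, src, request_line, user_agent=""):
        for agent, action in BLOCKED_AGENTS.items():
            if agent in user_agent:             # xt_string: substring anywhere in packet
                return action
        for method, name in (("REGISTER", "VOIP"), ("INVITE", "VOIPINV")):
            if request_line.startswith(method + " sip:"):
                if self._recent_hits(name, src, now) >= HITCOUNT:
                    return "DROP (%s flood)" % method
        if self._hashlimit_ok(src, now):
            return "ACCEPT"
        return "DROP (hashlimit)"


def run_sample():
    """Constructed trace: one address sends 13 REGISTERs in 13 seconds, then a packet
    with a known scanner User-Agent; a second address then places one INVITE."""
    chain = SipChain()
    out = [chain.verdict(10 + i, "203.0.113.9", "REGISTER sip:pbx", "X-Lite") for i in range(13)]
    out.append(chain.verdict(40, "203.0.113.9", "REGISTER sip:pbx", "friendly-scanner"))
    out.append(chain.verdict(41, "198.51.100.7", "INVITE sip:1000@pbx", "X-Lite"))
    return out
```

The 12th and 13th REGISTER from the scanning address are dropped by the recent match, its scanner-tagged packet is rejected outright, and the other phone's INVITE still passes.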


PF (Packet Filter)

This is an example of how to configure an OpenBSD/FreeBSD 5 PF firewall for Asterisk:

pf.conf

 # Your inet interface
 ext = "rl0"

 # SIP (TCP)
 voip_tcp = "5060"
 # SIP, IAX2, IAX, RTP, MGCP (UDP); 9999 >< 20001 is the RTP range 10000-20000
 voip_udp = "{5060, 4569, 5036, 9999 >< 20001, 2727}"

 pass in on $ext inet proto tcp from any to any port $voip_tcp flags S/SA keep state
 pass out on $ext inet proto tcp all flags S/SA keep state
 pass in on $ext inet proto udp from any to any port $voip_udp keep state
 pass out on $ext proto udp all keep state


pf.conf on gateway router/asterisk box with QoS

 # macros ####
 ext_if="xl0" # 172.16.0.2
 int_if="xl1" # 10.0.0.1
 lan_net = "10.0.0.0/24"
 table <blocked> persist
 table <routed> persist
 # machines
 ext_ip = "172.16.0.2"
 siphost = "172.16.0.3"
 voip = "10.0.0.4"
 # options ####
 set skip on lo0
 set optimization conservative
 set block-policy drop
 set loginterface $ext_if
 scrub in all
 # QoS stuff #######
 altq on $ext_if priq bandwidth 520Kb queue { q_pri, q_def, q_bulk, q_crap }
 queue q_pri priority 7
 queue q_def priority 5 priq(default)
 queue q_bulk priority 1
 queue q_crap priority 0
 # NAT ####
 nat on $ext_if from <routed> -> $ext_ip

 # rules ####
 block drop out quick on $ext_if proto { udp, icmp, tcp } from any to <blocked>
 block drop in quick on $ext_if proto { udp, icmp, tcp } from <blocked> to any
 block drop in on $ext_if from any to any
 pass in on $ext_if from $lan_net to any

 # basic
 pass out on $ext_if proto tcp all modulate state flags S/SA
 pass out on $ext_if proto { udp, icmp } all keep state
 pass in on $int_if proto icmp all keep state

 # asterisk
 pass in from any to $siphost
 pass in quick proto udp from any to any port 4569 \
     keep state queue (q_pri)
 pass out quick proto udp from any to any port 4569 \
     keep state queue (q_pri)

 # default
 pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
     keep state queue (q_def, q_pri)
 pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
     keep state queue (q_def, q_pri)


IPFW

This is an example of how to configure a FreeBSD IPFW firewall for Asterisk:

rc.firewall

 # Firewall command
 fwcmd="/sbin/ipfw -q"

 # Interface setup
 # Outside interface
 oip="<your external ip address>"

 # Asterisk (*) PBX IP
 pbxip="<your * internal ip>"

 # VoIP Traffic - SIP & IAX
 ${fwcmd} add pass tcp from ${oip} to ${pbxip} 5060 keep-state in
 ${fwcmd} add pass tcp from ${pbxip} to any 5060 keep-state out
 ${fwcmd} add pass udp from ${oip} to ${pbxip} 5060 keep-state in
 ${fwcmd} add pass udp from ${oip} to ${pbxip} 4569 keep-state in
 ${fwcmd} add pass udp from ${oip} to ${pbxip} 2727 keep-state in
 ${fwcmd} add pass udp from ${oip} to ${pbxip} 9999-20001 keep-state in
 ${fwcmd} add pass udp from ${pbxip} to any keep-state out



rc.conf

 # Your NAT & Firewall section should have this line
 natd_flags="-redirect_address <your * internal ip> <your external ip address>"


ISA Server

To configure an ISA Server firewall for Windows, to permit Asterisk (win32 version) to run on the same box as the ISA Server:

SIPPF.VBS

Follow these steps:
  • Download the SPIPF.VBS script from www.generationd.com
  • Copy to any directory on the ISA Server.
  • Edit the file with any text editor - if you want to modify the log file parameters, etc.
  • Run the script by double clicking it
  • Wait and relax while the ports are opened. Be warned - it can take a while!



See also



Created by: oej, Last modification: Thu 30 of Jan, 2014 (03:24 UTC) by ruehlchr

