FYI Use IPtables and MAC address instead of Travelin Man?

dhelsten (New Member, joined Sep 19, 2011)
I'm getting ready to set up some phones that will have dynamic IP addresses. I've read about Travelin' Man but am a bit lazy and don't want to pay for and set up FQDNs at dyndns. Isn't it possible to use MAC addresses to whitelist in IPtables? Is there any reason this wouldn't work or would not be advised?
 
As best I recall, MAC addresses aren't routable over the Internet.

If you have an obscure FQDN for your server, you could use something like this in IPtables to permit remote access. Of course, if someone guesses your FQDN, all bets are off. :death:
Code:
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:mysecretfqdn.somebody.com" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -j ACCEPT
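To show how that four-rule chain actually behaves, here is an added example (not code from the post) that models iptables' top-to-bottom, first-match walk with the same `-m string` substring semantics, and runs it over a few constructed SIP payloads. The hostname `mysecretfqdn.somebody.com` is the post's own placeholder; the sample requests and addresses are constructed for the example.

```python
"""Added example (not from the forum post): evaluate the four iptables
string-match rules above, first match wins, against constructed SIP requests."""

# Each rule is (substring that `-m string --string ... --algo bm` looks for, target).
# A None pattern stands for the final unconditional `-j ACCEPT`.
SIP_RULES = [
    ("REGISTER sip:mysecretfqdn.somebody.com", "ACCEPT"),
    ("REGISTER sip:", "DROP"),
    ("OPTIONS sip:", "DROP"),
    (None, "ACCEPT"),
]


def verdict(payload: bytes, rules=SIP_RULES) -> str:
    """Return the target of the first rule whose pattern occurs anywhere in the
    UDP payload, mirroring iptables' chain walk.  Like -m string this is a plain
    substring search over the packet, not a parse of the SIP request line."""
    for pattern, target in rules:
        if pattern is None or pattern.encode() in payload:
            return target
    raise AssertionError("chain has no terminal rule")  # unreachable with SIP_RULES


# Constructed sample payloads: a SIP request line plus one Via header each.
SAMPLES = {
    "phone_register":   b"REGISTER sip:mysecretfqdn.somebody.com SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n",
    "scanner_register": b"REGISTER sip:203.0.113.1 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.9\r\n",
    "scanner_options":  b"OPTIONS sip:203.0.113.1 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.9\r\n",
    "invite_in_call":   b"INVITE sip:1001@203.0.113.1 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.7\r\n",
    # Once the hostname is known the first rule matches regardless of sender:
    # the "if someone guesses your FQDN, all bets are off" case from the post.
    "guessed_fqdn":     b"REGISTER sip:mysecretfqdn.somebody.com SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.9\r\n",
}


def evaluate_all(samples=SAMPLES, rules=SIP_RULES) -> dict:
    """Map each sample name to the chain's verdict for it."""
    return {name: verdict(payload, rules) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, target in evaluate_all().items():
        print(f"{name:18} -> {target}")
```

Rule order is what makes this work: `REGISTER sip:` is a substring of `REGISTER sip:mysecretfqdn.somebody.com`, so if the DROP rule came first the phone's own REGISTER would be dropped too. The model also makes the post's caveat concrete: the whitelist keys on the hostname string alone, so any sender that knows it gets the same ACCEPT.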
 
I had a sysadmin tell me he could open and close ports on his SonicWall router on a MAC address basis, and I see this article about using MACs with iptables: http://tecadmin.net/mac-address-filtering-using-iptables/. It has me intrigued. Perhaps the issue is just that most hardware firewalls don't support it?

I'm going to test out the suggestion in the link above and I'll report if it works.
 
A MAC address is link-layer; it is for the local LAN and won't go past the router. Routing in general makes that information unavailable through normal means.

I've often thought of the same kind of thing, i.e., why not have a giant password instead of having to do a challenge system or VPN. The answer is that by the time you implemented that on the client and server and then did the address translations you'll want to do on the router, you might as well just do the VPN. Client phones like the Yealink and others have built-in OpenVPN. On the firewall you have lots of options; I use pfSense with OpenVPN.
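The point that a MAC address "won't go past the router" is easy to see in a small model, added here as an example that is not from the thread: each router hop discards the Ethernet header and builds a new one for the next segment, so by the time a remote phone's REGISTER reaches the PBX its source MAC is the PBX's own gateway, and a `-m mac --mac-source` whitelist never sees the phone. Every MAC and IP address below is a constructed placeholder; the hop list is a simplified path and ignores NAT.

```python
"""Added example (not from the thread): why an iptables MAC whitelist on the
PBX cannot identify a phone that is behind any router."""

from dataclasses import dataclass


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: bytes


PHONE_MAC  = "00:15:65:aa:bb:cc"   # the remote phone (constructed)
PBX_GW_MAC = "00:1a:2b:11:22:33"   # LAN-side MAC of the PBX site's router (constructed)
PBX_MAC    = "00:0c:29:44:55:66"   # the Asterisk box (constructed)


def route_hop(frame: Frame, egress_mac: str, next_hop_mac: str) -> Frame:
    """Model one router: the IP packet is forwarded unchanged (NAT aside), but the
    link-layer header is rebuilt with the router's egress MAC as the source."""
    return Frame(src_mac=egress_mac, dst_mac=next_hop_mac,
                 src_ip=frame.src_ip, dst_ip=frame.dst_ip, payload=frame.payload)


def traverse(frame: Frame, hops) -> Frame:
    """Push a frame through a list of (egress_mac, next_hop_mac) router hops."""
    for egress_mac, next_hop_mac in hops:
        frame = route_hop(frame, egress_mac, next_hop_mac)
    return frame


def mac_whitelist_rule(frame: Frame, allowed_mac: str) -> str:
    """Models `-A INPUT -m mac --mac-source <allowed> -j ACCEPT` followed by a DROP."""
    return "ACCEPT" if frame.src_mac.lower() == allowed_mac.lower() else "DROP"


def deliver_from_remote_phone() -> Frame:
    """Phone on a remote LAN -> its router -> an ISP router -> PBX router -> PBX."""
    frame = Frame(PHONE_MAC, "00:aa:bb:00:00:01", "192.168.5.20", "203.0.113.10",
                  b"REGISTER sip:pbx.example SIP/2.0\r\n")
    hops = [
        ("00:aa:bb:00:00:02", "00:cc:dd:00:00:01"),  # remote router WAN side -> ISP
        ("00:cc:dd:00:00:02", "00:1a:2b:00:00:01"),  # ISP -> PBX site's router WAN side
        (PBX_GW_MAC, PBX_MAC),                        # PBX router LAN side -> PBX
    ]
    return traverse(frame, hops)


def deliver_from_lan_phone() -> Frame:
    """The same phone sitting on the PBX's own LAN: no router in between."""
    return Frame(PHONE_MAC, PBX_MAC, "10.0.0.20", "10.0.0.5",
                 b"REGISTER sip:pbx.example SIP/2.0\r\n")


if __name__ == "__main__":
    remote = deliver_from_remote_phone()
    print("remote phone: PBX sees src MAC", remote.src_mac,
          "->", mac_whitelist_rule(remote, PHONE_MAC))
    local = deliver_from_lan_phone()
    print("LAN phone:    PBX sees src MAC", local.src_mac,
          "->", mac_whitelist_rule(local, PHONE_MAC))
```

The same rule passes the phone when it is on the local LAN and drops it from anywhere else, which is the whole of the answer to the original question: the MAC filter in the linked article only works for hosts on the same segment as the firewall.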
 
What I would like to see is a change in Asterisk that would allow you to limit the functionality of port 5060 (or an alternate) in terms of what commands the port would respond to when queried. If that could be constrained you'd probably be able to expose that port. If the communication was not from the LAN you could place all sorts of limitations on both the queries and the calls that could be placed by the non-LAN device.
You could also set up a separate outward-facing server that has significant limitations.
 