I had an Asterisk server on GCP (Google Cloud Compute), but I needed to move everything to Oracle Cloud because I was sick and tired of Google charging me when it should be on free tier (I even used iptables to block egress to China and Australia). That aside, I don’t understand why I am forced to open all (ingress) UDP ports in Oracle Cloud in order to receive calls from sip2sip. To clarify, my Asterisk setup is that when it picks up, it either says to call back, or it places the caller in MusicOnHold and plays an mp3 from a livestream of a church service (depending on the day/time). There are some people who are travelling and want to listen in, others don’t have high speed internet, and others are just… old… and don’t understand the internet.
Here is my setup (sensitive info redacted):
In pjsip.conf:
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0
local_net=10.0.0.89/32 ; change to appropriate internal IP CIDR
external_media_address=111.222.333.444 ; change to public IP or call will hang up after 30 seconds
external_signaling_address=111.222.333.444 ; change to public IP or call will hang up after 30 seconds
[siptrunk-aor]
type=aor
contact=sip:sbc.anveo.com
contact=sip:sip2sip.info
qualify_frequency=100
[siptrunk]
type=endpoint
transport=transport-udp
context=from-siptrunk
disallow=all
allow=ulaw
aors=siptrunk-aor
send_diversion=yes ; Send the Diversion header conveying the diversion
; information to the called user agent (default: "yes")
send_pai=yes ; Send the P Asserted Identity header (default: "no")
send_rpid=yes
trust_id_inbound=yes ; Accept identification information received from this
; endpoint (default: "no")
direct_media=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes ; necessary if endpoint does not know/register public ip:port
[siptrunk-identify]
type=identify
match=sbc.anveo.com
match=67.212.84.21
match=176.9.39.206
match=169.48.232.158
match=72.9.149.25
match=85.17.186.10
match=81.23.228.137
match=81.23.228.129
match=85.17.186.23
match=proxy.sipthor.net
match=sip2sip.info
endpoint=siptrunk
[siptrunk-auth]
type=auth
auth_type=userpass
username=myusername
password=mypassword
[siptrunk-registration]
type=registration
transport=transport-udp
outbound_auth=siptrunk-auth
server_uri=sip:sip2sip.info
client_uri=sip:myusername@sip2sip.info
contact_user=19871234567
retry_interval=60
In extensions.conf:
[from-siptrunk]
exten => 19871234567,1,Verbose(1,Playing livestream.)
same => n,Answer
same => n,ExecIfTime(20:01-23:59,sun,,?Playback(silence/1&please-try-call-later&silence/1))
same => n,ExecIfTime(0:00-23:59,mon-sat,,?Playback(silence/1&please-try-call-later&silence/1))
same => n,ExecIfTime(0:00-10:24,sun,,?Playback(silence/1&please-try-call-later&silence/1))
same => n,ExecIfTime(10:25-12:30,sun,,?MusicOnHold(ulawstream))
same => n,ExecIfTime(12:31-13:54,sun,,?Playback(silence/1&please-try-call-later&silence/1))
same => n,ExecIfTime(13:55-15:34,sun,,?MusicOnHold(ulawstream))
same => n,ExecIfTime(15:34-17:54,sun,,?Playback(silence/1&please-try-call-later&silence/1))
same => n,ExecIfTime(17:55-20:00,sun,,?MusicOnHold(ulawstream))
same => n,Hangup()
If I call the Anveo DID (19871234567), it always works fine. But I want sip2sip to work for testing purposes because when I call the Anveo DID, it costs me money. sip2sip is free and I call from a softphone app on my smartphone.
I also have fail2ban running (3 strikes and you’re out) and iptables for security, following this tutorial to secure things. I’ve also disabled IPv6. In my /etc/iptables/rules.v4 file:
*raw
:PREROUTING ACCEPT [214:42793]
:OUTPUT ACCEPT [300:104239]
:BADSIP - [0:0]
:NEWSIP - [0:0]
:TCPSIP - [0:0]
:UDPSIP - [0:0]
-A PREROUTING -i eth+ -m recent --update --name MYSIP --mask 255.255.255.255 --rsource -j ACCEPT
-A PREROUTING -i eth+ -p tcp -m tcp --dport 5060:5082 -m string --string "sip:my.server.com" --algo bm --to 65535 --icase -j NEWSIP
-A PREROUTING -i eth+ -p udp -m udp --dport 5060:5082 -m string --string "sip:my.server.com" --algo bm --to 1500 --icase -j NEWSIP
-A PREROUTING -i eth+ -m recent --update --name BADSIP --mask 255.255.255.255 --rsource -j DROP
-A PREROUTING -i eth+ -p tcp -m tcp --dport 5060:5082 -j TCPSIP
-A PREROUTING -i eth+ -p udp -m udp --dport 5060:5082 -j UDPSIP
-A BADSIP -m recent --set --name BADSIP --mask 255.255.255.255 --rsource -j DROP
-A NEWSIP -m recent --set --name MYSIP --mask 255.255.255.255 --rsource -j ACCEPT
-A TCPSIP -m string --string "sundayddr" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sipsak" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sipvicious" --algo bm --to 65535 --icase -j BADSIP
-A TCPSIP -m string --string "friendly-scanner" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "iWar" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sip-scan" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sipcli" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "eyeBeam" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sip:nm@nm" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 65535 -j BADSIP
-A TCPSIP -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name SIP_R --mask 255.255.255.255 --rsource
-A TCPSIP -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 10 --hitcount 20 --rttl --name SIP_R --mask 255.255.255.255 --rsource -j DROP
-A TCPSIP -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name SIP_I --mask 255.255.255.255 --rsource
-A TCPSIP -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 5 --hitcount 20 --rttl --name SIP_I --mask 255.255.255.255 --rsource -j DROP
-A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipvicious" --algo bm --to 1500 --icase -j BADSIP
-A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "REGISTER sip:" --algo bm --to 1500 -m recent --set --name SIP_R --mask 255.255.255.255 --rsource
-A UDPSIP -m string --string "REGISTER sip:" --algo bm --to 1500 -m recent --update --seconds 10 --hitcount 20 --rttl --name SIP_R --mask 255.255.255.255 --rsource -j DROP
-A UDPSIP -m string --string "INVITE sip:" --algo bm --to 1500 -m recent --set --name SIP_I --mask 255.255.255.255 --rsource
-A UDPSIP -m string --string "INVITE sip:" --algo bm --to 1500 -m recent --update --seconds 5 --hitcount 20 --rttl --name SIP_I --mask 255.255.255.255 --rsource -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [300:104239]
:ASIP - [0:0]
:DPTS - [0:0]
:ICMPALL - [0:0]
:IPSPF - [0:0]
:RLMSET - [0:0]
-A INPUT -p tcp -m tcp --dport 5060:5082 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m recent --update --seconds 600 --hitcount 1 --name RLM --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ICMPALL
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i eth+ -j IPSPF
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j ASIP
-A INPUT -j DPTS
-A INPUT -m limit --limit 10/min -j LOG
-A INPUT -j DROP
-A ASIP -p tcp -m tcp --dport 5060:5082 -j ACCEPT
-A ASIP -p udp -m udp --dport 5060:5082 -m recent --update --name MYSIP --mask 255.255.255.255 --rsource -j ACCEPT
-A ASIP -p udp -m udp --dport 5060:5082 -j DROP
-A ASIP -p udp -m udp --dport 10000:20000 -j ACCEPT
-A ASIP -j RETURN
-A DPTS -p tcp -m tcp --dport 21 -j DROP
-A DPTS -p tcp -m tcp --dport 22 -j ACCEPT
-A DPTS -p tcp -m tcp --dport 23 -j RLMSET
-A DPTS -p tcp -m tcp --dport 25 -j RLMSET
-A DPTS -p tcp -m tcp --dport 80 -j DROP
-A DPTS -p tcp -m tcp --dport 443 -j DROP
-A DPTS -p tcp -m tcp --dport 1433 -j RLMSET
-A DPTS -p tcp -m tcp --dport 3128 -j RLMSET
-A DPTS -p tcp -m tcp --dport 3306 -j RLMSET
-A DPTS -p tcp -m tcp --dport 3389 -j RLMSET
-A DPTS -p tcp -m tcp --dport 4899 -j RLMSET
-A DPTS -p tcp -m tcp --dport 5900 -j RLMSET
-A DPTS -j RETURN
-A ICMPALL -p icmp -f -j DROP
-A ICMPALL -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp -j DROP
-A IPSPF -s 172.16.0.0/12 -j DROP
-A IPSPF -s 192.168.0.0/16 -j DROP
-A IPSPF -s 0.0.0.0/8 -j DROP
-A IPSPF -s 100.64.0.0/10 -j DROP
-A IPSPF -s 127.0.0.0/8 -j DROP
-A IPSPF -s 169.254.0.0/16 -j DROP
-A IPSPF -s 192.0.0.0/24 -j DROP
-A IPSPF -s 192.0.2.0/24 -j DROP
-A IPSPF -s 198.18.0.0/15 -j DROP
-A IPSPF -s 198.51.100.0/24 -j DROP
-A IPSPF -s 203.0.113.0/24 -j DROP
-A IPSPF -s 224.0.0.0/4 -j DROP
-A IPSPF -s 240.0.0.0/4 -j DROP
-A IPSPF -s 255.255.255.255/32 -j DROP
-A IPSPF -d 0.0.0.0/8 -j DROP
-A IPSPF -d 127.0.0.0/8 -j DROP
-A IPSPF -d 224.0.0.0/4 -j DROP
-A IPSPF -d 255.255.255.255/32 -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A IPSPF -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A IPSPF -p udp -m length --length 0:28 -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --update --seconds 1 --hitcount 11 --name INSYN --mask 255.255.255.255 --rsource -j DROP
-A IPSPF -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m recent --set --name INSYN --mask 255.255.255.255 --rsource -j RETURN
-A IPSPF -j RETURN
-A RLMSET -m recent --set --name RLM --mask 255.255.255.255 --rsource -j DROP
COMMIT
I am at a loss as to why I would need to open all UDP ports in the Oracle security settings (I created a separate network security group for this instance, since I have other instances), which are found under Networking > Virtual cloud networks > vcn-12345 > Network Security Group Details. If I even change the rule from UDP 1-65535 with CIDR 0.0.0.0/0 to 2-65535, I can’t get through when calling the sip2sip address. Nothing shows in the Asterisk console (even with debugging on). If I check with tcpdump (sudo tcpdump -i enp0s3 -n -s 0 -vvv -A port 5060), it shows the correct INVITE. None of this makes sense to me.
Is my iptables ruleset at least sufficient to properly harden my Asterisk server? Is opening UDP ports 1-65535 safe in combination with the iptables rules and fail2ban? Can anyone guess what is happening?
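As an added example (not part of the original post and not the poster's code), the following Python model walks constructed UDP packets through the SIP-related parts of the ruleset above: the raw PREROUTING string and recent-list logic, then the INPUT/ASIP gating on UDP 5060-5082 and 10000-20000. The source addresses 1.2.3.4 and 5.6.7.8, the public IP 198.51.100.7 in the Request-URI, the packet contents and the conntrack state passed to each call are all assumptions. The xt_recent emulation ignores --rttl and list size limits, the --to 1500/65535 limits are applied to the SIP payload rather than to the start of the IP packet, and the IPSPF, DPTS/RLM and TCP-only rules are left out.

```python
"""Model of the UDP SIP/RTP path through the iptables rules posted above, run
against constructed packets. Added example; not the poster's code."""

MY_HOSTNAME = "my.server.com"           # placeholder hostname used in the rules
SIP_PORTS = range(5060, 5083)           # --dport 5060:5082
RTP_PORTS = range(10000, 20001)         # --dport 10000:20000 in the ASIP chain
SCANNER_STRINGS = ["sundayddr", "sipsak", "friendly-scanner", "iWar", "sip-scan", "sipcli",
                   "eyeBeam", "VaxSIPUserAgent", "sip:nm@nm", "sip:carol@chicago.com"]
SCANNER_STRINGS_ICASE = ["sipvicious"]  # the only one matched with --icase


class Recent:
    """Minimal xt_recent: a timestamp list per (list name, source IP); --rttl ignored."""
    def __init__(self):
        self.lists = {}

    def set(self, name, ip, now):                       # -m recent --set
        self.lists.setdefault(name, {}).setdefault(ip, []).append(now)

    def update(self, name, ip, now, seconds=None, hitcount=None):
        """-m recent --update: True only if ip is listed (and, with --seconds/--hitcount,
        seen >= hitcount times in the window); a match refreshes the entry."""
        stamps = self.lists.get(name, {}).get(ip)
        if stamps is None:
            return False
        if seconds is not None and sum(now - t <= seconds for t in stamps) < hitcount:
            return False
        stamps.append(now)
        return True


def raw_prerouting(pkt, recent, now):
    """raw PREROUTING: 'DROP' or 'CONTINUE' (ACCEPT in raw only ends raw processing).
    The --to 1500/65535 limits are applied to the payload here, not to the IP packet."""
    src, dport = pkt["src"], pkt["dport"]
    body = pkt["payload"][:1500 if pkt["proto"] == "udp" else 65535]
    if recent.update("MYSIP", src, now):                # already-trusted source
        return "CONTINUE"
    if dport in SIP_PORTS and f"sip:{MY_HOSTNAME}".lower() in body.lower():
        recent.set("MYSIP", src, now)                   # NEWSIP: trust this source
        return "CONTINUE"
    if recent.update("BADSIP", src, now):               # previously flagged scanner
        return "DROP"
    if dport not in SIP_PORTS:
        return "CONTINUE"
    if any(s in body for s in SCANNER_STRINGS) or any(s in body.lower() for s in SCANNER_STRINGS_ICASE):
        recent.set("BADSIP", src, now)                  # BADSIP chain
        return "DROP"
    for needle, lst, secs in (("REGISTER sip:", "SIP_R", 10), ("INVITE sip:", "SIP_I", 5)):
        if needle in body:
            recent.set(lst, src, now)                   # --set rule with no target
            if recent.update(lst, src, now, seconds=secs, hitcount=20):
                return "DROP"                           # 20 in the window: flood
    return "CONTINUE"                                   # raw policy ACCEPT


def filter_input(pkt, recent, now, ctstate="NEW"):
    """filter INPUT for a UDP packet: conntrack first, then the ASIP chain. The TCP-only
    rules, the IPSPF bogon/flag checks and the DPTS/RLM ban list are left out."""
    src, dport = pkt["src"], pkt["dport"]
    if ctstate == "INVALID":
        return "DROP"
    if ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"                                 # accepted before any SIP gating
    if dport in SIP_PORTS:                              # ASIP: gated by the MYSIP list
        return "ACCEPT" if recent.update("MYSIP", src, now) else "DROP"
    if dport in RTP_PORTS:
        return "ACCEPT"                                 # RTP range open to any source
    return "DROP"                                       # -j LOG, -j DROP


def verdict(pkt, recent, now, ctstate="NEW"):
    """Whole inbound path for one UDP packet: raw PREROUTING, then filter INPUT."""
    if raw_prerouting(pkt, recent, now) == "DROP":
        return "DROP"
    return filter_input(pkt, recent, now, ctstate)


def udp(src, dport, payload=""):
    return {"src": src, "proto": "udp", "dport": dport, "payload": payload}


def invite(src, request_uri):
    """Constructed minimal INVITE, not a capture from the poster's server."""
    return udp(src, 5060, f"INVITE {request_uri} SIP/2.0\r\nVia: SIP/2.0/UDP {src}:5060\r\n"
               "From: <sip:caller@sip2sip.info>\r\nTo: <sip:19871234567@sip2sip.info>\r\n\r\n")


def demo():
    """Walks constructed packets through the ruleset in order; returns the verdicts."""
    recent = Recent()
    proxy = "85.17.186.10"                              # one of the identify matches above
    by_ip = invite(proxy, "sip:19871234567@198.51.100.7:5060")   # Contact registered by IP
    by_host = invite(proxy, f"sip:{MY_HOSTNAME}:5060")  # no user part, so the string matches
    probe = udp("1.2.3.4", 5060, "OPTIONS sip:100@198.51.100.7 SIP/2.0\r\n"
                "User-Agent: friendly-scanner\r\n\r\n")          # made-up scanner source
    return {                                            # evaluated top to bottom
        "new flow, Request-URI by IP": verdict(by_ip, recent, 0.0),
        "same packet, flow already ESTABLISHED": verdict(by_ip, recent, 1.0, "ESTABLISHED"),
        "new flow, Request-URI by hostname": verdict(by_host, recent, 2.0),
        "by IP again, source now in MYSIP": verdict(by_ip, recent, 3.0),
        "scanner probe": verdict(probe, recent, 4.0),
        "flagged scanner later sends the hostname": verdict(invite("1.2.3.4", f"sip:{MY_HOSTNAME}"), recent, 5.0),
        "RTP to 12000 from unknown source": verdict(udp("5.6.7.8", 12000), recent, 6.0),
    }
```

Calling demo() gives DROP for a NEW-flow INVITE whose text does not contain the literal sip:my.server.com (a Request-URI with a user part, such as sip:19871234567@my.server.com, does not contain that substring), ACCEPT for the same packet when conntrack already considers the flow ESTABLISHED, ACCEPT once the source has made it into MYSIP, ACCEPT for a source that was flagged into BADSIP but later sends the hostname (the NEWSIP jump precedes the BADSIP check in PREROUTING), and ACCEPT for UDP 10000-20000 from any source. A packet that tcpdump shows arriving but Asterisk never logs is, in this model, one dropped at the ASIP rule for UDP 5060-5082, which admits a NEW flow only from a source already in MYSIP; tcpdump taps the interface before netfilter, so it sees such packets regardless.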