Iptables do not block Asterisk's-registration to sip-provider


#1

Hello everybody,

I use the following iptables-settings, but the firewall doesn’t prevent the registration of my Asterisk-Server to my provider sipcall.ch. Everthing is working. I can do calls out and can receive calls from outside. Does somebody know why my firewall doesn’t block the connection to the sip-provider?

*filter
:OUTPUT ACCEPT
:INPUT DROP
:FORWARD ACCEPT

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT

-A INPUT -s 10.8.0.0/24 -j ACCEPT

-A INPUT -m limit --limit 8/min -j LOG --log-prefix "iptables denied: " --log-level 7

COMMIT

Thx for your help!


#2

I’m not an iptables guy, but where is your drop for that host?

I only see your accepts.


#3

What exactly do you mean with block connection to your provider, usually you dont want to block connection with a trusted server


#4

That is true. I want to secure my asteriskserver with a firewall and to be sure, that only connections come through I have allowed.

In iptables I have just accepted connections from my local-network and my vpn-network:
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT

The general-rule
“:INPUT DROP”
should drop all the other connections, here all other IP’s outside my local- and vpn-network. So the extern IP or url of my sip-provider should be blocked in this configuration.

In my opinion it should be necesarry to have the follow entries in iptables to be able to connect to an extern sip-provider:
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

But in my case it works without it… strange


#5

That it is not an Asterisk related issue it is OS and networking issue, there are many iptables toturials on the NET


#6

if you want to block connection to your-sip-provider
I assume that you want block outgoing connection from your server.

then the rule should be in OUTPUT chain.

ex::
iptables -I OUTPUT -d your-sip-provider -j DROP


#7

To block everything except some.ip

myfile.rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s some.ip -j ACCEPT -m comment --comment “name”
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

cat myfile.rules | /sbin/iptables-restore


#8

Why u do not use fail2ban?
Here is the rule for asterisk:

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'from-gsm'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog 

U need to put in:

/etc/fail2ban/filter.d/asterisk.conf

I tested and it working really nicely!