Iptables does not block Asterisk's registration to SIP provider

Hello everybody,

I use the following iptables settings, but the firewall doesn’t prevent the registration of my Asterisk server to my provider sipcall.ch. Everything is working. I can make calls out and can receive calls from outside. Does somebody know why my firewall doesn’t block the connection to the SIP provider?

*filter
:OUTPUT ACCEPT
:INPUT DROP
:FORWARD ACCEPT

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT

-A INPUT -s 10.8.0.0/24 -j ACCEPT

-A INPUT -m limit --limit 8/min -j LOG --log-prefix "iptables denied: " --log-level 7

COMMIT

Thx for your help!

I’m not an iptables guy, but where is your drop for that host?

I only see your accepts.

What exactly do you mean by blocking the connection to your provider? Usually you don't want to block the connection to a trusted server.

That is true. I want to secure my Asterisk server with a firewall and be sure that only connections I have allowed come through.

In iptables I have only accepted connections from my local network and my VPN network:
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A INPUT -s 10.8.0.0/24 -j ACCEPT

The general rule
“:INPUT DROP”
should drop all the other connections, here all other IPs outside my local and VPN network. So the external IP or URL of my SIP provider should be blocked in this configuration.

In my opinion it should be necessary to have the following entries in iptables to be able to connect to an external SIP provider:
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

But in my case it works without them… strange.

This is not an Asterisk-related issue; it is an OS and networking issue. There are many iptables tutorials on the net.


If you want to block the connection to your SIP provider,
I assume that you want to block outgoing connections from your server.

Then the rule should be in the OUTPUT chain.

Example:
iptables -I OUTPUT -d your-sip-provider -j DROP


To block everything except some.ip

myfile.rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s some.ip -j ACCEPT -m comment --comment "name"
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT

cat myfile.rules | /sbin/iptables-restore

Why don't you use fail2ban?
Here is the filter for Asterisk:

# Fail2Ban filter for asterisk authentication failures
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = asterisk

__pid_re = (?:\[\d+\])

# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?

failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'from-gsm'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

ignoreregex =


# Author: Xavier Devlamynck / Daniel Black
#
# General log format - main/logger.c:ast_log
# Address format - ast_sockaddr_stringify
#
# First regex: channels/chan_sip.c
#
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog

You need to put it in:

/etc/fail2ban/filter.d/asterisk.conf

I tested it and it is working really nicely!
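A quick offline check of the filter above against sample log lines, added here as an example and not taken from the post or from fail2ban itself: it expands two of the failregex entries into plain Python regexes (assuming fail2ban has already stripped the timestamp, so __prefix_line reduces to whitespace, and narrowing <HOST> to an IPv4 address) and runs them over constructed Asterisk log lines to show which peer address would be banned.

```python
import re

# Stand-ins for fail2ban's own interpolations (assumptions, not common.conf):
# fail2ban strips the timestamp before matching, so __prefix_line is reduced to
# optional whitespace, and <HOST> is narrowed to an IPv4 capture group.
PREFIX_LINE = r"\s*"
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PID_RE = r"(?:\[\d+\])"
LOG_PREFIX = (r"(?:NOTICE|SECURITY)" + PID_RE
              + r":?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?")
LINE_START = r"^(" + PREFIX_LINE + r"|\[\]\s*)" + LOG_PREFIX

# Two failregex lines from the filter, with %(...)s and <HOST> expanded.
FAILREGEX = [
    LINE_START + r" Registration from '[^']*' failed for '" + HOST
    + r"(:\d+)?' - (Wrong password|Username/auth name mismatch"
    + r"|No matching peer found|Not a local domain|Device does not match ACL"
    + r"|Peer is not supposed to register|ACL error \(permit/deny\)"
    + r"|Not a local domain)$",
    LINE_START + r" Host " + HOST + r" failed to authenticate as '[^']*'$",
]
COMPILED = [re.compile(p) for p in FAILREGEX]


def failing_host(line):
    """Return the peer IP that fail2ban would ban for this line, or None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines):
    """Return the list of offending IPs found in an iterable of log lines."""
    return [h for h in map(failing_host, lines) if h is not None]


# Constructed sample log lines (timestamps already removed, as fail2ban does).
SAMPLE_LOG = [
    " NOTICE[1234][C-0000001a] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    " NOTICE[1234] chan_sip.c: Host 203.0.113.9 failed to authenticate as 'alice'",
    " NOTICE[1234] chan_sip.c: Peer 'trunk' is now Reachable. (12ms / 2000ms)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(failing_host(line), "<-", line.strip()[:60])
```

For the real filter and your own log format, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` performs the same check with fail2ban's actual common.conf definitions (log path assumed to be the default one).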