Iptables firewall?

My server is on the Internet and I want to protect it more thoroughly than it currently is. However, the firewall rules I wrote are not working. What is wrong here? I would also like to block addresses which keep trying to connect (brute-force?) to prevent abuse of the system.

#!/bin/bash

# Configure IPv4 firewalling
# Start from a clean slate: flush rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z
# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback first, so local traffic is never subject to the rules below
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host opened or already accepted
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP error reporting: destination unreachable (needed for PMTU), time exceeded, parameter problem
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# Reset ident (113) probes instead of dropping them, so remote mail/IRC servers do not stall
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# New inbound connections: SSH, SIP signalling (5060) and the RTP media range
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports ssh,5060,10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -m multiport --dports 5060,10000:20000 -j ACCEPT

# Configure IPv6 firewalling
ip6tables -F
ip6tables -X
ip6tables -Z
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 carries neighbour discovery; dropping it leaves the host unable to speak IPv6 at all
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

I believe I figured it out. I accidentally left out port 5061. After adding that, my firewall worked. I have added two extra chains to handle repeated connection attempts. Here is what I am successfully running right now. All seems good, but I will monitor it for a week or two. What do the Asterisk pros think? Can I improve this in some way?

~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N BLACKLIST
-N SIP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,5060,5061,10000:20000 -j SIP
-A INPUT -p udp -m state --state NEW -m multiport --dports 5060,5061,10000:20000 -j SIP
-A INPUT -i lo -j ACCEPT
-A BLACKLIST -m recent --set --name BLACKLIST --rsource
-A BLACKLIST -j DROP
-A SIP -m recent --update --seconds 600 --hitcount 1 --name BLACKLIST --rsource -j DROP
-A SIP -m recent --set --name strike1 --rsource
-A SIP -m recent --set --name strike2 --rsource
-A SIP -m recent --set --name strike3 --rsource
-A SIP -m recent --update --seconds 20 --hitcount 5 --name strike1 --rsource -j BLACKLIST
-A SIP -m recent --update --seconds 40 --hitcount 10 --name strike2 --rsource -j BLACKLIST
-A SIP -m recent --update --seconds 80 --hitcount 20 --name strike3 --rsource -j BLACKLIST
-A SIP -j ACCEPT

Thanks for your input in advance.
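The SIP and BLACKLIST chains above are easy to get subtly wrong, because `-m recent --set` records a timestamp on every packet that reaches it and `--update` both checks the window and refreshes the address's last-seen time when it matches. The simulation below is an added example, not code from the thread; it models those two chains (following the semantics in the iptables-extensions man page, with the default ip_pkt_list_tot of 20 stamps per address) and replays constructed traffic from a scanner and a legitimate phone. The addresses and timings are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque

# Constructed addresses (RFC 5737 documentation ranges) and the xt_recent default list size.
SCANNER = "192.0.2.10"
PHONE = "198.51.100.7"
IP_PKT_LIST_TOT = 20          # timestamps xt_recent keeps per address by default


class RecentList:
    """Model of one xt_recent table as used by -m recent --name <list>."""

    def __init__(self, max_stamps=IP_PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.stamps = defaultdict(deque)   # src -> timestamps, oldest first

    def set(self, src, now):
        """--set: record the current time for src (creating the entry if needed)."""
        d = self.stamps[src]
        d.append(now)
        if len(d) > self.max_stamps:
            d.popleft()

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if src has at least N stamps in the
        last S seconds; a match also records a fresh stamp (the last-seen refresh)."""
        d = self.stamps.get(src)
        if d is None:
            return False
        hits = sum(1 for t in d if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


class SipChain:
    """The SIP and BLACKLIST chains from the thread, evaluated for one NEW packet."""

    BAN_SECONDS = 600
    STRIKES = ((20, 5), (40, 10), (80, 20))   # (--seconds, --hitcount) for strike1..3

    def __init__(self):
        self.blacklist = RecentList()
        self.strikes = [RecentList() for _ in self.STRIKES]

    def new_packet(self, src, now):
        # -A SIP -m recent --update --seconds 600 --hitcount 1 --name BLACKLIST -j DROP
        if self.blacklist.update(src, now, self.BAN_SECONDS, 1):
            return "DROP"
        # -A SIP -m recent --set --name strike1/2/3 (no target: record and fall through)
        for lst in self.strikes:
            lst.set(src, now)
        # -A SIP -m recent --update --seconds S --hitcount N --name strikeN -j BLACKLIST
        for lst, (seconds, hitcount) in zip(self.strikes, self.STRIKES):
            if lst.update(src, now, seconds, hitcount):
                self.blacklist.set(src, now)   # -A BLACKLIST -m recent --set
                return "DROP"                  # -A BLACKLIST -j DROP
        return "ACCEPT"                        # -A SIP -j ACCEPT


def run_scenario(events):
    """events: (time_in_seconds, src) pairs. Returns {src: [verdict, ...]} in time order."""
    chain = SipChain()
    verdicts = defaultdict(list)
    for now, src in sorted(events):
        verdicts[src].append(chain.new_packet(src, now))
    return dict(verdicts)


# Constructed traffic: a scanner probing every 2 s, then retrying every 100 s while
# banned, then coming back after 601 s of silence; a phone sending a new flow every 30 s.
EXAMPLE_EVENTS = (
    [(t, SCANNER) for t in range(0, 20, 2)]
    + [(t, SCANNER) for t in range(108, 709, 100)]
    + [(1309, SCANNER)]
    + [(0, PHONE), (30, PHONE), (60, PHONE)]
)

if __name__ == "__main__":
    for src, v in run_scenario(EXAMPLE_EVENTS).items():
        print(src, " ".join(v))
```

Two things the replay makes visible. The scanner's fifth probe within 20 s trips strike1 and every later probe refreshes the BLACKLIST stamp, so an attacker who keeps retrying stays banned for as long as it retries plus 600 s; only after a full 600 s of silence does the next packet reach the strike counters again. Separately, the posted ruleset places `-i lo -j ACCEPT` after the jump to SIP, so local NEW connections to those ports are counted (and can be banned) too; putting the loopback rule first avoids that. Note also that `--hitcount` cannot exceed ip_pkt_list_tot (default 20), which strike3 sits exactly at; the current contents of a list can be inspected in /proc/net/xt_recent/<name>, and an address is removed by writing `-<address>` to that file.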

I would really like some advice here. I believe I am being attacked based on my logs, but am not sure what to do. Since SIP is incompatible with NAT, we put the thing on the Internet using a public IP, but now we’re getting this crap.

~# cat /var/log/asterisk/messages | tail -n 80
[Sep  4 10:35:28] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '034248222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:36:00] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission c2195af8cb1d5e5cbfa5d1011a783b17 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:36:09] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '034348222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:36:41] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission d32d0ed1c6fda64b33f0b20b138824a8 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:36:50] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '034448222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:37:22] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 8d6ed9e7578003897fc8ea17392f329e for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:37:31] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '034548222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:38:03] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission e48f412c57e2016cb4631f35f769b4c2 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:38:11] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '034648222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:38:43] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 260f77f1dead872f449481b444bd948f for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:38:51] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '034748222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:39:23] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 309ecb915fe10e62f915c387d8899f9d for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:39:34] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '034848222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:40:06] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission b808b2c7e1d6762277cc9e9213fc6521 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:40:14] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5074) to extension '034948222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:40:46] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission a2808b9bf820741f3f220a6e308b5541 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:40:55] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '035048222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:41:23] NOTICE[18335] Ext. s:  Incoming call from "Unavailable" <8663730095>
[Sep  4 10:41:27] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 51b8c7b8f7e144b6375612cc46802f68 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
[Sep  4 10:41:36] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '035148222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:41:52] WARNING[18335] file.c: File are-you-still-there does not exist in any format
[Sep  4 10:41:52] WARNING[18335] file.c: Unable to open are-you-still-there (format 0x4 (ulaw)): No such file or directory
[Sep  4 10:41:52] WARNING[18335] app_playback.c: ast_streamfile failed on SIP/line1-0000004d for are-you-still-there
[Sep  4 10:42:08] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission e1b0cbcb9c2bbae1bbf07caa3c63ba6d for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:42:16] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5076) to extension '035248222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:42:21] WARNING[18335] file.c: File are-you-still-there does not exist in any format
[Sep  4 10:42:21] WARNING[18335] file.c: Unable to open are-you-still-there (format 0x4 (ulaw)): No such file or directory
[Sep  4 10:42:21] WARNING[18335] app_playback.c: ast_streamfile failed on SIP/line1-0000004d for are-you-still-there
[Sep  4 10:42:48] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission c6aa8f698e27c58c7def2145866ce829 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:42:57] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '035348222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:43:29] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 8d9637a459af6ba7b0c4fe6f14a912a9 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[Sep  4 10:43:38] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '035448222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:44:10] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 0b7280b493bfbcc3368c7d116ef981f6 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[Sep  4 10:44:18] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '035548222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:44:50] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission f128f55fd1117ee65e399812b35b64ae for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:44:59] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '035648222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:45:31] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 1cd72c83822803ccce79ee31db7485ae for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:45:39] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5074) to extension '035748222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:46:11] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission e817a8bbc59ee749ff954c83eba41b12 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:46:20] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5073) to extension '035848222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:46:52] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 02224d441e2d6464e45058eb4b85c1c3 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:47:01] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '035948222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:47:33] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 0660185f514757ba09bbd94b8499732c for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[Sep  4 10:47:42] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '036048222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:48:14] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 14bf1a13060082de7d3f31fae83871fb for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:48:23] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5080) to extension '036148222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:48:55] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 371479c8c8fbaa681a6e6b5118c1bec7 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:49:03] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '036248222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:49:35] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 70a8dbfc6052a462d5a4ea4faa0109a1 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:49:44] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5070) to extension '036348222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:50:16] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 46b78592000e8755be6237ab2d5abbf3 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
[Sep  4 10:50:24] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5074) to extension '036448222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:50:56] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 2dd8863272af688e8cae878bef3e18a4 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[Sep  4 10:51:04] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5071) to extension '036548222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:51:36] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission 2d6adda7bb46ccc9916ba17a7da15cdb for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
[Sep  4 10:51:45] NOTICE[30023] chan_sip.c: Call from '' (192.151.159.122:5074) to extension '036648222084974' rejected because extension not found in context 'incoming'.

We have several clients, including myself, who roam and our address changes frequently, so only allowing one address won’t work. My next guess is to only allow traffic from my office address and then somehow filter by MAC address for the rest, but this will become cumbersome as equipment changes and people come and go. How do the big companies handle this?

Only accept port 5060 from your ITSP. If that is not possible and you cannot limit to a small number of networks actually used by your employees, at least block the typical rogue countries.

Use fail2ban to rate limit the attacks.

Follow the best security practice guidelines document for Asterisk.
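The log excerpt earlier in the thread shows the signature of an extension sweep: one source address, rotating source ports, and a rejected extension that increments on every attempt. The script below is an added example, not code from the thread or from fail2ban; it applies the same sliding-window logic fail2ban uses (maxretry hits within findtime) to chan_sip "extension not found" NOTICE lines. The regular expression is written here for the exact line format shown above, not fail2ban's shipped asterisk filter, and the sample log is constructed with documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the chan_sip NOTICE line format shown in the thread.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Call from '(?P<user>[^']*)' \((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\) "
    r"to extension '(?P<ext>[^']*)' rejected because extension not found "
    r"in context '(?P<ctx>[^']*)'\.$"
)


def parse_ts(ts):
    """Asterisk's default stamp carries no year; relative ordering is all we need."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_scanners(lines, maxretry=5, findtime=600):
    """fail2ban-style detection: an address is banned once it has maxretry rejected
    calls within findtime seconds. Returns {ip: {"attempts", "extensions", "banned_at"}}."""
    window = defaultdict(deque)   # ip -> timestamps of recent rejects (oldest first)
    stats = {}
    for line in lines:
        m = REJECT_RE.match(line.rstrip("\n"))
        if not m:
            continue                # retransmission warnings, call notices etc. are ignored
        ip, t = m["ip"], parse_ts(m["ts"])
        s = stats.setdefault(ip, {"attempts": 0, "extensions": set(), "banned_at": None})
        s["attempts"] += 1
        s["extensions"].add(m["ext"])
        w = window[ip]
        w.append(t)
        while (t - w[0]).total_seconds() > findtime:
            w.popleft()             # slide the window forward
        if s["banned_at"] is None and len(w) >= maxretry:
            s["banned_at"] = m["ts"]
    return stats


def banned_ips(stats):
    """Addresses that crossed the threshold, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s["banned_at"] is not None)


# Constructed sample: a scanner (192.0.2.10) sweeping extensions, a retransmission
# warning that must not match, and one misdial from a real phone (198.51.100.7).
SAMPLE_LOG = """\
[Sep  4 10:35:28] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5070) to extension '034248222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:36:00] WARNING[30023] chan_sip.c: Retransmission timeout reached on transmission deadbeef for seqno 1 (Critical Response)
Packet timed out after 32000ms with no response
[Sep  4 10:36:09] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5070) to extension '034348222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:36:50] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5071) to extension '034448222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:37:31] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5070) to extension '034548222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:38:05] NOTICE[30023] chan_sip.c: Call from 'alice' (198.51.100.7:5060) to extension '2001' rejected because extension not found in context 'incoming'.
[Sep  4 10:38:11] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5070) to extension '034648222084974' rejected because extension not found in context 'incoming'.
[Sep  4 10:38:51] NOTICE[30023] chan_sip.c: Call from '' (192.0.2.10:5071) to extension '034748222084974' rejected because extension not found in context 'incoming'.
"""

if __name__ == "__main__":
    stats = find_scanners(SAMPLE_LOG.splitlines())
    for ip, s in stats.items():
        print(ip, s["attempts"], "attempts,", len(s["extensions"]), "extensions, banned_at =", s["banned_at"])
```

With the thresholds above the scanner is flagged at its fifth reject (10:38:11) while the single misdial from the phone is left alone; the count of distinct extensions per address is a useful second signal, since a legitimate caller retries the same number and a sweep never does. Run against /var/log/asterisk/messages this gives the same verdict fail2ban's asterisk jail would act on, and the ban itself belongs in the firewall (fail2ban's default action inserts an iptables rule), not in Asterisk.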