Hi,
I have run and tested joe's iptables script + SunshineNetworks Knock + Firewall Whitelist for SIP by wardmundy + Fail2ban on a Debian-based Asterisk system, and it's working perfectly as I wish.
My iptables file looks like:
# Generated by iptables-save v1.4.8 on Wed Dec 1 20:50:11 2010
*nat
:PREROUTING ACCEPT [2:154]
:POSTROUTING ACCEPT [99:6919]
:OUTPUT ACCEPT [99:6919]
COMMIT
# Completed on Wed Dec 1 20:50:11 2010
# Generated by iptables-save v1.4.8 on Wed Dec 1 20:50:11 2010
*mangle
:PREROUTING ACCEPT [2061:325088]
:INPUT ACCEPT [2061:325088]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1930:508313]
:POSTROUTING ACCEPT [1934:509267]
COMMIT
# Completed on Wed Dec 1 20:50:11 2010
# Generated by iptables-save v1.4.8 on Wed Dec 1 20:50:11 2010
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:door - [0:0]
# SSH rate limit (currently disabled): drop a source that opens a 2nd new SSH connection within 600 s
#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 --name DEFAULT --rsource -j DROP
#-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
# Filter 1- Whitelist for SIP & IAX (my voip service provider & google voice)
-A INPUT -s 64.27.1.153/32 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s 66.54.140.46/32 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s 66.54.140.47/32 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s 64.154.41.100/32 -p udp -m udp --dport 5060 -j ACCEPT
# Replies to connections we opened, and anything on loopback
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# LAN-only (RFC 1918 sources) TCP: SSH, web, Samba, AMI and the other management ports
-A INPUT -s 10.0.0.0/8 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m multiport --dports 22,80,139,443,445,4445,5038,9001,9022,9080,10000 -j ACCEPT
# LAN-only UDP: DNS, TFTP, NTP, NetBIOS, IAX, SIP and the RTP range 10000-20000
-A INPUT -s 10.0.0.0/8 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000,32852,50000:50100 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000,32852,50000:50100 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p udp -m multiport --dports 53,69,123,137:138,1514,4520,4569,5060,10000:20000,32852,50000:50100 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Echo request from anywhere
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Anti-spoof: a loopback source address must never arrive on the wire
-A INPUT -s 127.0.0.1/32 -i eth0 -j DROP
# Filter 2- SunshineNetworks Knock
# These rules must sit before the catch-all REJECT: INPUT is evaluated first-match, so
# anything appended after "-A INPUT -j REJECT" is never reached.
-A INPUT -p udp -m udp --dport 5060 -m recent --rcheck --seconds 4000 --name portisnowopen --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j door
-A INPUT -p udp -m udp --dport 5060 -j DROP
# Catch-all for everything not matched above
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# The knock itself: a UDP/5060 datagram carrying the passphrase adds its source to the
# "portisnowopen" recent list. The rule has no -j target, so the knock packet falls back
# into INPUT and is dropped there; only later packets from that source are accepted.
-A door -p udp -m udp --dport 5060 -m string --string "mysecretpassphrase" --algo bm --to 65535 -m recent --set --name portisnowopen --rsource
COMMIT
# Completed on Wed Dec 1 20:50:11 2010
Here is my simple Asterisk Security safety net flowchart:
Firewall_Portmapping(4569, 5060) -> Firewall_Whitelist(Filter 1) -> SunshineNetworks_Knock(Filter 2) -> Fail2ban(Filter 3) -> Asterisk_Server
Correct me if there is anything wrong.
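As an added example, not part of the original post or of the scripts it names: a small Python first-match simulator for the INPUT chain above. It encodes the Filter 1 whitelist and the Filter 2 knock rules, builds the chain twice (knock rules after the catch-all `-j REJECT`, and before it) and replays a knock followed by a SIP REGISTER from a constructed remote address (203.0.113.5, RFC 5737 documentation space, not from the post). The `--seconds` windows, the ICMP type and Fail2ban are simplified away; it only checks rule order and the recent-list side effect.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pkt:
    src: str
    proto: str               # "udp", "tcp" or "icmp"
    dport: int = 0
    state: str = "NEW"       # what -m state would report for the packet
    iface: str = "eth0"
    payload: bytes = b""


@dataclass
class Rule:
    target: Optional[str] = None      # ACCEPT / DROP / REJECT, a user chain, or None (match-only)
    src: Optional[str] = None         # -s CIDR
    proto: Optional[str] = None       # -p
    dports: tuple = ()                # --dport / -m multiport --dports
    states: tuple = ()                # -m state --state
    iface: Optional[str] = None       # -i
    string: Optional[bytes] = None    # -m string --string
    rcheck: Optional[str] = None      # -m recent --rcheck --name (--seconds ignored here)
    rset: Optional[str] = None        # -m recent --set --name


def matches(r: Rule, p: Pkt, recent: dict) -> bool:
    """Every match on a rule must hold (iptables ANDs them)."""
    return all((
        r.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src),
        r.proto is None or r.proto == p.proto,
        not r.dports or p.dport in r.dports,
        not r.states or p.state in r.states,
        r.iface is None or r.iface == p.iface,
        r.string is None or r.string in p.payload,
        r.rcheck is None or p.src in recent.get(r.rcheck, set()),
    ))


def walk(chains: dict, name: str, p: Pkt, recent: dict) -> Optional[str]:
    """First-match evaluation of one chain; None means the chain fell through."""
    for r in chains[name]:
        if not matches(r, p, recent):
            continue
        if r.rset:                                   # --set is a side effect even without -j
            recent.setdefault(r.rset, set()).add(p.src)
        if r.target is None:                         # match-only rule: keep going
            continue
        if r.target in chains:                       # jump into a user chain
            v = walk(chains, r.target, p, recent)
            if v is not None:
                return v
            continue
        return r.target
    return None


def verdict(chains: dict, p: Pkt, recent: dict) -> str:
    v = walk(chains, "INPUT", p, recent)
    return v if v is not None else "POLICY_DROP"    # :INPUT DROP in the posted file


LAN = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
TCP_PORTS = (22, 80, 139, 443, 445, 4445, 5038, 9001, 9022, 9080, 10000)
UDP_PORTS = (53, 69, 123, 137, 138, 1514, 4520, 4569, 5060,
             *range(10000, 20001), 32852, *range(50000, 50101))


def filter1() -> list:
    """Filter 1 from the post: provider whitelist, state rule, loopback, LAN ports, ICMP, anti-spoof."""
    rules = [
        Rule("ACCEPT", src="64.27.1.153/32", proto="udp", dports=(4569,)),
        Rule("ACCEPT", src="66.54.140.46/32", proto="udp", dports=(4569,)),
        Rule("ACCEPT", src="66.54.140.47/32", proto="udp", dports=(4569,)),
        Rule("ACCEPT", src="64.154.41.100/32", proto="udp", dports=(5060,)),
        Rule("ACCEPT", states=("RELATED", "ESTABLISHED")),
        Rule("ACCEPT", iface="lo"),
    ]
    rules += [Rule("ACCEPT", src=n, proto="tcp", dports=TCP_PORTS) for n in LAN]
    rules += [Rule("ACCEPT", src=n, proto="udp", dports=UDP_PORTS) for n in LAN]
    rules.append(Rule("ACCEPT", proto="icmp"))
    rules.append(Rule("DROP", src="127.0.0.1/32", iface="eth0"))
    return rules


REJECT = Rule("REJECT")
KNOCK = [                                            # Filter 2 from the post
    Rule("ACCEPT", proto="udp", dports=(5060,), rcheck="portisnowopen"),
    Rule("door", proto="udp", dports=(5060,)),
    Rule("DROP", proto="udp", dports=(5060,)),
]
DOOR = [Rule(None, proto="udp", dports=(5060,), string=b"mysecretpassphrase", rset="portisnowopen")]


def chains_knock_after_reject() -> dict:
    return {"INPUT": filter1() + [REJECT] + KNOCK, "door": DOOR}


def chains_knock_before_reject() -> dict:
    return {"INPUT": filter1() + KNOCK + [REJECT], "door": DOOR}


def knock_then_register(chains: dict) -> tuple:
    """Constructed scenario: remote phone knocks, then sends a REGISTER; returns both verdicts."""
    recent = {}
    src = "203.0.113.5"                              # constructed address, not from the post
    knock = Pkt(src, "udp", 5060, payload=b"mysecretpassphrase")
    sip = Pkt(src, "udp", 5060, payload=b"REGISTER sip:pbx SIP/2.0\r\n")
    return verdict(chains, knock, recent), verdict(chains, sip, recent)


if __name__ == "__main__":
    print("knock after REJECT :", knock_then_register(chains_knock_after_reject()))
    print("knock before REJECT:", knock_then_register(chains_knock_before_reject()))
```

With the knock rules after the catch-all, both packets come back REJECT and the recent list is never populated; with them before it, the knock packet itself is dropped (the `door` rule has no target) and the REGISTER that follows is accepted, which is the behaviour the flowchart expects.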