QUESTION Can I set IPTABLES to only allow connections from specific extension numbers?

rchalk (Active Member, joined Feb 19, 2010)
I am trying to set up a system with open access for portable devices, regardless of their IP Address, but still maintain some degree of security. I have set a rule to allow UDP connections only on a specific port, but I would also like to restrict the connections to devices which have a specific format in the extension number. I would use something like 123456XXXX, so the system would be looking for any device with 123456 as the beginning of the extension number, and the XXXX could be any additional 4 digits.

I am not very well versed with iptables, and would appreciate any help.

Thanks,
Richard

jerrm (Guru, joined Sep 23, 2015)
Code:
iptables -A INPUT ! -s 192.168.0.0/24 -p udp --dport 5060:5061 -m string ! --string "sip:123456" --algo bm --to 1500 -j DROP
Edit ports and local net netmask as appropriate.

This would drop any SIP packets that don't match the extension prefix coming from outside the LAN.

Works best on udp as it can be placed after the related/established rule. Not as good for tcp as it would need to be before the related/established rule. String matching is expensive so you want to minimize how many packets have to be looked at.

Not valid at all if using TLS.
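Added example, not code from jerrm's post or from 3CX: a short Python model of what the `-m string` match in the rule above actually decides, run over a few hand-built SIP REGISTER packets (the PBX name pbx.example, the client address 203.0.113.10 and the headers are constructed, not captures), with a header-parsing check alongside it for comparison. It shows the two things a substring search cannot see: a client that puts `sip:123456` in any header at all passes the string rule, and a legitimate extension whose From header lies past the `--to 1500` window is dropped by it.

```python
"""Model of iptables '-m string ! --string "sip:123456" --to 1500 -j DROP'.

Added example, not from the forum thread or 3CX.  All packets below are
constructed by hand; pbx.example, 203.0.113.10 and the extension scheme
123456XXXX are assumptions taken from the question.
"""
import re
from typing import Dict, Optional

NEEDLE = b"sip:123456"   # --string "sip:123456"
WINDOW = 1500            # --to 1500: only the first 1500 bytes are searched


def string_rule_drops(packet: bytes, needle: bytes = NEEDLE, to: int = WINDOW) -> bool:
    """Decision of the posted rule, reduced to its match.

    DROP (True) when the needle does not occur anywhere in the first `to`
    bytes.  xt_string is a plain substring search (Boyer-Moore for --algo bm)
    with no notion of SIP headers.  In the real module the offset counts from
    the start of the IP packet, so the usable payload window is slightly
    smaller than modelled here.
    """
    return needle not in packet[:to]


# Parser-based check for comparison: take the user part of the From URI and
# require 123456 followed by exactly four digits (the scheme in the question).
FROM_URI = re.compile(rb'^(?:From|f):\s*(?:"[^"]*"\s*)?<?sips?:([^@>;]+)@', re.M | re.I)
ALLOWED_EXT = re.compile(rb"123456\d{4}")


def from_extension(packet: bytes) -> Optional[bytes]:
    """User part of the From URI, or None when there is no From header."""
    m = FROM_URI.search(packet)
    return m.group(1) if m else None


def parsed_rule_drops(packet: bytes) -> bool:
    """DROP (True) unless the From URI user part matches the extension scheme."""
    ext = from_extension(packet)
    return ext is None or ALLOWED_EXT.fullmatch(ext) is None


def register(user: bytes, extra_headers: bytes = b"") -> bytes:
    """Minimal SIP REGISTER for extension `user` (constructed, not a capture).

    Extra headers are placed before From, which a client is free to do.
    """
    return (
        b"REGISTER sip:pbx.example SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKabc\r\n"
        + extra_headers
        + b"From: <sip:%s@pbx.example>;tag=1\r\n" % user
        + b"To: <sip:%s@pbx.example>\r\n" % user
        + b"Contact: <sip:%s@203.0.113.10:5060>\r\n" % user
        + b"Content-Length: 0\r\n\r\n"
    )


SAMPLES: Dict[str, bytes] = {
    "legit":     register(b"1234567890"),                        # in scheme
    "wrong_ext": register(b"4242"),                              # out of scheme
    "bypass":    register(b"4242", b"Subject: sip:123456\r\n"),  # needle planted elsewhere
    "oversize":  register(b"1234567890", b"X-Pad: " + b"x" * 1600 + b"\r\n"),  # From past byte 1500
}


def evaluate(packet: bytes) -> Dict[str, bool]:
    """Outcome of both checks for one packet."""
    return {
        "string_rule_drops": string_rule_drops(packet),
        "parsed_rule_drops": parsed_rule_drops(packet),
    }


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {evaluate(pkt)}")
```

Running it prints one row per sample: the legitimate and wrong-extension packets come out the same under both checks, the "bypass" packet passes the string rule but not the parser, and the "oversize" packet is dropped by the string rule even though its From extension is in scheme. The model looks at the UDP payload only; the rule in the post applies to the wire packet, with the offset caveat noted in the docstring. The takeaway is that a substring match is a noise filter rather than an authentication check, so it belongs in front of the PBX's own registration authentication, not in place of it.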