NEW Safely Deploy Asterisk on Internet

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
We've reworked the IPtables setup in the PUBLIC implementation for Incredible PBX 13-13.10 to match the current Incredible PBX 16-15 setup which is much more secure. At least in our dozen honeypots, we haven't seen a single access attempt on either the 16-15 or 13-13.10 builds. Four new 13-13.10-PUBLIC servers were successfully brought on line at C@C with the new build this morning. As always, YMMV.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Here's what the new /etc/sysconfig/iptables should look like substituting your SSH port for zzzz and your server's IP address for both xxx.xxx.xxx.xxx entries and whitelisting your desktop IP address for yyy.yyy.yyy.yyy at the bottom of the config file. Leave /usr/local/sbin/iptables-custom as installed by previous running of PUBLIC script. Then iptables-restart. Then verify it's working: iptables -nL.

Code:
# Generated by iptables-save v1.4.7 on Thu Oct 26 08:42:00 2017
*nat
:PREROUTING ACCEPT [7:608]
:POSTROUTING ACCEPT [36:2319]
:OUTPUT ACCEPT [36:2319]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*mangle
:PREROUTING ACCEPT [1103:1400664]
:INPUT ACCEPT [1102:1400632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [656:59330]
:POSTROUTING ACCEPT [656:59330]
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p icmp -j DROP
-A PREROUTING -f -j DROP
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport zzzz -j ACCEPT
# Here's the Incredible PBX list of SIP Trusted Providers
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -m set --match-set cn src  -j DROP
-A INPUT -m set --match-set ru src  -j DROP
-A INPUT -m set --match-set ps src  -j DROP
-A INPUT -m set --match-set kp src  -j DROP
-A INPUT -m set --match-set ua src  -j DROP
-A INPUT -m set --match-set md src  -j DROP
-A INPUT -m set --match-set nl src  -j DROP
-A INPUT -m set --match-set fr src  -j DROP
-A INPUT -m set --match-set voipbl src -j DROP
# revised as detailed in subsequent postings
-A INPUT -p udp -m udp --dport 3000:5037 -j ACCEPT
-A INPUT -p udp -m udp --dport 5091:65535 -j ACCEPT
#-A INPUT -p udp -m udp --dport 3000:65535 -j ACCEPT
-A INPUT -m string --algo bm --string "xxx.xxx.xxx.xxx" -j DROP
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
# these have been moved to /usr/local/sbin/iptables-custom
# End of Trusted Provider Section
# Kitchen Sink entries below give full access to all server ports
# next 3 entries are replaced with your server, user, and public IP addresses
# this is a snapshot of where you were when you installed Incredible PBX
# It assures that you can log back in from there once we lock down IPtables
# NO RESTRICTIONS are placed on these 3 addresses or private LAN subnets!
# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s xxx.xxx.xxx.xxx -j ACCEPT
-A INPUT -s yyy.yyy.yyy.yyy -j ACCEPT
# your own additions go above here
COMMIT
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
 
Last edited:

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
@wardmundy - curious about the rules:
Code:
-A INPUT -p udp -m udp --dport 3000:65535 -j ACCEPT
-A INPUT -m string --algo bm --string \"$MYIP\" -j DROP
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT"
What is the purpose of the "-dport 3000:65535" rule? It pretty much negates the following two udp rules. Why that range?
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
@jerrm: You're right. Probably need two original rules for 3000:5037 and 5091:65535 since some SIP phones make SIP URI calls on ports other than 5060-5061 so you lose audio. We also wanna block incoming attacks on 5038 especially. These holes get plugged by Asterisk, but it would be better to block them with IPtables. Thanks.
 
Last edited:

Members online

Forum statistics

Threads
25,782
Messages
167,513
Members
19,203
Latest member
frapu
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Top