I think that you need to add some changes in the RULE sentence or add some other,

iptables -I INPUT -p TCP -s 87.230.90.5 --dport 5060 -j REJECT (yes, you need the -j)

The former needs the -j in any rule; this tells iptables to which target to JUMP when the condition is matched or satisfied.

On this rule you are telling iptables that all the packets coming from this source IP, having TCP protocol and pointed to the destination port,
must jump to ----------> another module or action, in this case REJECT or DROP, or to a custom CHAIN (i.e. BADGUYS) where you specify new rules to "treat" the bad guys.

Having said this, some suggestions follow....

1) change "-A INPUT" for "-I INPUT" so the rule will be inserted at the top, avoiding travelling through other rules with no sense :-), must hurry to block the enemy!!!!

2) change -p tcp (must be in lower case) for -p all (if your version supports it), or insert two rules, one for "udp" and the other for "tcp", if your PBX accepts registration on TCP connections, or just don't put anything in the protocol parameter: iptables -I INPUT -s 87.230.90.5 -j REJECT must block any packet from this source, no matter the protocol or port). Check your conf for SIP to know if you accept registration on TCP; former Asterisk versions (1.4 or lower) DON'T.

3) change REJECT (this creates outgoing traffic replying "rejected") by DROP (just leave the packet on the floor :-) )

4) add -i ethX if you have more than one Ethernet or network adapter (it means on which device to apply the filter); more effective, less charge to SPI the packet.

5) if you have one router/bridge (brX interface on the Linux box for QoS; br is made with two or more interfaces "bridged" at layer 2) and/or you have enabled forwarding between two interfaces, some rule also must be applied to the FORWARD chain, or the OUTPUT chain on the interface that connects to your PBX, regarding the source IP address -s 87.230.90.5, to avoid outgoing traffic from this source to your PBX, because INPUT ONLY APPLIES TO THOSE PACKETS THAT GO INTO THE BOX, NOT FOR passthrough or forward... be careful with that.

Once you have written the filter you can check if it is working using "iptables -L -vn"; this shows up the packets that match in the rules.

Example follows:

log]# iptables -L -vn

prints something like this:

Chain INPUT (policy ACCEPT 16M packets, 1614M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   144 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpts:1712:1720
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:1712:1720
   20   824 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
  252 13772 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 1958M bytes)
 pkts bytes target     prot opt in     out     source               destination

Note: here I block the H.323 ports, SSH and MySQL from any source on the in interface eth1, and as you can see at the bottom there is a listing for the other CHAINS.

I hope that I was helpful for you.

I apologize for the extension :-), but if it could help.

Marcos


asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
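An added example, not part of Marcos's post nor of the asterisk-biz list: a small POSIX shell script that turns suggestions 1 to 5 above (insert at the top of the chain, DROP instead of REJECT, no protocol so udp and tcp are both covered, restrict to one interface, cover FORWARD as well as INPUT) into the commands to run, and that parses an "iptables -L -vn" listing to show which rules are actually counting packets, which is the check the post describes. It assumes the interface name eth1 and the documentation address 192.0.2.10 as constructed placeholders, the sample listing is constructed and not taken from a real host, and the script only prints the iptables commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumptions: interface
# eth1 and source 192.0.2.10 are constructed placeholders; iptables itself is
# never invoked here, the commands are printed so they can be reviewed and
# then run with, e.g.:  build_block_rules 192.0.2.10 eth1 | sh

# Print the iptables commands that drop every packet from $1 arriving on
# interface $2, in both INPUT (traffic to the box itself) and FORWARD
# (bridged or routed traffic), per suggestion 5 of the post.
build_block_rules() {
    src="$1"
    iface="$2"
    for chain in INPUT FORWARD; do
        # -I puts the rule at the top of the chain, so it is evaluated first.
        # No -p, so udp, tcp and anything else from that source is dropped.
        # DROP generates no reply, unlike REJECT.
        echo "iptables -I $chain -i $iface -s $src -j DROP"
    done
}

# Parse 'iptables -L -vn' output (on stdin) and print, one per line,
# "chain pkts target [match]" for every rule whose packet counter is not 0.
# A rule that never counts a packet is either not matching the traffic you
# expected or is shadowed by an earlier rule in the chain.
hits_in_listing() {
    awk '
        /^Chain /         { chain = $2; next }   # remember the current chain
        /^ *pkts +bytes/  { next }               # skip the column header
        NF == 0           { next }               # skip blank lines
        # rule line: $1 pkts, $2 bytes, $3 target, $4 prot, $5 opt, $6 in,
        # $7 out, $8 source, $9 destination, $10.. extra match text
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s%s\n", chain, $1, $3, extra
        }
    '
}

# Constructed sample listing, shaped like the one in the post (not real
# counters from any host). The INPUT block rule has no hits yet, the
# FORWARD copy of it has already dropped 7 packets.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 16M packets, 1614M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   *       192.0.2.10           0.0.0.0/0
  252 13772 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   420 DROP       all  --  eth1   *       192.0.2.10           0.0.0.0/0
'

# Number of rules with hits in the sample listing.
count_hits() {
    printf '%s' "$SAMPLE_LISTING" | hits_in_listing | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
    build_block_rules 192.0.2.10 eth1
    printf '%s' "$SAMPLE_LISTING" | hits_in_listing
fi
```

Run it as "sh script.sh demo" to see both the generated commands and the two rules with hits; on a real box, pipe the output of "iptables -L -vn" into hits_in_listing instead of the constructed sample.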
