Hi, everybody. Currently I am running into some problems with Asterisk
security. Initially I did not set up any firewall for my server and unluckily it
was hacked by someone. I modified my iptables as below. Currently
I have two Ethernet cards, eth0 for net access and eth1 for the internal LAN
network. I only want to block the ports on eth0 and allow anything on
eth1, but the current setting blocks all other ports on both eth0 and
eth1. Does anybody know how to set it? Or, instead of that, does anybody know how to set up a
professional firewall for an Asterisk server? Thanks in advance.

============================================================================
*filter
:INPUT ACCEPT [60713:10783188]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [53370:9153725]
# SIP on UDP port 5060. Other SIP servers may need TCP port 5060 as well
# sometimes SIP is on port 5061 or 5062
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# IAX2 the IAX protocol
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# IAX
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# RTP : the media stream
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# SSH? : Secure shell sessions, open at port 22
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# httpd open at port 80.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# stop all other ports.
-A INPUT -j DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Thu Nov 2 17:16:22 2006
# Generated by iptables-save v1.2.11 on Thu Nov 2 17:16:22 2006
*nat
:PREROUTING ACCEPT [1469:101523]
:POSTROUTING ACCEPT [284:18747]
:OUTPUT ACCEPT [290:19275]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 2 17:16:22 2006
==================================================================

Best Regards
Johnny Xing Haipeng
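An interface-aware version of the ruleset, added here as an example and not taken from the post above or from the list: everything arriving on eth1 is accepted, the Asterisk ports are opened only on eth0, and the chain policy does the dropping instead of a trailing "-A INPUT -j DROP" that hits both cards. The interface names and the RTP range come from the post; the LOG prefix, the rate limit and the choice to still expose SSH on eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a per-interface ruleset for
# an Asterisk box with eth0 on the Internet and eth1 on the trusted LAN.
# Assumed: interface names and the RTP range 10000:20000 as in the post;
# the LOG prefix, rate limit and SSH-on-eth0 line are my own choices.
WAN=eth0
LAN=eth1

# Emit the iptables commands on stdout so the set can be reviewed
# (or compared with iptables-save output) before it is applied.
firewall_rules() {
    cat <<EOF
# default policies do the blocking; no catch-all DROP rule is needed
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and the LAN side are trusted in full
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
# eth0: replies to our own connections, the Asterisk services, and SSH
iptables -A INPUT -i $WAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 4569 -j ACCEPT
iptables -A INPUT -i $WAN -p udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
# httpd (80) and the extra IAX port (5036) from the post stay LAN-only;
# add an eth0 line for them only if they are really needed from outside
iptables -A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
# LAN may go out; only replies come back in
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Number of iptables commands in the set, for a quick sanity check.
rule_count() {
    firewall_rules | grep -c '^iptables'
}

# Apply the set (needs root); flush first so re-running is idempotent.
apply_rules() {
    iptables -F && iptables -t nat -F && firewall_rules | sh
}

if [ "$1" = "--apply" ]; then
    apply_rules
else
    firewall_rules
fi
```

Running the script without arguments only prints the rules; "--apply" loads them. Dropped packets on eth0 show up in the kernel log with the FW-DROP prefix, which is the first place to look after the kind of break-in described above.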
_______________________________________________ --Bandwidth and Colocation provided by Easynews.com --
Asterisk-Security mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-security
