On 12/06/2010 15:09, sean darcy wrote:
> I decided to include the following in each sip.conf stanza that has an
> outgoing context:
>
> deny=0.0.0.0/0.0.0.0
> permit=10.10.10.0/24
>

If all your phones are on a defined network like that, you really should use iptables to allow inbound SIP from the 10-network and from the IP addresses of your provider(s) only.

> Blacklisting won't work - see Whack-a-mole.
>

Well, in your case you need to think the other way (whitelisting), and that works pretty nicely.

> Does the deny/permit do the trick?
>

It should, as long as the Asterisk auth is working fine. But I would strongly urge you to add an iptables (or any other FW) layer on top of it; better safe than sorry.
Example:

    *filter
    :INPUT DROP [0:0]
    :SIP - [0:0]
    :IAX - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i bond0 -p icmp -m icmp --icmp-type any -j ACCEPT
    # ssh
    -A INPUT -i bond0 -s .... -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -i bond0 -p udp -m udp --dport 5060 -j SIP
    -A INPUT -i bond0 -p udp -m udp --dport 4569 -j IAX
    -A SIP --src 10.10.10.0/24 -j ACCEPT
    -A SIP --src ip.provider.1 -j ACCEPT
    -A SIP --src ip.provider.2 -j ACCEPT
    ...
    -A IAX --src 10.10.10.0/24 -j ACCEPT
    COMMIT
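The reply relies on two facts worth checking before trusting a sip.conf ACL: Asterisk evaluates permit/deny lines in order and the last matching line wins (so `deny=0.0.0.0/0.0.0.0` must come first), and an address matched by no line is allowed. The following is an added example, not code from the thread or from Asterisk; it evaluates an address against the quoted ACL the way Asterisk does and renders the matching iptables whitelist chain the reply recommends layering on top. The provider address `198.51.100.10` and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed sip.conf ACL, copied from the lines quoted in the thread.
SIP_ACL = [
    "deny=0.0.0.0/0.0.0.0",
    "permit=10.10.10.0/24",
]

# Assumed provider address (documentation range), standing in for ip.provider.1.
PROVIDER_IPS = ["198.51.100.10"]


def parse_acl_line(line):
    """Parse one 'permit=' or 'deny=' line into (sense, network).

    Asterisk accepts both CIDR ('10.0.0.0/8') and dotted-mask
    ('10.0.0.0/255.0.0.0') notation; ipaddress handles both forms.
    """
    key, _, value = line.strip().partition("=")
    key = key.strip().lower()
    if key not in ("permit", "deny"):
        raise ValueError(f"not an ACL line: {line!r}")
    return key, ipaddress.ip_network(value.strip(), strict=False)


def acl_allows(acl_lines, addr):
    """Return True if Asterisk's ACL would let addr through.

    Rules are checked in order and the LAST matching rule decides; an
    address that matches no rule is allowed, which is why a catch-all
    deny has to be the first line.
    """
    ip = ipaddress.ip_address(addr)
    verdict = True  # no matching rule means "allow"
    for line in acl_lines:
        sense, net = parse_acl_line(line)
        if ip in net:
            verdict = sense == "permit"
    return verdict


def iptables_sip_chain(acl_lines, provider_ips, iface="bond0", chain="SIP"):
    """Render an iptables-restore fragment whitelisting UDP/5060.

    Sources are the networks the sip.conf ACL permits plus the provider
    addresses, mirroring the SIP chain in the reply; anything else falls
    through to the INPUT DROP policy.
    """
    permitted = [str(net) for sense, net in map(parse_acl_line, acl_lines)
                 if sense == "permit"]
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        f":{chain} - [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        f"-A INPUT -i {iface} -p udp -m udp --dport 5060 -j {chain}",
    ]
    for src in permitted + list(provider_ips):
        rules.append(f"-A {chain} --src {src} -j ACCEPT")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    for addr in ("10.10.10.5", "203.0.113.7"):
        print(addr, "allowed" if acl_allows(SIP_ACL, addr) else "denied")
    # Swapping the two lines silently denies the phones: last match wins.
    print("reversed order:", acl_allows(list(reversed(SIP_ACL)), "10.10.10.5"))
    print(iptables_sip_chain(SIP_ACL, PROVIDER_IPS))
```

Feed the rendered fragment to `iptables-restore` only after adding the SSH and ICMP rules from the reply, since the fragment's INPUT policy is DROP.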
