On 06/12/2010 10:57 AM, Benoit wrote:
> On 12/06/2010 15:09, sean darcy wrote:
>> I decided to include the following in each sip.conf stanza that has an
>> outgoing context:
>>
>> deny=0.0.0.0/0.0.0.0
>> permit=10.10.10.0/24
>>
> If all your phones are on a defined network like that, you really should
> use iptables to allow inbound SIP from the 10-network and from the ip
> addresses of your provider(s) only.
>> Blacklisting won't work - see Whack-a-mole.
>>
> Well, in your case you need to think the other way (whitelisting), and
> that works pretty nice
>> Does the deny/permit do the trick?
>>
> It should, as long as the asterisk auth is working fine. But I would
> strongly urge you to add an iptables (or any other FW) layer on top of
> it, better safe than sorry.
>
> Example:
>
> *filter
> :INPUT DROP [0:0]
> :SIP - [0:0]
> :IAX - [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i bond0 -p icmp -m icmp --icmp-type any -j ACCEPT
> # ssh
> -A INPUT -i bond0 -s .... -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i bond0 -p udp -m udp --dport 5060 -j SIP
> -A INPUT -i bond0 -p udp -m udp --dport 4569 -j IAX
> -A SIP --src 10.10.10.0/24 -j ACCEPT
> -A SIP --src ip.provider.1 -j ACCEPT
> -A SIP --src ip.provider.2 -j ACCEPT
> ...
> -A IAX --src 10.10.10.0/24 -j ACCEPT
> COMMIT
>
The trouble with whitelisting, or using iptables to block 5060 (in fact * is
behind a router - 5060 is port forwarded) is that traveling employees
wouldn't be able to register with inbound extensions. We set up our
travelers so they can connect from wherever, and be treated as if they were
at a local extension. That is, the employee can dial 151, or be dialed at
his extension. He cannot however dial third parties, or at least isn't
supposed to.

sean
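An added illustration of the deny/permit behaviour discussed in this thread (example code written for this page, not from the list posts or from Asterisk itself): Asterisk walks a peer's deny/permit rules in order and the last matching rule decides, with no match meaning allow. The stanzas below are constructed; the peer names, the `internal-only` context and the sample addresses are assumptions, showing a LAN-locked extension next to a traveler peer that may register from anywhere but is confined to an internal-only dial context.

```python
import ipaddress

# Constructed sip.conf fragment (not from the thread): extension 151 is
# limited to the 10.10.10.0/24 LAN; "traveler-bob" has no ACL so it can
# register from any address, and relies on its context to stop outbound calls.
SIP_CONF = """
[151]
type=friend
context=internal-only
deny=0.0.0.0/0.0.0.0
permit=10.10.10.0/24

[traveler-bob]
type=friend
context=internal-only
"""

def make_acl(rules):
    """Turn [(sense, 'addr/mask'), ...] into [(sense, ip_network), ...] in order."""
    return [(sense, ipaddress.ip_network(net, strict=False)) for sense, net in rules]

def parse_sip_conf(text):
    """Minimal [section] / key=value parser; deny/permit lines keep their file order."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            peers[current] = {"acl": []}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ("deny", "permit"):
                peers[current]["acl"] += make_acl([(key, value)])
            else:
                peers[current][key] = value
    return peers

def acl_allows(acl, src_ip):
    """Asterisk-style evaluation: every matching rule overrides the previous
    result, so the last match wins; an empty ACL or no match allows."""
    allowed = True
    for sense, net in acl:
        if ipaddress.ip_address(src_ip) in net:
            allowed = (sense == "permit")
    return allowed

def peer_allows(peers, name, src_ip):
    """Would a registration from src_ip pass this peer's deny/permit list?"""
    return acl_allows(peers[name]["acl"], src_ip)
```

Swapping the two rules (permit first, then deny everything) denies the LAN as well, which is why the deny line must come first in the stanza.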
