On Friday 02 Jul 2010, Tim Nelson wrote:
> ----- "A J Stiles" <[email protected]> wrote:
> > On Friday 02 Jul 2010, Ira wrote:
> > > At 11:14 PM 7/1/2010, you wrote:
> > > > Same activity from these IPs:
> > > > 174.129.137.135
> > >
> > > Given that my Asterisk box is used for nothing but Asterisk and I
> > > know the small number of IPs that need to have access, is there an
> > > easy way to use iptables to block everything but those 6 IPs and
> > > provider addresses?
> >
> > Yes, dead easy! Just configure iptables to accept IAX traffic (TCP
> > and UDP port 4569) only from trusted IP addresses, and drop it from
> > anywhere else.
> > [ stuff omitted ]
>
> IAX is UDP only, not TCP. Also, what if he's using SIP (UDP/5060) for
> connectivity to the outside world? He'll need rules for this, in addition
> to RTP media (typically UDP/10000-20000)...
OK, so you might not need the lines with -p tcp in them; I was just being efficient (i.e., cribbing from an old config file that has worked for me since forever).

All the setups on which I've worked have used SIP on the inside, and IAX on the outside. That way, you don't need so many ports open -- and you avoid the 'mare that is funnelling telephony through NAT. (See also FTP and fax.)

If you need other ports open, the same general principles apply. Read the iptables man page, look at other people's firewall scripts; and most importantly of all, make sure you have a keyboard and monitor plugged into the machine, because one day you *will* accidentally block port 22 from 0.0.0.0/0.

-- 
AJS

asterisk-users mailing list
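The ruleset the thread describes, written out as an added example rather than the poster's own config file: a small POSIX sh script that prints an iptables INPUT ruleset for a box that does nothing but Asterisk. It accepts IAX2 only from the trusted peers (UDP only, as Tim Nelson points out), SIP signalling and the RTP media range only from the provider's addresses, SSH only from one management host, and drops everything else. It also guards against the port-22 lockout AJS warns about by refusing to emit the DROP policy unless a tcp/22 ACCEPT rule precedes it. The addresses are constructed placeholders from the RFC 5737 documentation ranges, the RTP range is assumed to be Asterisk's default 10000-20000 (it must match rtp.conf), and `gen_rules` and `check_ssh_guard` are this example's own helpers, not anything from the list or from Asterisk.

```shell
#!/bin/sh
# Added example, not the poster's config. Generates an iptables INPUT ruleset
# for a single-purpose Asterisk box: IAX2 (UDP/4569) only from trusted peers,
# SIP signalling (UDP/5060) and RTP media (UDP/10000-20000) only from the
# provider's ranges, SSH only from one management host, everything else dropped.
# All addresses are constructed placeholders from the RFC 5737 documentation
# ranges; replace them with your own.
set -eu

TRUSTED_IAX="${TRUSTED_IAX:-192.0.2.10 192.0.2.11 198.51.100.0/28}"
SIP_PROVIDERS="${SIP_PROVIDERS:-203.0.113.0/24}"
MGMT_SSH="${MGMT_SSH:-192.0.2.1}"
RTP_PORTS="${RTP_PORTS:-10000:20000}"   # must match rtpstart/rtpend in rtp.conf

# gen_rules prints the iptables commands instead of executing them, so the
# ruleset can be reviewed (or diffed against the running one) before it is
# applied. Ordering matters: the management rule comes first, the DROP policy
# is set last.
gen_rules() {
    ipt=iptables
    echo "$ipt -P INPUT ACCEPT"   # stay permissive while the chain is rebuilt
    echo "$ipt -F INPUT"
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Management access before anything else: this is the rule that keeps
    # you from needing the keyboard and monitor.
    echo "$ipt -A INPUT -p tcp -s $MGMT_SSH --dport 22 -j ACCEPT"
    # IAX2 is UDP only; trunk peers only.
    for peer in $TRUSTED_IAX; do
        echo "$ipt -A INPUT -p udp -s $peer --dport 4569 -j ACCEPT"
    done
    # SIP and RTP from the provider. Inbound RTP is a separate UDP flow, so
    # the conntrack rule above does not cover it; if the provider's media
    # gateways use addresses other than its SIP proxies, list those too.
    for prov in $SIP_PROVIDERS; do
        echo "$ipt -A INPUT -p udp -s $prov --dport 5060 -j ACCEPT"
        echo "$ipt -A INPUT -p udp -s $prov --dport $RTP_PORTS -j ACCEPT"
    done
    # Everything else, including IAX/SIP from untrusted sources, falls to
    # the chain policy.
    echo "$ipt -P INPUT DROP"
}

# check_ssh_guard reads a ruleset on stdin and fails if the INPUT policy
# would go to DROP without a tcp/22 ACCEPT rule before it: the lockout the
# thread warns about.
check_ssh_guard() {
    awk '
        /-P INPUT DROP/ && !seen_ssh { exit 1 }
        /-p tcp/ && /--dport 22 / && /-j ACCEPT/ { seen_ssh = 1 }
    '
}

case "${1:-print}" in
    apply) gen_rules | check_ssh_guard && gen_rules | sh -e ;;  # run as root
    *)     gen_rules ;;
esac
```

Run it with no argument to print the rules for review; `apply` pipes them into a shell only after the guard passes. The guard is deliberately crude (it only checks ordering within the generated text), so it does not replace testing the ruleset from the management host before walking away from the console.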
