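#!/bin/bash
#
# Host firewall for an Asterisk SIP/RTP server (iptables filter table only).
#
# Originally shared on the asterisk-users mailing list by Nick (Toronto).
# The pasted version had its long lines cut off at the terminal edge and the
# site addresses written as <placeholders>; this copy restores the truncated
# options and turns the placeholders into variables that must be filled in.
#
# How the rule set works:
#   * INPUT, OUTPUT and FORWARD default to DROP; loopback is unrestricted.
#   * Packets on $INTIF1 are sent by protocol into the ICMP / TCP / UDP
#     chains. Whatever those chains do not ACCEPT returns and is handed to
#     LOGINPUT / LOGOUTPUT, which write a rate-limited kernel log entry and
#     then DROP.
#   * Because the UDP chain is reached from both INPUT and OUTPUT, a rule in
#     it with no -i/-o/-s/-d constraint matches in both directions.
#
# Read before running:
#   * The ICMP and TCP chains are created but contain no rules, so every
#     ICMP and TCP packet on $INTIF1 is logged and dropped. That includes
#     SSH to this host and ICMP errors used for path-MTU discovery; add
#     rules to those chains for anything you need.
#   * Only SIP (UDP 5060) and the RTP port range are opened. Outbound UDP
#     53 (DNS) and NTP are not, so registering to a provider by hostname
#     will fail until you add them.
#   * DROP policies are installed before any ACCEPT rule and nothing opens
#     TCP, so running this over SSH cuts that session. Use the console.
#   * With set -e, a failing iptables call stops the script with the DROP
#     policies already in place (fail closed) instead of continuing.
#   * The commented-out 0.0.0.0/0 DROP rules and tighter RTP rules are kept
#     from the original as the intended hardening once the provider's RTP
#     addresses are known. A stateful
#     `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule would
#     replace most of the mirrored in/out rules; it is not added here so the
#     original's explicit per-direction design is preserved.
#
# Usage (as root):
#   LOCAL_NET=... ASTERISK_IP=... PROVIDER_IP=... ./firewall.sh
# or set the three values in the "Site-specific addresses" section below.

set -euo pipefail

readonly IPTABLES='/sbin/iptables'

# Interface the rules apply to.
readonly INTIF1='eth0'

# --- Site-specific addresses — FILL IN before running -------------------------
# Examples use the RFC 5737 documentation range (constructed, not real).
LOCAL_NET="${LOCAL_NET:-}"       # the local /24, e.g. 192.0.2.0/24
ASTERISK_IP="${ASTERISK_IP:-}"   # this Asterisk server's address, e.g. 192.0.2.10
PROVIDER_IP="${PROVIDER_IP:-}"   # the provider's (Time Warner) SIP address
# The original used separate placeholders for the provider's inbound source
# ("time warner ip") and outbound destination ("time warner sip server").
# They default to the same value; override PROVIDER_SIP_SERVER if they differ.
PROVIDER_SIP_SERVER="${PROVIDER_SIP_SERVER:-$PROVIDER_IP}"
: "${LOCAL_NET:?set LOCAL_NET to the local /24 (e.g. 192.0.2.0/24)}"
: "${ASTERISK_IP:?set ASTERISK_IP to the Asterisk server address}"
: "${PROVIDER_IP:?set PROVIDER_IP to the provider's SIP address}"
readonly LOCAL_NET ASTERISK_IP PROVIDER_IP PROVIDER_SIP_SERVER

# --- Limits -------------------------------------------------------------------
readonly LIMIT='2/sec'      # defined in the original but not used by any rule
readonly LOGLIMIT='5/min'   # rate of LOG entries per log rule
readonly LIMITBURST='5'     # burst allowed before LOGLIMIT applies

# SIP signalling port and the RTP media range the rules accept.
# NOTE: 8000:65000 is very wide; narrow it to the range configured in
# Asterisk's rtp.conf once known.
readonly SIP_PORT='5060'
readonly RTP_PORTS='8000:65000'

#######################################
# Append a rate-limited LOG rule.
# Globals:   IPTABLES, LOGLIMIT, LIMITBURST (read)
# Arguments: $1 - chain to append to
#            $2 - --log-prefix text
#            $@ - remaining iptables match arguments (-i/-o, -p, -f, ...)
# Returns:   iptables exit status
#######################################
log_rule() {
  local chain=$1 prefix=$2
  shift 2
  "$IPTABLES" -A "$chain" "$@" \
    -m limit --limit "$LOGLIMIT" --limit-burst "$LIMITBURST" \
    -j LOG --log-prefix "$prefix" --log-tcp-options --log-ip-options
}

# --- Reset --------------------------------------------------------------------
# Flush all rules and delete user chains (filter table only).
"$IPTABLES" -F
"$IPTABLES" -X

# Default to DROP in every direction.
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP

# Loopback is unrestricted.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Per-protocol chains and the log-then-drop chains.
"$IPTABLES" -N ICMP
"$IPTABLES" -N TCP
"$IPTABLES" -N UDP
"$IPTABLES" -N LOGINPUT
"$IPTABLES" -N LOGOUTPUT

# --- SIP signalling (UDP 5060) ------------------------------------------------
# Both directions require the SOURCE port to be 5060 as well, so a peer that
# sends SIP from another port does not match these rules.
#
# Incoming: from the local /24 and from the provider, to this server.
"$IPTABLES" -A UDP -p udp -m udp -s "$LOCAL_NET" --sport "$SIP_PORT" \
  -d "$ASTERISK_IP" --dport "$SIP_PORT" -j ACCEPT
"$IPTABLES" -A UDP -p udp -m udp -s "$PROVIDER_IP" --sport "$SIP_PORT" \
  -d "$ASTERISK_IP" --dport "$SIP_PORT" -j ACCEPT
# Disabled in the original: explicit DROP for SIP from anywhere else.
# Unmatched SIP is dropped by LOGINPUT anyway; enabling this skips the log.
# "$IPTABLES" -A UDP -p udp -m udp -s 0.0.0.0/0 --sport "$SIP_PORT" \
#   -d "$ASTERISK_IP" --dport "$SIP_PORT" -j DROP

# Outgoing: from this server to the local /24 and to the provider.
# (The original had "<time warner sip server>--dport" with the space
# missing, and "0.0.0.0/00" in the disabled rule; both fixed here.)
"$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" --sport "$SIP_PORT" \
  -d "$LOCAL_NET" --dport "$SIP_PORT" -j ACCEPT
"$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" --sport "$SIP_PORT" \
  -d "$PROVIDER_SIP_SERVER" --dport "$SIP_PORT" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" --sport "$SIP_PORT" \
#   -d 0.0.0.0/0 --dport "$SIP_PORT" -j DROP

# --- RTP media ----------------------------------------------------------------
# RTP may or may not come from the same server as the SIP messages, and may
# or may not come from the provider's netmask. Until that has been
# determined, the wide rules below are active; the commented variants are
# the tightened versions to switch to once the RTP sources are known.
#
# The original wide rules had no interface match, so the "incoming" rule
# also accepted any outgoing UDP to the range and the "outgoing" rule any
# incoming UDP from it. -i / -o pin each rule to the direction its label
# claims (they simply never match when the UDP chain is entered from the
# other built-in chain).
#
# Incoming RTP: any source, any destination, UDP 8000-65000.
"$IPTABLES" -A UDP -i "$INTIF1" -p udp -m udp --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -d "$ASTERISK_IP" --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$LOCAL_NET" -d "$ASTERISK_IP" \
#   --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$PROVIDER_IP" -d "$ASTERISK_IP" \
#   --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s 0.0.0.0/0 -d "$ASTERISK_IP" \
#   --dport "$RTP_PORTS" -j DROP

# Outgoing RTP: any packet leaving with a source port in the range.
"$IPTABLES" -A UDP -o "$INTIF1" -p udp -m udp --sport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" --sport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" -d "$LOCAL_NET" \
#   --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" -d "$PROVIDER_IP" \
#   --dport "$RTP_PORTS" -j ACCEPT
# "$IPTABLES" -A UDP -p udp -m udp -s "$ASTERISK_IP" -d 0.0.0.0/0 \
#   --dport "$RTP_PORTS" -j DROP

# --- Dispatch by protocol -----------------------------------------------------
# Input: ICMP, TCP and UDP on $INTIF1 go to their chains.
"$IPTABLES" -A INPUT -i "$INTIF1" -p icmp -j ICMP
"$IPTABLES" -A INPUT -i "$INTIF1" -p tcp -j TCP
"$IPTABLES" -A INPUT -i "$INTIF1" -p udp -j UDP
# Output: same chains, so every UDP rule above applies to both directions.
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p icmp -j ICMP
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p tcp -j TCP
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p udp -j UDP

# --- Log and drop whatever was not accepted -----------------------------------
# The TCP rules log only connection attempts (SYN without ACK/FIN/RST);
# the -f rules log non-first fragments. Prefixes cut off in the original
# paste ("TCP LOGINPUTDRO", "TCP LOGOUTPUTD") are completed to the pattern
# used by the other rules.
log_rule LOGINPUT "ICMP LOGINPUTDROP: " -i "$INTIF1" -p icmp
log_rule LOGINPUT "TCP LOGINPUTDROP: " -i "$INTIF1" -p tcp \
  --tcp-flags FIN,SYN,RST,ACK SYN
log_rule LOGINPUT "UDP LOGINPUTDROP: " -i "$INTIF1" -p udp
log_rule LOGINPUT "FRAGMENT LOGINPUTDROP: " -i "$INTIF1" -f
"$IPTABLES" -A LOGINPUT -j DROP
"$IPTABLES" -A INPUT -p icmp -i "$INTIF1" -j LOGINPUT
"$IPTABLES" -A INPUT -p tcp -i "$INTIF1" -j LOGINPUT
"$IPTABLES" -A INPUT -p udp -i "$INTIF1" -j LOGINPUT

log_rule LOGOUTPUT "ICMP LOGOUTPUTDROP: " -o "$INTIF1" -p icmp
log_rule LOGOUTPUT "TCP LOGOUTPUTDROP: " -o "$INTIF1" -p tcp \
  --tcp-flags FIN,SYN,RST,ACK SYN
log_rule LOGOUTPUT "UDP LOGOUTPUTDROP: " -o "$INTIF1" -p udp
log_rule LOGOUTPUT "FRAGMENT LOGOUTPUTDROP: " -o "$INTIF1" -f
"$IPTABLES" -A LOGOUTPUT -j DROP
"$IPTABLES" -A OUTPUT -p icmp -o "$INTIF1" -j LOGOUTPUT
"$IPTABLES" -A OUTPUT -p tcp -o "$INTIF1" -j LOGOUTPUT
"$IPTABLES" -A OUTPUT -p udp -o "$INTIF1" -j LOGOUTPUT

# --- Reject what is left ------------------------------------------------------
# NOTE: ICMP, TCP and UDP on $INTIF1 never reach the four TCP/UDP REJECT
# rules: they were already sent to LOGINPUT/LOGOUTPUT, which end in DROP.
# Only packets of other IP protocols reach the proto-unreachable rules.
# The rules are kept exactly as in the original.
"$IPTABLES" -A INPUT -i "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
"$IPTABLES" -A INPUT -i "$INTIF1" -p udp -j REJECT \
  --reject-with icmp-port-unreachable
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p tcp -j REJECT --reject-with tcp-rst
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p udp -j REJECT \
  --reject-with icmp-port-unreachable
# Remaining protocols on $INTIF1, in both directions. (The original paste
# contained the OUTPUT rule twice; it is needed only once.)
"$IPTABLES" -A INPUT -i "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable
"$IPTABLES" -A OUTPUT -o "$INTIF1" -j REJECT --reject-with icmp-proto-unreachable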
