Firewall Issue


Hi,

I seem to be facing an intrusion issue, in spite of the firewall (script attached).

What am I missing?

Any suggestions / recommendations are welcome, please.

Best regards,
Sans

#!/bin/bash

echo 0 > /proc/sys/net/ipv4/ip_forward

# Clear any existing firewall stuff before we start
/sbin/iptables --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --policy OUTPUT ACCEPT

# Allow all incoming traffic if it is coming from the local loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow returning packets
/sbin/iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow incoming traffic on port 8000 for the web server & 2200 for SSH
/sbin/iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 2200 -j ACCEPT

#############################################################################
###################### RESTRICTED SIP ACCESS ################################
#############################################################################

# LAN
/sbin/iptables -A INPUT -p tcp -i eth0 -s 192.168.1.0/24 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.1.0/24 --dport 10000:20000 -j ACCEPT

# Allow traffic from VoIP Service Provider
/sbin/iptables -A INPUT -p udp -i eth1 -s 11.11.11.11 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 -s 11.11.11.11 --dport 5060:5062 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 -s 11.11.11.11 --dport 10000:20000 -j ACCEPT

# Check new packets are SYN packets for syn-flood protection
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragmented packets
/sbin/iptables -A INPUT -f -j DROP

# Drop malformed XMAS packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop null packets
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Log and drop any packets that are not allowed. You will probably want to turn off the logging
#/sbin/iptables -A INPUT -j LOG --log-level 4
/sbin/iptables -A INPUT -j REJECT

6 thoughts on "Firewall Issue"

  • Why did you decide so? And what kind of intrusion? Any dump of sniffer will
    be appreciated.

    2011/8/6 RSCL Mumbai

  • Hi,

    (1) For a few days now, I have been seeing unexpected (unwanted) calls reaching my
    Asterisk server.
    Please see the attached log files.

    (2) I believe the source IP of these calls is the IP mentioned under the
    CHANNELS column.

    (3) But as per my firewall, these calls should not have reached Asterisk.
    They should have been dropped by the firewall.

    Please suggest if my thinking is in the correct direction, and what should
    be my next step.

    Best regards,
    Sans

    | calldate            | clid              | src      | dst | dcontext   | channel                     | dstchannel | lastapp | lastdata | duration | billsec | disposition | amaflags | accountcode | uniqueid        | userfield | dnid            |
    |---------------------|-------------------|----------|-----|------------|-----------------------------|------------|---------|----------|----------|---------|-------------|----------|-------------|-----------------|-----------|-----------------|
    | 2011-08-04 11:23:15 | "000441913561021" | asterisk | s   | from-trunk | SIP/94.247.178.106-00000285 |            | Hangup  |          | 19       | 19      | ANSWERED    | 3        |             | 1312471395.2207 |           | 000441913561021 |
    | 2011-08-04 15:26:19 | "001441913561025" | asterisk | s   | from-trunk | SIP/72.32.198.159-00000401  |            | Hangup  |          | 18       | 18      | ANSWERED    | 3        |             | 1312485979.6667 |           | 001441913561025 |
    | 2011-08-04 17:51:12 | "002441913561017" | asterisk | s   | from-trunk | SIP/50.28.9.55-000004b4     |            | Hangup  |          | 19       | 18      | ANSWERED    | 3        |             | 1312494672.7195 |           | 002441913561017 |
    | 2011-08-04 16:20:20 | "2441913561035"   | asterisk | s   | from-trunk | SIP/75.125.193.162-00000446 |            | Hangup  |          | 16       | 16      | ANSWERED    | 3        |             | 1312489220.6866 |           | 2441913561035   |

  • If you take a deeper look at the SIP packets you will be able to understand the issue.

    Iptables filters on layer 3 while SIP is on layer 7. It is easily possible to generate a SIP packet with a different source IP than that of the physical interface.

    You can also simulate it if you set external-ip=some-else-ip in sip.conf in Asterisk. All your SIP packets will contain the new some-else-ip while the layer-3 headers will still carry the actual physical interface IP.

    Sent: Monday, August 08, 2011 5:18 PM

    Also, you can set allowguest=no in sip.conf, if you haven't done so already.

    I will check sip.conf, but logically the packets should not be reaching Asterisk.
    iptables should have blocked them.

    Sans
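The layer-3 versus layer-7 mismatch described in the comment above can be checked directly on a captured INVITE. The following is an added example written for this page, not code from the thread, from Asterisk, or from the poster's firewall script: it parses the Via, From and Contact headers of a SIP request, compares the IPv4 literal they carry with the layer-3 source address the packet actually arrived from, and checks that layer-3 address against the SIP allow-list taken from the firewall script in the original post (192.168.1.0/24 on the LAN and the provider placeholder 11.11.11.11). The INVITE itself and the layer-3 source addresses are constructed for the example; 94.247.178.106 is the address from the first CDR row above.

```python
"""Compare the address iptables filtered on (layer 3) with the addresses a
SIP request carries in its own headers (layer 7).

Added example for this thread; not code from Asterisk or from the posted script.
"""
import ipaddress
import re

# SIP allow-list reconstructed from the firewall script in the original post:
# LAN hosts on eth0 and the VoIP provider (placeholder 11.11.11.11) on eth1.
SIP_ALLOWED_SOURCES = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("11.11.11.11/32"),
)

# Constructed sample INVITE. The Via/From/Contact hosts name 94.247.178.106
# (the address from the first CDR row); the layer-3 source is passed separately,
# because the IP header is the only place iptables ever looks.
SAMPLE_INVITE = (
    "INVITE sip:000441913561021@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 94.247.178.106:5060;branch=z9hG4bK-example\r\n"
    "From: \"000441913561021\" <sip:000441913561021@94.247.178.106>;tag=example\r\n"
    "To: <sip:000441913561021@pbx.example>\r\n"
    "Contact: <sip:000441913561021@94.247.178.106:5060>\r\n"
    "Call-ID: example-call-id@94.247.178.106\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_headers(raw):
    """Map lower-cased header name -> list of values (request line skipped, body ignored)."""
    headers = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        match = HEADER_RE.match(line)
        if match:
            headers.setdefault(match.group(1).lower(), []).append(match.group(2))
    return headers


def header_hosts(headers):
    """First IPv4 literal in each of Via, From and Contact (IPv4 only; hostnames are skipped)."""
    hosts = {}
    for name in ("via", "from", "contact"):
        for value in headers.get(name, []):
            match = IPV4_RE.search(value)
            if match:
                hosts[name] = match.group(1)
                break
    return hosts


def is_allowed_source(ip):
    """Would the posted ruleset accept a SIP packet whose layer-3 source is ip?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SIP_ALLOWED_SOURCES)


def analyse(l3_source, raw_message):
    """Classify why a call can display an address the firewall should have blocked."""
    hosts = header_hosts(parse_headers(raw_message))
    mismatch = {name: host for name, host in hosts.items() if host != l3_source}
    allowed = is_allowed_source(l3_source)
    if not allowed:
        # The ruleset does not admit this layer-3 source at all: if Asterisk still saw
        # the packet, the rules were not loaded or not applied on the arrival interface.
        verdict = "RULESET_NOT_EFFECTIVE"
    elif mismatch:
        # The packet passed the layer-3 allow-list; the address Asterisk displays comes
        # from SIP headers and is not the address iptables filtered on.
        verdict = "L7_ADDRESS_DIFFERS"
    else:
        verdict = "CONSISTENT"
    return {"l3_source": l3_source, "l3_allowed": allowed,
            "header_hosts": hosts, "header_mismatch": mismatch, "verdict": verdict}


if __name__ == "__main__":
    # Same INVITE, two constructed arrival scenarios: via the permitted provider
    # address, and directly from the address named in the headers.
    for src in ("11.11.11.11", "94.247.178.106"):
        result = analyse(src, SAMPLE_INVITE)
        print(src, result["verdict"], result["header_hosts"])
```

Run against real traffic, the layer-3 source comes from the capture (for example the `src` of the UDP datagram in a tcpdump/tshark dump), not from anything inside the SIP message. A RULESET_NOT_EFFECTIVE result for a call that reached Asterisk means the rules in the script were not in force when the packet arrived; an L7_ADDRESS_DIFFERS result matches the explanation given in the comment above, where the address Asterisk shows is not the one iptables matched on.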

  • 2011/8/8 Антон Квашёнкин

    [root@e1 ~]# lsmod | grep ipt
    ipt_REJECT 38977 1
    iptable_filter 36161 1
    iptable_nat 40773 0
    ip_nat 53101 1 iptable_nat
    ip_conntrack 91621 3 xt_state,iptable_nat,ip_nat
    ip_tables 55201 2 iptable_filter,iptable_nat
    x_tables 50505 5 ipt_REJECT,xt_tcpudp,xt_state,iptable_nat,ip_tables