yboujraf/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Securing Asterisk VoIP Server with IPTables

This Gist contains my IPTables rules for securing the Asterisk VoIP server. The "string" module is used to identify legitimate users and block attackers.
Link to my detailed Asterisk security tutorial

Learn how to set up your personal VoIP server
↓  ↓  ↓ Scroll down for the IPTables rules ↓  ↓  ↓
License

Copyright (C) 2013 Lin Song 
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.


## iptables.rules
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ICMPALL - [0:0]
:IPSPF - [0:0]
:ASIP - [0:0]
:DPTS - [0:0]
:RLMSET - [0:0]
-A INPUT -p tcp --dport 5060:5082 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP -j DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m recent --update --name RLM --seconds 600 --hitcount 1 -j DROP
-A INPUT -p icmp --icmp-type 255 -j ICMPALL
# Allow DHCP traffic
-A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i eth+ -j IPSPF
# Replace YOUR_SSH_PORT with your server's SSH port!
-A INPUT -p tcp --dport YOUR_SSH_PORT -j ACCEPT
-A INPUT -j ASIP
-A INPUT -j DPTS
-A INPUT -m limit --limit 10/min -j LOG
-A INPUT -j DROP
-A ICMPALL -p icmp --fragment -j DROP
-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
-A ICMPALL -p icmp -j DROP
# Drop packets FROM bogon IPv4 addresses
# Delete the line below if your server uses this range:
-A IPSPF -s 10.0.0.0/8 -j DROP
# Same as above
-A IPSPF -s 172.16.0.0/12 -j DROP
# Save as above
-A IPSPF -s 192.168.0.0/16 -j DROP
-A IPSPF -s 0.0.0.0/8 -j DROP
-A IPSPF -s 100.64.0.0/10 -j DROP
-A IPSPF -s 127.0.0.0/8 -j DROP
-A IPSPF -s 169.254.0.0/16 -j DROP
-A IPSPF -s 192.0.0.0/24 -j DROP
-A IPSPF -s 192.0.2.0/24 -j DROP
-A IPSPF -s 198.18.0.0/15 -j DROP
-A IPSPF -s 198.51.100.0/24 -j DROP
-A IPSPF -s 203.0.113.0/24 -j DROP
-A IPSPF -s 224.0.0.0/4 -j DROP
-A IPSPF -s 240.0.0.0/4 -j DROP
-A IPSPF -s 255.255.255.255 -j DROP
# Drop packets TO broadcast/multicast/loopback IPs
-A IPSPF -d 0.0.0.0/8 -j DROP
-A IPSPF -d 127.0.0.0/8 -j DROP
-A IPSPF -d 224.0.0.0/4 -j DROP
-A IPSPF -d 255.255.255.255 -j DROP
# These are some bad TCP flags used in attacks:
-A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
-A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
-A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
# Reject NEW TCP packets w/ ACK flag. Someone could be sending packets with your server's IP as his fake IP
-A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# Drop NEW TCP packets w/o SYN flag
-A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Drop empty UDP packets (lengths 0 to 28)
-A IPSPF -p udp -m length --length 0:28 -j DROP
# Limit incoming NEW TCP connections to 10/sec for each IP (configurable)
-A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
-A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
-A IPSPF -j RETURN
# Change to ACCEPT if FTP server:
-A DPTS -p tcp --dport 21 -j DROP
# Remember to change your SSH port first!
# If you use port 22, change this to ACCEPT!
-A DPTS -p tcp --dport 22 -j RLMSET
-A DPTS -p tcp --dport 23 -j RLMSET
# Change to ACCEPT if MAIL server:
-A DPTS -p tcp --dport 25 -j RLMSET
# Note: Port 80 and/or 443 are needed to access the FreePBX GUI.
# For security, do NOT open them here. Use SSH port forwarding instead.
-A DPTS -p tcp --dport 80 -j DROP
-A DPTS -p tcp --dport 443 -j DROP
-A DPTS -p tcp --dport 1433 -j RLMSET
-A DPTS -p tcp --dport 3128 -j RLMSET
# Change to ACCEPT if Internet-facing MySQL server:
-A DPTS -p tcp --dport 3306 -j RLMSET
-A DPTS -p tcp --dport 3389 -j RLMSET
-A DPTS -p tcp --dport 4899 -j RLMSET
-A DPTS -p tcp --dport 5900 -j RLMSET
-A DPTS -j RETURN
-A RLMSET -m recent --set --name RLM -j DROP
-A ASIP -p tcp --dport 5060:5082 -j ACCEPT
-A ASIP -p udp --dport 5060:5082 -m recent --update --name MYSIP -j ACCEPT
-A ASIP -p udp --dport 5060:5082 -j DROP
-A ASIP -p udp --dport 10000:20000 -j ACCEPT
-A ASIP -j RETURN
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BADSIP - [0:0]
:TCPSIP - [0:0]
:UDPSIP - [0:0]
:NEWSIP - [0:0]
# IMPORTANT: Replace "YOUR_HOSTNAME.no-ip.com" with the dynamic IP hostname you have set up!
-A PREROUTING -i eth+ -m recent --update --name MYSIP -j ACCEPT
-A PREROUTING -i eth+ -p tcp --dport 5060:5082 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --icase -j NEWSIP
-A PREROUTING -i eth+ -p udp --dport 5060:5082 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --to 1500 --icase -j NEWSIP
-A PREROUTING -i eth+ -m recent --update --name BADSIP -j DROP
-A PREROUTING -i eth+ -p tcp --dport 5060:5082 -j TCPSIP
-A PREROUTING -i eth+ -p udp --dport 5060:5082 -j UDPSIP
-A TCPSIP -m string --string "sundayddr" --algo bm -j BADSIP
-A TCPSIP -m string --string "sipsak" --algo bm -j BADSIP
-A TCPSIP -m string --string "sipvicious" --algo bm --icase -j BADSIP
-A TCPSIP -m string --string "friendly-scanner" --algo bm -j BADSIP
-A TCPSIP -m string --string "iWar" --algo bm -j BADSIP
-A TCPSIP -m string --string "sip-scan" --algo bm -j BADSIP
-A TCPSIP -m string --string "sipcli" --algo bm -j BADSIP
-A TCPSIP -m string --string "eyeBeam" --algo bm -j BADSIP
-A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm -j BADSIP
-A TCPSIP -m string --string "sip:nm@nm" --algo bm -j BADSIP
-A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm -j BADSIP
-A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipvicious" --algo bm --icase --to 1500 -j BADSIP
-A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
-A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
-A BADSIP -m recent --set --name BADSIP -j DROP
-A NEWSIP -m recent --set --name MYSIP -j ACCEPT
COMMIT
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]
	:ICMPALL - [0:0]
	:IPSPF - [0:0]
	:ASIP - [0:0]
	:DPTS - [0:0]
	:RLMSET - [0:0]
	-A INPUT -p tcp --dport 5060:5082 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP -j DROP
	-A INPUT -m conntrack --ctstate INVALID -j DROP
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A INPUT -m recent --update --name RLM --seconds 600 --hitcount 1 -j DROP
	-A INPUT -p icmp --icmp-type 255 -j ICMPALL
	# Allow DHCP traffic
	-A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
	-A INPUT -i eth+ -j IPSPF
	# Replace YOUR_SSH_PORT with your server's SSH port!
	-A INPUT -p tcp --dport YOUR_SSH_PORT -j ACCEPT
	-A INPUT -j ASIP
	-A INPUT -j DPTS
	-A INPUT -m limit --limit 10/min -j LOG
	-A INPUT -j DROP
	-A ICMPALL -p icmp --fragment -j DROP
	-A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
	-A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
	-A ICMPALL -p icmp -j DROP
	# Drop packets FROM bogon IPv4 addresses
	# Delete the line below if your server uses this range:
	-A IPSPF -s 10.0.0.0/8 -j DROP
	# Same as above
	-A IPSPF -s 172.16.0.0/12 -j DROP
	# Save as above
	-A IPSPF -s 192.168.0.0/16 -j DROP
	-A IPSPF -s 0.0.0.0/8 -j DROP
	-A IPSPF -s 100.64.0.0/10 -j DROP
	-A IPSPF -s 127.0.0.0/8 -j DROP
	-A IPSPF -s 169.254.0.0/16 -j DROP
	-A IPSPF -s 192.0.0.0/24 -j DROP
	-A IPSPF -s 192.0.2.0/24 -j DROP
	-A IPSPF -s 198.18.0.0/15 -j DROP
	-A IPSPF -s 198.51.100.0/24 -j DROP
	-A IPSPF -s 203.0.113.0/24 -j DROP
	-A IPSPF -s 224.0.0.0/4 -j DROP
	-A IPSPF -s 240.0.0.0/4 -j DROP
	-A IPSPF -s 255.255.255.255 -j DROP
	# Drop packets TO broadcast/multicast/loopback IPs
	-A IPSPF -d 0.0.0.0/8 -j DROP
	-A IPSPF -d 127.0.0.0/8 -j DROP
	-A IPSPF -d 224.0.0.0/4 -j DROP
	-A IPSPF -d 255.255.255.255 -j DROP
	# These are some bad TCP flags used in attacks:
	-A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
	-A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
	-A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
	-A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
	-A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
	-A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
	-A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
	# Reject NEW TCP packets w/ ACK flag. Someone could be sending packets with your server's IP as his fake IP
	-A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
	# Drop NEW TCP packets w/o SYN flag
	-A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
	# Drop empty UDP packets (lengths 0 to 28)
	-A IPSPF -p udp -m length --length 0:28 -j DROP
	# Limit incoming NEW TCP connections to 10/sec for each IP (configurable)
	-A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
	-A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
	-A IPSPF -j RETURN
	# Change to ACCEPT if FTP server:
	-A DPTS -p tcp --dport 21 -j DROP
	# Remember to change your SSH port first!
	# If you use port 22, change this to ACCEPT!
	-A DPTS -p tcp --dport 22 -j RLMSET
	-A DPTS -p tcp --dport 23 -j RLMSET
	# Change to ACCEPT if MAIL server:
	-A DPTS -p tcp --dport 25 -j RLMSET
	# Note: Port 80 and/or 443 are needed to access the FreePBX GUI.
	# For security, do NOT open them here. Use SSH port forwarding instead.
	-A DPTS -p tcp --dport 80 -j DROP
	-A DPTS -p tcp --dport 443 -j DROP
	-A DPTS -p tcp --dport 1433 -j RLMSET
	-A DPTS -p tcp --dport 3128 -j RLMSET
	# Change to ACCEPT if Internet-facing MySQL server:
	-A DPTS -p tcp --dport 3306 -j RLMSET
	-A DPTS -p tcp --dport 3389 -j RLMSET
	-A DPTS -p tcp --dport 4899 -j RLMSET
	-A DPTS -p tcp --dport 5900 -j RLMSET
	-A DPTS -j RETURN
	-A RLMSET -m recent --set --name RLM -j DROP
	-A ASIP -p tcp --dport 5060:5082 -j ACCEPT
	-A ASIP -p udp --dport 5060:5082 -m recent --update --name MYSIP -j ACCEPT
	-A ASIP -p udp --dport 5060:5082 -j DROP
	-A ASIP -p udp --dport 10000:20000 -j ACCEPT
	-A ASIP -j RETURN
	COMMIT
	*raw
	:PREROUTING ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:BADSIP - [0:0]
	:TCPSIP - [0:0]
	:UDPSIP - [0:0]
	:NEWSIP - [0:0]
	# IMPORTANT: Replace "YOUR_HOSTNAME.no-ip.com" with the dynamic IP hostname you have set up!
	-A PREROUTING -i eth+ -m recent --update --name MYSIP -j ACCEPT
	-A PREROUTING -i eth+ -p tcp --dport 5060:5082 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --icase -j NEWSIP
	-A PREROUTING -i eth+ -p udp --dport 5060:5082 -m string --string "sip:YOUR_HOSTNAME.no-ip.com" --algo bm --to 1500 --icase -j NEWSIP
	-A PREROUTING -i eth+ -m recent --update --name BADSIP -j DROP
	-A PREROUTING -i eth+ -p tcp --dport 5060:5082 -j TCPSIP
	-A PREROUTING -i eth+ -p udp --dport 5060:5082 -j UDPSIP
	-A TCPSIP -m string --string "sundayddr" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sipsak" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sipvicious" --algo bm --icase -j BADSIP
	-A TCPSIP -m string --string "friendly-scanner" --algo bm -j BADSIP
	-A TCPSIP -m string --string "iWar" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sip-scan" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sipcli" --algo bm -j BADSIP
	-A TCPSIP -m string --string "eyeBeam" --algo bm -j BADSIP
	-A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sip:nm@nm" --algo bm -j BADSIP
	-A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm -j BADSIP
	-A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sipvicious" --algo bm --icase --to 1500 -j BADSIP
	-A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
	-A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
	-A BADSIP -m recent --set --name BADSIP -j DROP
	-A NEWSIP -m recent --set --name MYSIP -j ACCEPT
	COMMIT