----- "A J Stiles" <asterisk_l...@earthshod.co.uk> wrote:
> On Friday 02 Jul 2010, Ira wrote:
> > At 11:14 PM 7/1/2010, you wrote:
> > >Same activity from these IPs:
> > >174.129.137.135
> >
> > Given that my Asterisk box is used for nothing but Asterisk and I
> > know the small number of IPs that need to have access, is there an
> > easy way to use iptables to block everything but those 6 IPs and
> > provider addresses?
>
> Yes, dead easy! Just configure iptables to accept IAX traffic (TCP and UDP
> port 4569) only from trusted IP addresses, and drop it from anywhere else.
> Here I am assuming eth0 is the "outside" connection, and the permitted IP
> addresses are 10.11.12.13 and 10.11.12.14.
>
> # accept IAX traffic (port 4569) from 10.11.12.13
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.13/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # accept IAX traffic (port 4569) from 10.11.12.14
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p tcp -m tcp --dport 4569 -j ACCEPT
> iptables -A FORWARD -s 10.11.12.14/32 -i eth0 -p udp -m udp --dport 4569 -j ACCEPT
> # drop all other IAX traffic
> iptables -A FORWARD -i eth0 -p udp -m udp --dport 4569 -j DROP
> iptables -A FORWARD -i eth0 -p tcp -m tcp --dport 4569 -j DROP
>
> Obviously if the "permitted" connection addresses fall neatly into a block,
> you can use fewer rules :) If there are a few addresses in the block that
> shouldn't be permitted, put one or more DROP rules first for those addresses,
> then an ACCEPT rule for (the rest of) the block, then another DROP rule.
>
IAX is UDP only, not TCP.

Also, what if he's using SIP (UDP/5060) for connectivity to the outside world? He'll need rules for this, in addition to RTP media (typically UDP/10000-20000)...

--Tim
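
Added example, not part of either poster's message: a shell rule generator that combines the allowlist approach with the correction above (IAX2 over UDP only, plus SIP and RTP). It assumes the rules are loaded on the Asterisk host itself, so it is called with the INPUT chain; the names `gen_voip_rules` and `is_ipv4` are illustrative, and the peers are the placeholder addresses used in the thread.

```shell
#!/bin/sh
# Emit iptables commands that allow the VoIP ports only from trusted peers.
# Nothing is applied here: review the output, then run it as root.

# UDP ports named in the thread: IAX2 4569, SIP 5060, RTP 10000-20000.
VOIP_UDP_PORTS="4569 5060 10000:20000"

# Accept only a dotted-quad shape with an optional /prefix, so nothing
# else can end up inside a generated command line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_voip_rules CHAIN IFACE PEER...
# CHAIN is INPUT on the Asterisk host, FORWARD on a separate firewall.
gen_voip_rules() {
    chain=$1; iface=$2; shift 2
    # Validate every peer before printing anything.
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "bad address: $peer" >&2; return 1; }
    done
    for port in $VOIP_UDP_PORTS; do
        for peer in "$@"; do
            echo "iptables -A $chain -i $iface -s $peer -p udp --dport $port -j ACCEPT"
        done
        # Order matters: the DROP for a port follows all of its ACCEPTs.
        echo "iptables -A $chain -i $iface -p udp --dport $port -j DROP"
    done
}

# Constructed sample input: the two placeholder peers from the thread.
gen_voip_rules INPUT eth0 10.11.12.13 10.11.12.14
```

The SIP provider's signalling and media addresses have to be in the peer list as well, otherwise the DROP rules for 5060 and the RTP range cut off the trunk.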