On 27.07.2010 08:42, Motiejus Jakštys wrote:
> If all you need is to block the SIP traffic from external sources, you
> may do the following:
> # iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
> # iptables -A INPUT -p udp --dport 5060 -j DROP
>
> # iptables-save > /etc/iptables.up.rules
> and somewhere in init scripts (depending on your lsb release):
> # iptables-restore < /etc/iptables.up.rules
>
> fail2ban is more suitable if you have an external environment (plus it's
> more complicated than just these 2 rules).
>
Hello Motiejus, Hello Nick!

Thanks for your answers. My OP was definitely not meant as a request for help. I just wanted to start some small discussion. The point is that a) I don't know fail2ban, and b) I think that the small box which runs my asterisk wouldn't take another additional application (like fail2ban).

@Motiejus: Thanks for your rules! Since it seems that you are an iptables expert, may I ask you: I want to restrict SIP traffic to my internal network AND to a special address range (addresses of my voip provider) from the external network.

iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -m iprange --src-range [FROM_IP]-[TO_IP] -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP

Would that do the trick? But that would keep out any calls via the ENUM mechanism too. Am I right?

Norbert
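Added example, not part of the original thread: a small first-match model of the three INPUT rules from the message above, showing which rule decides the fate of a few constructed packets. The provider range 203.0.113.10-203.0.113.20 stands in for the [FROM_IP]-[TO_IP] placeholder, the other addresses are constructed, and a default chain policy of ACCEPT is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IP = ipaddress.ip_address

@dataclass
class Rule:
    target: str
    src_net: Optional[str] = None                 # -s CIDR
    src_range: Optional[Tuple[str, str]] = None   # -m iprange --src-range A-B
    proto: Optional[str] = None                   # -p
    dport: Optional[int] = None                   # --dport

    def matches(self, src: str, proto: str, dport: int) -> bool:
        addr = IP(src)
        if self.src_net and addr not in ipaddress.ip_network(self.src_net):
            return False
        if self.src_range and not IP(self.src_range[0]) <= addr <= IP(self.src_range[1]):
            return False
        if self.proto and proto != self.proto:
            return False
        return self.dport is None or dport == self.dport

# Constructed stand-in for the [FROM_IP]-[TO_IP] placeholder.
PROVIDER = ("203.0.113.10", "203.0.113.20")

INPUT_CHAIN = [
    Rule("ACCEPT", src_net="192.168.1.0/24", proto="udp", dport=5060),
    Rule("ACCEPT", src_range=PROVIDER),       # as posted: no -p / --dport
    Rule("DROP", proto="udp", dport=5060),
]

def verdict(src, proto, dport, chain=INPUT_CHAIN, policy="ACCEPT"):
    """Return (target, rule number); rule number 0 means the chain policy
    (assumed ACCEPT here) decided because no rule matched."""
    for number, rule in enumerate(chain, 1):
        if rule.matches(src, proto, dport):
            return rule.target, number
    return policy, 0

if __name__ == "__main__":
    samples = [  # constructed packets: (label, source, protocol, dest port)
        ("internal phone, SIP", "192.168.1.50", "udp", 5060),
        ("provider, SIP", "203.0.113.15", "udp", 5060),
        ("provider, SSH", "203.0.113.15", "tcp", 22),
        ("direct ENUM caller, SIP", "198.51.100.7", "udp", 5060),
    ]
    for label, src, proto, dport in samples:
        print(f"{label:26} -> {verdict(src, proto, dport)}")
```

The second rule matches every protocol and port from the provider range because it carries no -p udp --dport 5060, and a SIP packet from any address outside both ranges, which is where a direct ENUM call would come from, reaches the DROP rule.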