Below is a bash script that rebuilds the host's iptables rules as an allow-list for the services running on it (SSH, HTTP/HTTPS, Homer, HEP capture, SIP, node exporter) and drops all other inbound traffic.
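#!/bin/bash
# Host firewall for a Homer / heplify-server SIP capture box.
#
# Flushes the IPv4 filter table and rebuilds it as an allow-list on INPUT:
# loopback, replies to connections this host initiated, SSH, HTTP, HTTPS,
# the Homer UI (9080), HEP capture (9060 TCP/UDP), SIP (5060 TCP/UDP,
# 5061 TLS) and the Prometheus node exporter (9100). Everything else
# inbound is dropped.
#
# Requires: sudo access to root and an iptables with the conntrack match.
# Side effects: the whole filter table is flushed before the rules are
# re-added, so running this on a remote box briefly removes all rules.
#
# NOTE(review): only iptables (IPv4) is programmed here. If the host also
# has a routable IPv6 address, nothing below applies to it and the same
# services stay reachable over ip6tables until an equivalent rule set is
# loaded there.
set -euo pipefail

# Run one iptables command as root.
# With set -e a failing insertion aborts the script instead of silently
# continuing and leaving a chain without its final DROP.
ipt() {
  sudo iptables "$@"
}

# Accept inbound TCP connections to $1 and the replies sent from it.
allow_tcp() {
  local port=$1
  ipt -A INPUT  -p tcp --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -p tcp --sport "$port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Accept inbound UDP datagrams to $1 and datagrams sent from it.
# UDP has no handshake, so these are unconditional (no conntrack state).
allow_udp() {
  local port=$1
  ipt -A INPUT  -p udp --dport "$port" -j ACCEPT
  ipt -A OUTPUT -p udp --sport "$port" -j ACCEPT
}

# Start from an empty filter table. -F only flushes the built-in chains'
# rules; chain policies and user-defined chains are left as they were.
ipt -F

# Drop packets conntrack cannot classify before any ACCEPT rule sees them.
# Placed first so that the unconditional UDP accepts below cannot let
# malformed datagrams through.
ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

# Local communication over the loopback interface.
ipt -A INPUT  -i lo -j ACCEPT
ipt -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened (DNS lookups, package updates,
# connections to a remote database, ...). Without this rule those replies
# reach the trailing DROP, because the per-port rules below only match
# traffic addressed *to* a listening service on this host.
ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# All of the following accept from ANY source address.
# TODO(review): add -s <CIDR> where the peer set is known, e.g. admin hosts
# for 22, the Prometheus scraper for 9100, the capture agents for 9060.
# SSH
allow_tcp 22
# HTTP
allow_tcp 80
# HTTPS
allow_tcp 443
# Homer web UI
allow_tcp 9080
# heplify-server (HEP capture)
allow_tcp 9060
allow_udp 9060
# SIP over TCP
allow_tcp 5060
# SIP over TLS
allow_tcp 5061
# SIP over UDP
allow_udp 5060
# Prometheus node exporter
allow_tcp 9100

# Drop all other inbound traffic. Kept as a trailing rule rather than
# `-P INPUT DROP` so that an aborted run leaves the host reachable rather
# than locked out; the OUTPUT chain is never given a DROP, so the OUTPUT
# rules above only take effect if its policy is set to DROP elsewhere.
ipt -A INPUT -j DROP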