Restricting access to specific ports - Whitelist ?

[TomT]

Firmware:376.45(Merlin build)
ASUS AC68U

Hi

I have port 5060 open on my network for SIP traffic. This works well, but I've noticed an increase in attempted connections from random IP Addresses.

Is there anyway I can build a white list of addresses that can connect to port 5060 & other addresses that can connect to port 5061 ?
But block all other attempts ?

Thanks.

 

[TomT]

Can "Network Services Filter" be used to do this ?

or is this for outbound LAN Traffic only ?

 

[dumping99]

http://www.snbforums.com/threads/whitelist-filtering-with-port-forwards.22086/

similar, but not exactly what you are trying to do.

 

[TomT]

Thanks
on my router I have nothing in jffs/scripts.

Do I just create a nat-start file ? does this need any specific ownership or permissions ?

 

[faria]

Thanks
on my router I have nothing in jffs/scripts.

Do I just create a nat-start file ? does this need any specific ownership or permissions ?

Yes and yes,
use this command to st the corredt permissions to jffs/scripts contents via terminal.
chmod a+rx /jffs/scripts/*

 

[TomT]

Hi.
I'm looking at this again.

I want to allow 5060 from a couple of selected IP Addresses and control where it routes to via the routers GUI Virtual Server / Port Forwarding.
Is that possible, or will it have to be done via the command line once I start doing this ?

Would an entries like this work in the nat-start script with forwarding controlled via the gui ?

iptables -A INPUT -p tcp --dport 5060 -s 91.146.132.123 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -s sipgate.co.uk -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -s 88.215.63.211 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -j DROP

Thanks

 

[RMerlin]

Hi.
I'm looking at this again.

I want to allow 5060 from a couple of selected IP Addresses and control where it routes to via the routers GUI Virtual Server / Port Forwarding.
Is that possible, or will it have to be done via the command line once I start doing this ?

Would an entries like this work in the nat-start script with forwarding controlled via the gui ?

iptables -A INPUT -p tcp --dport 5060 -s 91.146.132.123 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -s sipgate.co.uk -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -s 88.215.63.211 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060 -j DROP

Thanks

The rules must go in the FORWARD chain, not the INPUT chain.

 

[TomT]

Thanks, is that as simple as changing the rules to:
iptables -A FORWARD -p tcp --dport 5060 -s 91.146.132.123 -j ACCEPT

Should I still be able to use the GUI to manage the internal forwarding ?
Thanks

 

[RMerlin]

Thanks, is that as simple as changing the rules to:
iptables -A FORWARD -p tcp --dport 5060 -s 91.146.132.123 -j ACCEPT

Should I still be able to use the GUI to manage the internal forwarding ?
Thanks

You will need to insert them at the top rather than append them at the end, because by the time it reaches the end of the chain, the packet would have already been accepted.

 

[TomT]

I've created a nat-start in /jffs/scripts which contains the following:

iptables -A FORWARD -p tcp -m string --string voice --algo bm --dport 5068 -j ACCEPT
iptables -A FORWARD -p tcp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -A FORWARD -p tcp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -A FORWARD -p tcp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -A FORWARD -p tcp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -A FORWARD -p tcp --dport 5068 -j DROP
iptables -A FORWARD -p tcp --dport 5060 -j DROP

rebooted the router and it's not been loaded.
Running iptables -L doesn't show these rules.

If I run it manually using ./nat-start then run iptables -L, I see the rules.

I have run chmod a+rx /jffs/scripts/*

ls -lash shows in /jffs/scripts shows:
0 drwxr-xr-x 2 admin root 0 Dec 16 14:32 .
0 drwxr-xr-x 6 admin root 0 Dec 16 17:50 ..
0 -rwxrwxrwx 1 admin root 495 Dec 16 14:38 nat-start

I still have the forwarding configured in the router GUI.

Any idea why its not loading ?

Thanks

 

[TomT]

Also - I've just managed to telnet from a remote site to my public IP on port 5060.
So even though iptables is showing the rules, they don't seem to be working.

this is what iptables -L shows the the FORWARD.

Chain FORWARD (policy DROP)
target prot opt source destination
ipttolan all -- anywhere anywhere
iptfromlan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere STRING match "voice" ALGO name bm TO 65535 tcp dpt:5068
ACCEPT tcp -- anywhere anywhere STRING match "sipgate" ALGO name bm TO 65535 tcp dpt:5068
ACCEPT tcp -- anywhere anywhere STRING match "sipgate" ALGO name bm TO 65535 tcp dpt:5060
ACCEPT tcp -- 88.215.134.231 anywhere tcp dpt:5060
ACCEPT tcp -- 61.243.142.120 anywhere tcp dpt:5060
DROP tcp -- anywhere anywhere tcp dpt:5068
DROP tcp -- anywhere anywhere tcp dpt:5060

Thanks

 

[ASAT]

Try this way instead. The rules will be inserted at the top in reverse order.

iptables -I FORWARD -p tcp --dport 5060 -j DROP
iptables -I FORWARD -p tcp --dport 5068 -j DROP
iptables -I FORWARD -p tcp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string voice --algo bm --dport 5068 -j ACCEPT

 

[TomT]

Thanks I'll try this in the morning and reboot the router.

 

[TomT]

Hi ASAT,
The new rules seem to be working, but only when I manually run ./nat-start in /jffs/scripts/
How do I get that to run automatically on boot ?

I have "Enable JFFS custom scripts and configs" enabled and I've run chmod a+rx /jffs/scripts/*
Any ideas ?


Thanks

 

[TomT]

Just realised I hadn't added

#!/bin/sh

to the top of the script..

I'll reboot later and see if that fixes it

 

[ASAT]

The new rules seem to be working, but only when I manually run.

It also works if you put the rules in "firewall-start" script. However, if you switch to Repeater mode, then I can't remember which one doesn't run.

 

[Etz]

It also works if you put the rules in "firewall-start" script. However, if you switch to Repeater mode, then I can't remember which one doesn't run.

Most likely nat-start, as repeater is basically bridge.

 

[TomT]

Hi

This doesn't seem to be working correctly.
This is what my FORWARD chain looks like:

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere STRING match "voice" ALGO name bm TO 65535 tcp dpt:5068
ACCEPT tcp -- anywhere anywhere STRING match "sipgate" ALGO name bm TO 65535 tcp dpt:5068
ACCEPT tcp -- anywhere anywhere STRING match "sipgate" ALGO name bm TO 65535 tcp dpt:5060
ACCEPT tcp -- 88.215.134.231 anywhere tcp dpt:5060
ACCEPT tcp -- 61.243.142.120 anywhere tcp dpt:5060
DROP tcp -- anywhere anywhere tcp dpt:5068
DROP tcp -- anywhere anywhere tcp dpt:5060
ipttolan all -- anywhere anywhere
iptfromlan all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere


Yet I'm getting lots of sipvicious probes from IP Address that I wouldn't have expected.
eg: 69.64.61.194, 62.210.112.42, 199.48.164.27

How are these getting past the iptables rules ?
Any idea how I can secure this ?

Thanks

 

[TomT]

Just realised the sipvicious attempts are UDP, I've duplicated the rules to do tcp and UDP

 

[TomT]

OK - I'm still having issues.
This is what I've currently got setup

iptables -I FORWARD -p udp --dport 5060 -j DROP
iptables -I FORWARD -p udp --dport 5068 -j DROP
iptables -I FORWARD -p udp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -I FORWARD -p udp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -I FORWARD -p udp -m string --string voice --algo bm --dport 5068 -j ACCEPT

iptables -I FORWARD -p tcp --dport 5060 -j DROP
iptables -I FORWARD -p tcp --dport 5068 -j DROP
iptables -I FORWARD -p tcp -s 61.243.142.120 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -s 88.215.134.231 --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5060 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string sipgate --algo bm --dport 5068 -j ACCEPT
iptables -I FORWARD -p tcp -m string --string voice --algo bm --dport 5068 -j ACCEPT

I'm finding this is blocking ALL UDP/TCP for 5060 & 5068 including the entries specified to be allowed.
Why ?

If I remove the:

iptables -I FORWARD -p udp --dport 5060 -j DROP

Then all my SIP trunks work, but I'm open to anything again..
Any ideas how to block everything on port 5060 & 5068 except the entries I've listed ?

Thanks