
iptables para asterisk

Código simple para tener nuestro firewall local en un servidor con Asterisk. No lo hice yo, pero funciona de maravilla.

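#!/bin/bash
# Minimal host firewall for an Asterisk (SIP/RTP) server.
#
# Usage: run as root. Re-running is safe: existing filter rules are flushed
# before the new set is installed.
#
# Only IPv4 is configured here -- ip6tables is left untouched, so on a host
# with IPv6 connectivity the same policy must be applied with ip6tables too.

# Abort on use of an unset variable (e.g. a typo in EXIF below).
set -u

# External (public-facing) interface.
EXIF="eth0"
IPT=/sbin/iptables

# Remote hosts allowed to open any new TCP connection (management hosts).
TRUSTED_HOSTS=(
  100.101.5.182
  200.123.88.196
)

# Open the INPUT policy *before* flushing: if a previous run left the policy
# at DROP, flushing would cut every session (including the SSH session that
# is running this script) until the ESTABLISHED rule is re-added. The
# restrictive policy is set again as the very last step.
"$IPT" --policy INPUT ACCEPT
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --flush

# Loopback is fully trusted.
"$IPT" -A INPUT -i lo -j ACCEPT

# Traffic belonging to connections we already accepted or initiated, plus
# related traffic such as ICMP errors.
"$IPT" -A INPUT -i "$EXIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# A new TCP connection must start with SYN; anything else claiming to be NEW
# is scan noise or a syn-flood artefact.
"$IPT" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop fragments. NOTE: large SIP messages over UDP can exceed the MTU and
# arrive fragmented; if calls fail with truncated INVITEs, revisit this rule.
"$IPT" -A INPUT -f -j DROP

# Drop XMAS (all TCP flags set) and NULL (no TCP flags set) packets.
"$IPT" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
"$IPT" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SSH from anywhere. Add further service ports here as needed.
"$IPT" -A INPUT -p tcp -i "$EXIF" --dport 22 -m state --state NEW -j ACCEPT

# Any new TCP connection from the trusted hosts listed above.
for host in "${TRUSTED_HOSTS[@]}"; do
  "$IPT" -A INPUT -p tcp -i "$EXIF" -m state --state NEW -s "$host" -j ACCEPT
done

# SIP signalling (UDP and TCP 5060) and the RTP media range; the range must
# match what Asterisk is configured to use (rtpstart/rtpend in rtp.conf).
# Both are exposed to the whole Internet here; when the SIP peers are known,
# restrict these rules with -s as done for the trusted hosts.
"$IPT" -A INPUT -p udp -i "$EXIF" --dport 5060 -m udp -j ACCEPT
"$IPT" -A INPUT -p tcp -i "$EXIF" --dport 5060 -m tcp -j ACCEPT
"$IPT" -A INPUT -p udp -i "$EXIF" --dport 10000:20000 -m udp -j ACCEPT

# ICMP echo request, so the host answers ping.
"$IPT" -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Everything else: optionally log, then refuse. REJECT answers the sender
# (ICMP port-unreachable / TCP RST); use DROP instead for a silent refusal.
# Logging is noisy on an Internet-facing SIP host -- enable only while debugging.
#"$IPT" -A INPUT -j LOG
"$IPT" -A INPUT -j REJECT

# Finally, make the default policy restrictive.
"$IPT" --policy INPUT DROP
"$IPT" --policy OUTPUT ACCEPT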