What is the best way to configure iptables for incoming SIP registrations from remote extensions?
I’m interested in configurations using two-factor authentication.
When I say remote extension I’m referring to an extension behind a unique public address / NAT device.
For example, a SIP client application for Android installed on a Verizon phone, which has a constantly changing public address as it wirelessly associates to different towers.
In my topology, an Asterisk server sits behind another Linux firewall box with a public interface and an internal network interface (RFC 1918 non-routable network 10.0.23.0/24).
The topology looks like this:
Internet --> cable modem --> Linux server public interface (DHCP) --> internal interface --> non-managed switch on 10.0.23.0/24 network --> Asterisk server at 10.0.23.10
As of now, the Linux firewall is doing DNATs of external connections to the internal host. This works fine as long as the public interface that the remote client is behind doesn’t change IPs, or I use something like a dynamic DNS host record with a low TTL value.
I’m looking for a better way to do it.
I don’t want to just open UDP 5060 to the world because of DDoS, bots trying to brute-force authentication, etc.
Googling turns up several pages that talk about rate limiting incoming SIP registrations, invites and requests. The accepted norm seems to be: open SIP to the world, and then do things like rate limiting. What is the best practice here? I only have a small number of remote extensions that need to register with Asterisk.
Is there a good way to only allow these connections?
For example here are some of the pages I have found:
http://www.voip-info.org/wiki/view/Asterisk+firewall+rules
http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation
My first idea was to use Shorewall to set up iptables / netfilter with string matching to match on the User-Agent string in the packet, but Shorewall doesn’t seem to support this in the rules file and needs patch-o-matic-ng extension scripts to use it. It also seems to be frowned upon because, according to the documentation, “the application level data stream can be split across packets in arbitrary ways”, which could cause the string match to fail on packet fragmentation and leaves it vulnerable to a half-open attack.
Despite the warnings, I tested the following and other similar rules to see if I could get it to work, but it doesn’t seem to.
iptables -t nat -I net_dnat 10 -p udp -m udp --dport 5161 -m string --to 663 --string 'CSimSimple' --algo bm -j DNAT --to-destination 10.0.23.10:5060
Is there a better way to allow SIP registrations based on something other than the truly dynamic IP address of the remote extension?
Thank you in advance for any advice.
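As an added example (not from the original post or the pages it links), the direction the post is reaching for can be done without string matching: resolve each extension's low-TTL dynamic DNS name from cron, DNAT UDP/5060 to the PBX only from those addresses, and rate-limit SIP toward the PBX per source so a compromised allowed network cannot brute-force freely. Assumed names: the public interface eth0, the chain name SIP_REMOTE, the DDNS hostnames, and the IPT variable, which defaults to echo so the script prints the rules it would apply (dry run).

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the netfilter rules on
# the firewall box in front of the Asterisk host (10.0.23.10 from the post).
# IPT defaults to "echo iptables" (dry run); run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
ASTERISK="${ASTERISK:-10.0.23.10}"   # PBX address from the post
WAN_IF="${WAN_IF:-eth0}"             # assumed public interface name
CHAIN="${CHAIN:-SIP_REMOTE}"         # assumed chain name

# Resolve a dynamic DNS hostname to its current IPv4 address(es), one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Emit the rule set for the given allowed public source addresses. The chain
# is flushed and rebuilt each run so a DDNS change is picked up by re-running.
sip_rules() {
    $IPT -t nat -N "$CHAIN" 2>/dev/null
    $IPT -t nat -F "$CHAIN"
    for src in "$@"; do
        # Only known remote extensions are forwarded to the PBX at all.
        $IPT -t nat -A "$CHAIN" -s "$src" -p udp --dport 5060 \
            -j DNAT --to-destination "$ASTERISK:5060"
    done
    # Hook the chain into PREROUTING for SIP arriving on the public interface;
    # anything not matched in the chain is never DNATed, so it hits the
    # firewall's own INPUT policy instead of the PBX.
    $IPT -t nat -I PREROUTING -i "$WAN_IF" -p udp --dport 5060 -j "$CHAIN"
    # Per-source rate limit on forwarded SIP: above 5 packets/s (burst 10) a
    # source is dropped, which blunts registration brute force from an
    # allowed-but-compromised network without affecting normal phones.
    $IPT -I FORWARD -i "$WAN_IF" -d "$ASTERISK" -p udp --dport 5060 \
        -m hashlimit --hashlimit-name sip_reg --hashlimit-mode srcip \
        --hashlimit-above 5/sec --hashlimit-burst 10 -j DROP
}

# Resolve every DDNS name given on the command line and rebuild the rules.
# Cron usage (assumed names): IPT=iptables ./sip_rules.sh ext1.ddns.example
refresh_from_ddns() {
    allowed=""
    for host in "$@"; do
        allowed="$allowed $(resolve_ipv4 "$host")"
    done
    # shellcheck disable=SC2086  # word splitting of the address list is intended
    sip_rules $allowed
}

if [ $# -gt 0 ]; then refresh_from_ddns "$@"; fi
```

The cron interval should be no longer than the DDNS record's TTL, otherwise a phone that changes address is locked out until the next refresh.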