How to insert an IPTABLES command as first rules in firewall

General Help
1

Asterisk 13.22.0, FreePBX 14.0.5.25

I want to use ipset to block out countries that I don’t want access to my PBX.
First I setup ipset with a block of all IP addresses to block
I use the following rule:
-A INPUT -m set --match-set block src -j DROP
In the past I just added this to my iptables file.
Now there is a advanced feature for the firewall to add custom rules in /etc/firewall-4.rules. This works but it does not put it as the first rule.
If I do a iptables -L -n I get
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
fpbxfirewall all – 0.0.0.0/0 0.0.0.0/0
DROP all – 0.0.0.0/0 0.0.0.0/0 match-set block src

This allows evreything to be processed first. And fpbxfirewall does not have a RETURN at the end so it seems that my rule is not even acted on.

2

iptables uses -A to append, -I to insert rules, to insert as rule 1 to the INPUT chain then

iptables -I INPUT 1 . . .

3

IMO, blocking by country provides almost no protection, though it requires considerable administrative effort and might block a legitimate user, e.g he’s on vacation and trying to call in.

Know your enemy! I consider three ‘grades’ of attacks: Grade 1, the weakest but by far the most common, come from automated tools that probe every IPv4 address on the internet for vulnerabilities in SIP, HTTP, etc. Grade 2 attacks target your system specifically, e.g. a competitor trying to obtain your customer list or disrupt your operation, or a former customer or vendor seeking revenge for a perceived wrong. Grade 3, the strongest, come from someone with internal knowledge of your system, e.g. a disgruntled employee, former employee or contractor.

A home or very small business might only be concerned about grade 1. Simply hiding everything behind a ‘secret’ domain name will provide virtually complete protection, without significant inconveniences. The scanning bots never see any response on your SIP ports; HTTP(S) requests get only a dummy site. They don’t learn that you have a PBX. The number of authentication failures in your log is zero. Any that appear are almost certainly caused by misconfiguration of your equipment.

I’ve run a test system with only 6 iptables rules, not even fail2ban. After several months, there have been no unexpected authentication failures logged, see PBX Security . (Port 22 in the example should be replaced with a non-standard value.)

Of course, such a setup provides almost no protection against grade 2 (hard to keep the domain name secret) or 3 (attacker already knows it), so a firewall for a larger business needs additional restrictions such as IP address whitelists or certificate-based authentication. However, this should be on top of your grade 1 protection. The number of authentication failures from automated tools should still be zero (if Fail2Ban bans anything, something’s wrong).

Blocking requests from specific countries does not significantly help. The grade 1 attackers (from any country) are already effectively blocked. Grade 2 and 3 attackers are likely in your country. If not, they surely know what country you are in and will use a VPN to make the attack.

If grade 1 is your only concern, just set up a secret domain name and you can then spend your time improving the phone system in other ways or on other aspects of your business. If threatened by grade 2 or 3, design your defenses accordingly.

4

Interesting, I started to enter this message a year or so ago. Before doing so I figured it out. I posted another message today and I guess it was posted at the same time.

Thanks for the reply.

5

Glad you said IMO.
I’ve been running VoIP servers for over 20 years and been very successful protecting my servers.
Most maintenance is automated.
I also have my opinion.

6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.