How to insert an IPTABLES command as first rules in firewall

Asterisk 13.22.0, FreePBX

I want to use ipset to block out countries that I don’t want access to my PBX.
First I setup ipset with a block of all IP addresses to block
I use the following rule:
-A INPUT -m set --match-set block src -j DROP
In the past I just added this to my iptables file.
Now there is a advanced feature for the firewall to add custom rules in /etc/firewall-4.rules. This works but it does not put it as the first rule.
If I do a iptables -L -n I get
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SIP all –
fpbxfirewall all –
DROP all – match-set block src

This allows evreything to be processed first. And fpbxfirewall does not have a RETURN at the end so it seems that my rule is not even acted on.

iptables uses -A to append, -I to insert rules, to insert as rule 1 to the INPUT chain then

iptables -I INPUT 1 . . .

IMO, blocking by country provides almost no protection, though it requires considerable administrative effort and might block a legitimate user, e.g he’s on vacation and trying to call in.

Know your enemy! I consider three ‘grades’ of attacks: Grade 1, the weakest but by far the most common, come from automated tools that probe every IPv4 address on the internet for vulnerabilities in SIP, HTTP, etc. Grade 2 attacks target your system specifically, e.g. a competitor trying to obtain your customer list or disrupt your operation, or a former customer or vendor seeking revenge for a perceived wrong. Grade 3, the strongest, come from someone with internal knowledge of your system, e.g. a disgruntled employee, former employee or contractor.

A home or very small business might only be concerned about grade 1. Simply hiding everything behind a ‘secret’ domain name will provide virtually complete protection, without significant inconveniences. The scanning bots never see any response on your SIP ports; HTTP(S) requests get only a dummy site. They don’t learn that you have a PBX. The number of authentication failures in your log is zero. Any that appear are almost certainly caused by misconfiguration of your equipment.

I’ve run a test system with only 6 iptables rules, not even fail2ban. After several months, there have been no unexpected authentication failures logged, see PBX Security . (Port 22 in the example should be replaced with a non-standard value.)

Of course, such a setup provides almost no protection against grade 2 (hard to keep the domain name secret) or 3 (attacker already knows it), so a firewall for a larger business needs additional restrictions such as IP address whitelists or certificate-based authentication. However, this should be on top of your grade 1 protection. The number of authentication failures from automated tools should still be zero (if Fail2Ban bans anything, something’s wrong).

Blocking requests from specific countries does not significantly help. The grade 1 attackers (from any country) are already effectively blocked. Grade 2 and 3 attackers are likely in your country. If not, they surely know what country you are in and will use a VPN to make the attack.

If grade 1 is your only concern, just set up a secret domain name and you can then spend your time improving the phone system in other ways or on other aspects of your business. If threatened by grade 2 or 3, design your defenses accordingly.

Interesting, I started to enter this message a year or so ago. Before doing so I figured it out. I posted another message today and I guess it was posted at the same time.

Thanks for the reply.

Glad you said IMO.
I’ve been running VoIP servers for over 20 years and been very successful protecting my servers.
Most maintenance is automated.
I also have my opinion.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.