IPTables MARK and NAT assistance needed


Post by tguarriello » 2013/09/22 16:30:40

I am trying to secure a SIP server by using NAT to translate a non-standard public port 9742 to 5060 while allowing some whitelisted public IPs to actually connect to 5060. Below is the iptables configuration that is giving me headaches. It should be noted that my SIP server can only listen on a single port - otherwise, this would be simple... If there is an easier way to do this, feel free to embarrass me!

Here is specifically what I am trying to make happen:
1) Tag incoming connections to 5060 before hitting the NAT table to distinguish between raw and translated packets
2) Translate port 9742 to 5060 in the NAT table
3) In the filter table, jump to the whitelist chain when a packet is tagged
4) Drop any tagged packets that are not from an accepted IP
5) Allow all remaining port 5060 traffic - which should only be the packets translated from 9742

Any of the following will allow a public connection, but will also create an undesirable condition:
1) Remove the line -A INPUT -m mark --mark 0x8 -j SIPUSER
2) Remove the mangle table
3) Either of the above, plus replace -A INPUT -p udp -m udp --dport 5060 -j ACCEPT with -A INPUT -p udp -m udp --dport 5060 -j SIPUSER

Items 1 and 2 allow all public connections to 5060, Item 3 allows connections ONLY from whitelisted IPs regardless of port used (5060 or 9742). The latter proves that this is not a problem with the SIPUSER chain. I have verified that the connection I am having trouble with is coming from an IP in the chain (64.2.142.96).

[code]
*mangle
# mangle PREROUTING runs before nat PREROUTING, so only packets that arrived
# on 5060 are marked; packets arriving on 9742 have not been rewritten yet
# and stay unmarked.
-A PREROUTING -p udp -m udp --dport 5060 -j MARK --set-mark 0x8
COMMIT
#
*nat
# Translate the public port 9742 to the server's single listener on 5060.
-A PREROUTING -p udp -m udp --dport 9742 -j REDIRECT --to-port 5060
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SIPUSER - [0:0]
#
# Marked packets (arrived on 5060 directly) must pass the whitelist chain.
-A INPUT -m mark --mark 0x8 -j SIPUSER
#
# Allow local LAN connections... (evaluated after the mark check above, so
# LAN traffic to 5060 also goes through SIPUSER first)
-A INPUT -s 192.168.12.0/24 -j ACCEPT
#
# Remaining 5060 traffic is unmarked, i.e. redirected from 9742; then RTP media.
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
#
# Users allowed to access standard SIP Port 5060...
-A SIPUSER -s 64.2.142.0/24 -j ACCEPT
-A SIPUSER -s 66.241.99.0/24 -j ACCEPT
-A SIPUSER -s 66.241.96.0/24 -j ACCEPT
-A SIPUSER -j DROP
COMMIT
[/code]
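
An alternative ruleset, added here as an example and not part of the post above: the same policy can be expressed without the mangle table by asking conntrack for the flow's original destination port (`-m conntrack --ctorigdstport`), which REDIRECT does not rewrite. It is still 9742 for flows that came in through the public port and 5060 for hosts that connected directly, so the filter table can tell the two apart without a packet mark. The port numbers and networks are the ones from the post; the `sip_ruleset` and `check_ruleset` function names are assumptions of this example. The script emits iptables-restore syntax so the result can be dry-run with `iptables-restore --test` before it is loaded.

```sh
#!/bin/sh
# Added example, not from the original post: the SIP policy without a
# packet mark.  Instead of tagging packets in the mangle table, the filter
# rules ask conntrack for the *original* destination port of the flow,
# which REDIRECT does not rewrite: 5060 for hosts that connected directly,
# 9742 for hosts that came in through the public port.
# Ports and networks are taken from the post; function names are assumed.

SIP_PORT=5060          # the only port the SIP server listens on
SIP_PUBLIC_PORT=9742   # non-standard public port, redirected to SIP_PORT
LAN_NET=192.168.12.0/24
RTP_RANGE=10000:20000

rule() { printf '%s\n' "$*"; }

# Print an iptables-restore ruleset; arguments are the networks allowed to
# reach port 5060 directly.
sip_ruleset() {
    rule '*nat'
    # Rewrite the public port to the real listener (REDIRECT is a DNAT to this host).
    rule "-A PREROUTING -p udp -m udp --dport $SIP_PUBLIC_PORT -j REDIRECT --to-ports $SIP_PORT"
    rule 'COMMIT'

    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':SIPUSER - [0:0]'
    # LAN first, so local phones may use 5060 without being whitelisted.
    rule "-A INPUT -s $LAN_NET -j ACCEPT"
    # Arrived on 5060 directly: original dport is still 5060 -> whitelist chain.
    rule "-A INPUT -p udp -m udp --dport $SIP_PORT -m conntrack --ctorigdstport $SIP_PORT -j SIPUSER"
    # Arrived on 9742 and was redirected: original dport is 9742 -> accept.
    rule "-A INPUT -p udp -m udp --dport $SIP_PORT -m conntrack --ctorigdstport $SIP_PUBLIC_PORT -j ACCEPT"
    # RTP media range.
    rule "-A INPUT -p udp -m udp --dport $RTP_RANGE -j ACCEPT"
    for net in "$@"; do
        rule "-A SIPUSER -s $net -j ACCEPT"
    done
    rule '-A SIPUSER -j DROP'
    rule 'COMMIT'
}

# Parse the ruleset without loading it (iptables-restore --test).  Needs
# root and the iptables tools; otherwise it says so and returns success.
check_ruleset() {
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        sip_ruleset "$@" | iptables-restore --test
    else
        echo 'not root or iptables-restore missing: skipping parse check' >&2
    fi
}

# Usage:
#   sip_ruleset 64.2.142.0/24 66.241.99.0/24 66.241.96.0/24 > sip-rules.txt
#   check_ruleset 64.2.142.0/24 66.241.99.0/24 66.241.96.0/24
#   iptables-restore < sip-rules.txt
```

Two caveats. First, the conntrack match only sees the original port because the nat table is loaded, which makes conntrack track every flow; that is already the case in the posted ruleset. Second, on a kernel or iptables whose conntrack match does not understand `--ctorigdstport`, the rule is rejected at load time, and the `--test` dry run reports that before anything is changed, in which case the mark-based approach from the post is the fallback.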
