How to configure firewall IPTABLES on Vicidial on cloud


If you host Vicidial in the cloud, the server is exposed to a constant stream of rogue SIP registration attempts and fraudulent calls placed through any account an attacker manages to register.

So it is better to block everything by default and only allow your own IPs and the RTP port range. This needs to be done very carefully, otherwise you will lock yourself out of the server.

Here I am giving a step-by-step example, and I hope someone can come up with some good additions to secure it further.

Access your server over SSH and run the following commands as root. Keep a second SSH session open while you do this, and do not close it until iptables -L INPUT -n -v --line-numbers shows the port 22 rule for your own address in place.

# Reset the policies to ACCEPT first: if INPUT is already DROP, flushing
# the rules would cut off this SSH session
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
# Delete user-defined chains so "iptables -N SIP" does not fail on a second run
iptables -X
iptables -N SIP
# Loopback and already established/related traffic (this SSH session included)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from your own admin addresses (X.X.X.X and 8.8.8.8 are placeholders)
iptables -A INPUT -s X.X.X.X -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 8.8.8.8/32 -p tcp --dport 22 -j ACCEPT
# SIP signalling: only sources listed in the SIP chain get through, everything else is dropped
iptables -A INPUT -p udp --dport 5060 -j SIP
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p udp --dport 5061 -j SIP
iptables -A INPUT -p udp --dport 5061 -j DROP
# RTP media; the range must match rtp.conf on the Asterisk box
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
# Web interface on the public interface; ens192 is the interface name on this
# server, check yours with "ip link"
iptables -I INPUT 1 -i ens192 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -i ens192 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# SIP whitelist: your carrier and agent addresses
iptables -A SIP -s X.X.X.X/32 -j ACCEPT
# Default deny, set last so the allow rules are already in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Persist across reboots (on CentOS 7 this needs the iptables-services package)
/sbin/service iptables save


Note:- replace X.X.X.X with the addresses you want to allow: your own admin IP on the port 22 rules, and the SIP carrier and agent IPs in the SIP chain. 8.8.8.8 is only a placeholder for a second admin address; do not leave it in.

Please do this very carefully, because you can lock yourself out by mistake. I take no responsibility for any issue caused by using the above iptables rules; I am only giving an idea and looking for input. Also remember that the cloud provider's own security group or firewall sits in front of this and must allow the same ports.
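As an added example, not the post's own commands, the same rule set generated by a small bash script: run with no arguments it only prints the commands for review, and it applies them only with --apply. It keeps the two safeguards a raw command list is easy to forget, resetting the policies to ACCEPT before the flush so an existing DROP policy cannot cut the SSH session, and refusing to apply with an empty SSH or SIP whitelist. The interface name ens192, the RTP range, the script name and every IP address below are assumptions or constructed placeholders.

```shell
#!/bin/bash
# Added example, not code from the original post: generate the Vicidial
# firewall rule set from a few variables so it can be reviewed before it is
# applied as root. Interface name, port range and every IP address below are
# assumptions / constructed placeholders; set them for your own server.
set -u

WAN_IF="${WAN_IF:-ens192}"                  # assumption: public interface name
RTP_PORTS="${RTP_PORTS:-10000:20000}"       # must match rtp.conf on the Asterisk box
# SIP whitelist: carrier plus agent addresses (constructed placeholders)
SIP_PEERS="${SIP_PEERS:-198.51.100.5/32 203.0.113.10/32}"
# Admin SSH source: default to the address you are connected from right now
# (sshd exports it in SSH_CLIENT), so the rule set cannot lock out this session.
ssh_from="${SSH_CLIENT:-}"; ssh_from="${ssh_from%% *}"
ADMIN_IPS="${ADMIN_IPS:-${ssh_from:-203.0.113.10/32}}"

# Print the rules in an order that is safe to apply over SSH: policies back to
# ACCEPT before the flush, loopback and conntrack first, SSH from admin IPs,
# SIP only through the SIP chain, and the DROP policy last.
build_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -N SIP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for ip in $ADMIN_IPS; do
        echo "iptables -A INPUT -s $ip -p tcp --dport 22 -j ACCEPT"
    done
    cat <<EOF
iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 5060,5061 -j SIP
iptables -A INPUT -p udp -m multiport --dports 5060,5061 -j DROP
iptables -A INPUT -p udp --dport $RTP_PORTS -j ACCEPT
EOF
    # The whitelist lives in its own chain so agents can be added later with -A SIP
    for ip in $SIP_PEERS; do
        echo "iptables -A SIP -s $ip -j ACCEPT"
    done
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Number of ACCEPT entries in the SIP chain; an empty whitelist would silently
# block the carrier, so apply_rules refuses to run with zero.
sip_whitelist_count() {
    build_rules | grep -c '^iptables -A SIP -s .* -j ACCEPT$'
}

# Apply for real (root). Persisting needs the iptables-services package on CentOS 7.
apply_rules() {
    [ -n "$ADMIN_IPS" ] || { echo "ADMIN_IPS is empty, refusing to lock you out" >&2; return 1; }
    [ "$(sip_whitelist_count)" -gt 0 ] || { echo "SIP_PEERS is empty" >&2; return 1; }
    build_rules | sh -e
    service iptables save
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;   # dry run: only print the commands
esac
```

Run it once without arguments and read the output, then run it with --apply from a session whose source address is in ADMIN_IPS, keeping a second SSH session open until iptables -L INPUT -n -v shows the port 22 rule for your address.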

Below is the iptables-save output from the server where I used these rules:

# Generated by iptables-save v1.4.21 on Tue Jul  6 08:10:08 2021
*nat
:PREROUTING ACCEPT [5641:1856947]
:INPUT ACCEPT [875:315565]
:OUTPUT ACCEPT [1795:125331]
:POSTROUTING ACCEPT [1795:125331]
COMMIT
# Completed on Tue Jul  6 08:10:08 2021
# Generated by iptables-save v1.4.21 on Tue Jul  6 08:10:08 2021
*mangle
:PREROUTING ACCEPT [187638:67356467]
:INPUT ACCEPT [187624:67353261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [181954:73026567]
:POSTROUTING ACCEPT [181954:73026567]
COMMIT
# Completed on Tue Jul  6 08:10:08 2021
# Generated by iptables-save v1.4.21 on Tue Jul  6 08:10:08 2021
*filter
:INPUT DROP [981:280388]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14329:2109716]
:SIP - [0:0]
-A INPUT -i ens192 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ens192 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 101.101.101.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j SIP
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -p udp -m udp --dport 5061 -j SIP
-A INPUT -p udp -m udp --dport 5061 -j DROP
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A SIP -s 101.101.101.101/32 -j ACCEPT
COMMIT
# Completed on Tue Jul  6 08:10:08 2021


Now you can allow your agents with the command below. The rule goes into the SIP chain, which INPUT jumps to before the DROP rules on 5060/5061, so appending with -A is enough:

iptables -A SIP -s <agent IP> -j ACCEPT

For example, if the agent machine's public IP is 4.4.4.4, the command is:

iptables -A SIP -s 4.4.4.4 -j ACCEPT

Rules added this way only change the running rule set, so run /sbin/service iptables save again afterwards or they are lost at the next reboot. Agents on a dynamic IP have to be re-added whenever their address changes.
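As an added example, not from the original post, a small wrapper around that command: it rejects anything that is not a dotted-quad IPv4 address (so a pasted string cannot become an unexpected rule), uses iptables -C so running it twice for the same agent does not pile up duplicate entries, and saves the rule set afterwards. Only the chain name SIP comes from the post; the script name and the DRY_RUN variable are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: add one agent's public IP
# to the SIP chain safely. It validates the address, skips rules that already
# exist (iptables -C), and persists the change, which a bare -A does not do.
# The chain name SIP comes from the post; everything else is an assumption.
set -u

# Return 0 for a well-formed dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The exact rule that will be appended; printed so it can be checked or logged.
agent_rule() {
    printf 'iptables -A SIP -s %s/32 -j ACCEPT\n' "$1"
}

# allow_agent <ip>: validate, add if missing, save. DRY_RUN=1 prints instead of applying.
allow_agent() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "refusing: '$ip' is not a valid IPv4 address" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        agent_rule "$ip"
        return 0
    fi
    # -C exits 0 when an identical rule is already present, so re-running is harmless
    if iptables -C SIP -s "$ip/32" -j ACCEPT 2>/dev/null; then
        echo "already allowed: $ip"
        return 0
    fi
    iptables -A SIP -s "$ip/32" -j ACCEPT || return 1
    # -A only changes the running rule set; without this the agent is gone after a reboot
    service iptables save
}

if [ $# -gt 0 ]; then
    allow_agent "$1"
fi
```

Usage is ./allow-agent.sh 4.4.4.4 as root; DRY_RUN=1 ./allow-agent.sh 4.4.4.4 only prints the rule it would add.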

