How to configure an iptables firewall for Vicidial in the cloud
If you are hosting Vicidial in the cloud, unauthorized SIP registration attacks and fraudulent calls are a big problem.
So it is better to block everything and allow only your own IPs and the RTP packets. This needs to be done very carefully, otherwise you will lock yourself out.
Here I am giving a step-by-step example, and I hope someone can come up with good additions to secure it further.
Access your server over SSH and run the following commands:
iptables -F
iptables -N SIP
# Local traffic and replies to connections the server itself opened
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from your own addresses (X.X.X.X and a second admin address)
iptables -A INPUT -s X.X.X.X -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 8.8.8.8/32 -p tcp --dport 22 -j ACCEPT
# SIP signalling: hand UDP 5060/5061 to the SIP chain, drop whatever it does not accept
iptables -A INPUT -p udp --dport 5060 -j SIP
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p udp --dport 5061 -j SIP
iptables -A INPUT -p udp --dport 5061 -j DROP
# RTP media has to stay open to any source
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT
# Web interface (agent/admin pages) on the public interface; -I puts these rules at the top
iptables -I INPUT 1 -i ens192 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -i ens192 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# Addresses allowed to register and send SIP
iptables -A SIP -s X.X.X.X/32 -j ACCEPT
# Default-deny last, once every ACCEPT rule above is in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
/sbin/service iptables save
Note: replace X.X.X.X with your own IP address or the agent IP address you want to allow.
Please do this very carefully, because you can lock yourself out by mistake. I take no responsibility for any issue that happens after using the above iptables rules. I am just giving an idea and looking for some input.
Below is the iptables-save output of the example I have used.
# Generated by iptables-save v1.4.21 on Tue Jul 6 08:10:08 2021
*nat
:PREROUTING ACCEPT [5641:1856947]
:INPUT ACCEPT [875:315565]
:OUTPUT ACCEPT [1795:125331]
:POSTROUTING ACCEPT [1795:125331]
COMMIT
# Completed on Tue Jul 6 08:10:08 2021
# Generated by iptables-save v1.4.21 on Tue Jul 6 08:10:08 2021
*mangle
:PREROUTING ACCEPT [187638:67356467]
:INPUT ACCEPT [187624:67353261]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [181954:73026567]
:POSTROUTING ACCEPT [181954:73026567]
COMMIT
# Completed on Tue Jul 6 08:10:08 2021
# Generated by iptables-save v1.4.21 on Tue Jul 6 08:10:08 2021
*filter
:INPUT DROP [981:280388]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [14329:2109716]
:SIP - [0:0]
-A INPUT -i ens192 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ens192 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 101.101.101.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j SIP
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -p udp -m udp --dport 5061 -j SIP
-A INPUT -p udp -m udp --dport 5061 -j DROP
-A INPUT -s 8.8.8.8/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A SIP -s 101.101.101.101/32 -j ACCEPT
COMMIT
# Completed on Tue Jul 6 08:10:08 2021

Now you can allow your agents with the command below:
iptables -A SIP -s <agent IP> -j ACCEPT
For example, if the agent machine's public IP is 4.4.4.4, the command will be:
iptables -A SIP -s 4.4.4.4 -j ACCEPT
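The same ruleset built from variables rather than hand-edited commands, as an added example that is not part of the original post: every address is validated before anything is applied, so a leftover placeholder such as "X.X.X.X" or "agent IP" can never reach iptables, and the default-deny policies are set only after all ACCEPT rules exist. IFACE, ADMIN_IP and AGENT_IPS are assumed names, the addresses are constructed, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's ruleset from variables
# instead of hand-editing each command. Every address is validated first, so a
# leftover placeholder such as "X.X.X.X" or "agent IP" can never reach iptables.
# Dry run by default (commands are printed); APPLY=1 executes them as root.
# IFACE, ADMIN_IP and AGENT_IPS are assumed names; the addresses are constructed.
IFACE="${IFACE:-ens192}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"                  # SSH allowed only from here
AGENT_IPS="${AGENT_IPS:-198.51.100.7 198.51.100.8}"   # agents' public IPs (SIP)

# valid_ip4 A.B.C.D -> returns 0 for a dotted quad with every octet in 0-255
valid_ip4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# run CMD... -> executes CMD when APPLY=1, otherwise prints it for review
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# build_rules -> emits the ruleset in lock-out-safe order; returns 1 on a bad address
build_rules() {
  for ip in "$ADMIN_IP" $AGENT_IPS; do
    valid_ip4 "$ip" || { echo "refusing to continue: bad IPv4 '$ip'" >&2; return 1; }
  done
  run iptables -F                      # flush every chain, then delete the empty user chains
  run iptables -X                      # so the script can be re-run safely
  run iptables -N SIP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  run iptables -A INPUT -i "$IFACE" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  run iptables -A INPUT -s "$ADMIN_IP/32" -p tcp --dport 22 -j ACCEPT
  for ip in $AGENT_IPS; do             # SIP chain: one ACCEPT per allowed agent address
    run iptables -A SIP -s "$ip/32" -j ACCEPT
  done
  for port in 5060 5061; do            # SIP signalling goes through the SIP chain; the rest is dropped
    run iptables -A INPUT -p udp --dport "$port" -j SIP
    run iptables -A INPUT -p udp --dport "$port" -j DROP
  done
  run iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT   # RTP media, any source
  run iptables -P INPUT DROP           # default policies last: all ACCEPT rules are already in place
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  run /sbin/service iptables save
}

build_rules
```

Run it once without APPLY to review the printed commands, and keep a second SSH session open while applying so a mistake can still be undone.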