arturmnt

IPTABLESFORVOIP

Sep 20th, 2018
  # IPv6 filter table in iptables-restore format. Rules are evaluated top to bottom:
  # established/related traffic, loopback and new SSH (tcp/22) are accepted, and
  # everything else on INPUT and FORWARD hits the final REJECT rules. The ACCEPT
  # chain policies therefore only matter for OUTPUT.
  1. # sample configuration for ip6tables service
  2. # you can edit this manually or use system-config-firewall
  3. # please do not ask us to add additional ports/services to this default configuration
  4. *filter
  5. :INPUT ACCEPT [0:0]
  6. :FORWARD ACCEPT [0:0]
  7. :OUTPUT ACCEPT [0:0]
  8. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  9. -A INPUT -i lo -j ACCEPT
  # NOTE(review): tcp/22 is accepted from any IPv6 source here, while the IPv4 ruleset on
  # this page rejects new connections to port 22 and accepts 22004 instead. Confirm the
  # two address families are meant to differ; an unreviewed IPv6 path is a common gap.
  10. -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  # NOTE(review): no rule accepts ICMPv6 before this catch-all, so neighbour discovery and
  # other ICMPv6 messages that are not RELATED would be rejected. Confirm IPv6 is unused on
  # this host, or add an explicit `-p ipv6-icmp` accept ahead of the REJECT.
  11. -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
  12. -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
  13. COMMIT
  14. [root@ip-172-31-45-61 ~]# cat /etc/sysconfig/iptables
  15. # Firewall configuration written by system-config-firewall
  16. # Manual customization of this file is not recommended.
  # NOTE(review): the rules below are clearly hand-maintained; presumably re-running
  # system-config-firewall would regenerate this file, so keep a reviewed copy elsewhere.
  #
  # mangle table: QoS marking only, no filtering. Locally generated UDP with source or
  # destination port 5060 is marked DSCP CS3, and UDP sourced from ports 16384-32767 is
  # marked EF.
  17. *mangle
  18. -A OUTPUT -p udp -m udp --sport 5060 -j DSCP --set-dscp-class cs3
  19. -A OUTPUT -p udp -m udp --dport 5060 -j DSCP --set-dscp-class cs3
  # NOTE(review): the EF range (16384:32767) differs from the UDP ranges the filter table
  # accepts (10000:20000 and 10000:60000). Media sent from ports outside 16384-32767 would
  # leave unmarked; confirm against the PBX RTP port configuration.
  20. -A OUTPUT -p udp -m udp --sport 16384:32767 -j DSCP --set-dscp-class ef
  21. COMMIT
  # IPv4 filter table. All three built-in chains have policy ACCEPT, so a packet that
  # reaches the end of INPUT without matching a DROP/REJECT rule is accepted.
  22. *filter
  23. :INPUT ACCEPT [0:0]
  24. :FORWARD ACCEPT [0:0]
  25. :OUTPUT ACCEPT [0:0]
  # Established/related traffic is accepted first, so every rule after this one only sees
  # packets that are not part of an already tracked connection.
  26. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  27. -A INPUT -i lo -j ACCEPT
  # Static source blacklist. The first three entries drop every packet that reaches them;
  # the remaining entries drop only packets in state NEW.
  # NOTE(review): a hand-maintained address list goes stale quickly; an ipset referenced
  # from a single rule is easier to audit and update.
  28. #Blacklist
  29. -A INPUT -s 186.225.25.133 -j DROP
  30. -A INPUT -s 104.206.96.186 -j DROP
  31. -A INPUT -s 163.172.205.227 -j DROP
  32. -A INPUT -s 195.154.230.48 -m state --state NEW -j DROP
  33. -A INPUT -s 199.48.164.49 -m state --state NEW -j DROP
  34. -A INPUT -s 212.129.2.176 -m state --state NEW -j DROP
  35. -A INPUT -s 46.165.243.199 -m state --state NEW -j DROP
  # NOTE(review): 100.81.7.51 lies in 100.64.0.0/10 (RFC 6598 shared address space), which
  # is not globally routable; confirm where this source was observed.
  36. -A INPUT -s 100.81.7.51 -m state --state NEW -j DROP
  37. -A INPUT -s 195.154.63.172 -m state --state NEW -j DROP
  38. #End blacklist
  39. #--------------------- Server management rules
  # tcp/22004 and tcp/443 are accepted from any source; tcp/80 is accepted from one address.
  # NOTE(review): presumably 22004 is the relocated SSH port (rule 46 rejects 22) — confirm.
  40. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22004 -j ACCEPT
  41. -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
  # NOTE(review): the INPUT policy is ACCEPT and no later rule drops tcp/80, so this source
  # restriction has no effect as written: port 80 stays reachable from every address that
  # is not blacklisted. It only becomes meaningful with a catch-all DROP/REJECT at the end
  # of the chain.
  42. -A INPUT -s 54.94.218.234 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
  # MySQL: loopback is already accepted by rule 27; the DROP below is what keeps the port
  # (named "mysql", resolved through the services database) closed to other interfaces.
  43. -A INPUT -i lo -p tcp --dport mysql -j ACCEPT
  44. -A INPUT -p tcp --dport mysql -j DROP
  45. -A INPUT -p icmp --icmp-type echo-request -j REJECT
  46. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT
  47. #ZABBIX
  # NOTE(review): these rules match UDP only. SNMP (161) is UDP, but Zabbix agent and
  # trapper traffic on 10050/10051 is normally TCP; it currently passes only because of the
  # ACCEPT policy and would break if a catch-all drop were added. Verify the protocol and
  # add TCP rules for these two sources if needed.
  48. -A INPUT -m state --state NEW -m udp -p udp -s 172.31.39.188 --match multiport --dports 161,10050,10051 -j ACCEPT
  49. -A INPUT -m state --state NEW -m udp -p udp -s 54.94.218.234 --match multiport --dports 161,10050,10051 -j ACCEPT
  50. #--------------------- End of server management rules
  51. #--------- Temporary rules
  52. #--------- End of temporary rules
  53. #Rules for known attacks
  # Payload signatures (Boyer-Moore, case-sensitive) for names that SIP scanning tools put
  # in their requests. Rules 54-71 have no port match, so they apply to UDP on every port.
  # Because rule 26 accepts established flows first, only the opening packets of a flow are
  # inspected.
  # NOTE(review): this filters tools that identify themselves and is noise reduction only;
  # it does not replace SIP authentication, strong extension secrets and rate limiting
  # (for example fail2ban on the PBX log, or the hashlimit/recent matches).
  54. -A INPUT -j DROP -p udp -m string --string "pplsip" --algo bm
  55. -A INPUT -j DROP -p udp -m string --string "sipcli" --algo bm
  56. -A INPUT -j DROP -p udp -m string --string "sipvicious" --algo bm
  57. -A INPUT -j DROP -p udp -m string --string "sip-scan" --algo bm
  58. -A INPUT -j DROP -p udp -m string --string "sipsak" --algo bm
  59. -A INPUT -j DROP -p udp -m string --string "sundayddr" --algo bm
  60. -A INPUT -j DROP -p udp -m string --string "friendly-scanner" --algo bm
  61. -A INPUT -j DROP -p udp -m string --string "iWar" --algo bm
  # NOTE(review): CSipSimple is also the name of a softphone application; confirm that no
  # legitimate client registers with this User-Agent before keeping the rule.
  62. -A INPUT -j DROP -p udp -m string --string "CSipSimple" --algo bm
  63. -A INPUT -j DROP -p udp -m string --string "SIVuS" --algo bm
  # NOTE(review): short substrings such as "Gulp", "sipv", "smap" and "Test" match anywhere
  # in the payload of any new UDP flow, so they can drop legitimate packets (a display name
  # or header containing "Test", for instance). Consider limiting them to the SIP ports or
  # matching a longer token.
  64. -A INPUT -j DROP -p udp -m string --string "Gulp" --algo bm
  65. -A INPUT -j DROP -p udp -m string --string "sipv" --algo bm
  66. -A INPUT -j DROP -p udp -m string --string "smap" --algo bm
  67. -A INPUT -j DROP -p udp -m string --string "friendly-request" --algo bm
  68. -A INPUT -j DROP -p udp -m string --string "VaxIPUserAgent" --algo bm
  69. -A INPUT -j DROP -p udp -m string --string "VaxSIPUserAgent" --algo bm
  70. -A INPUT -j DROP -p udp -m string --string "siparmyknife" --algo bm
  71. -A INPUT -j DROP -p udp -m string --string "Test" --algo bm
  # Rules 72-79: the TCP rules extend the signatures to SIP over TCP on 5060/5080. The UDP
  # rules (74, 75) can never match, because rule 60 already drops the same string on all
  # UDP ports.
  72. -A INPUT -j DROP -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bm
  73. -A INPUT -j DROP -p tcp --dport 5080 -m string --string "friendly-scanner" --algo bm
  74. -A INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
  75. -A INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
  76. -A INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
  77. -A INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxIPUserAgent" --algo bm
  78. -A INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
  79. -A INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxIPUserAgent" --algo bm
  # NOTE(review): rules 80-84 appear to repeat rules 56, 58, 59, 60 and 61 with an explicit
  # search limit; the earlier port-less rules already drop these packets, so the counters
  # here should stay at zero. Candidates for removal once confirmed.
  80. -A INPUT -p udp -m udp --dport 5060 -m string --string "iWar" --algo bm --to 65535 -j DROP
  81. -A INPUT -p udp -m udp --dport 5060 -m string --string "sipvicious" --algo bm --to 65535 -j DROP
  82. -A INPUT -p udp -m udp --dport 5060 -m string --string "sipsak" --algo bm --to 65535 -j DROP
  83. -A INPUT -p udp -m udp --dport 5060 -m string --string "sundayddr" --algo bm --to 65535 -j DROP
  84. -A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 65535 -j DROP
  # Malformed-TCP hygiene: new connections that do not start with SYN, fragments, and
  # segments with all flags set or no flags set are dropped.
  85. -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  # NOTE(review): with connection tracking loaded, fragments are normally reassembled
  # before the filter table, so this rule may never match — check its packet counter.
  86. -A INPUT -f -j DROP
  87. -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  88. -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  # Nothing is forwarded through this host: every FORWARD packet is rejected.
  89. -A FORWARD -j REJECT --reject-with icmp-host-prohibited
  90. ##End of rules for known attacks
  91. #-----------------------Providers----------------------
  # Per-provider allowances: SIP signalling (udp/5060-5061) and a wide UDP media range
  # (10000-60000) from each provider address.
  92. # -------- CODEXX SPV
  93. -A INPUT -s 52.67.120.136 -m state --state NEW -m udp -p udp -m udp --dport 5060:5061 -j ACCEPT
  94. -A INPUT -s 52.67.120.136 -m state --state NEW -m udp -p udp -m udp --dport 10000:60000 -j ACCEPT
  95. ####-------- End SPV
  96. # -------- IPCORP
  97. -A INPUT -s 177.38.217.16 -m state --state NEW -m udp -p udp -m udp --dport 5060:5061 -j ACCEPT
  98. -A INPUT -s 177.38.217.16 -m state --state NEW -m udp -p udp -m udp --dport 10000:60000 -j ACCEPT
  99. ####-------- End IPCORP
  100. #-----------------------End providers----------------------
  101. #-----------------------Clients registered over the Internet----------------------
  # NOTE(review): these two rules accept SIP signalling and UDP 10000-20000 from ANY source,
  # which makes the provider rules for 5060:5061 above redundant and leaves the PBX
  # reachable by every address not blacklisted. If remote clients cannot be pinned to known
  # networks, pair this with per-source rate limiting and PBX-side lockout of failed
  # registrations.
  # NOTE(review): port 5061 is conventionally SIP over TLS, which runs on TCP; only UDP is
  # matched here — confirm which transport the PBX actually listens on.
  102. -A INPUT -m state --state NEW -m udp -p udp -m udp --dport 5060:5061 -j ACCEPT
  103. -A INPUT -m state --state NEW -m udp -p udp -m udp --dport 10000:20000 -j ACCEPT
  104. # TALKIP
  # Port 4569 from a single peer (presumably IAX2 trunking — confirm).
  # NOTE(review): IAX2 is a UDP protocol, so the TCP rule is probably unnecessary.
  105. -A INPUT -s 186.225.25.132 -m state --state NEW -m udp -p udp -m udp --dport 4569 -j ACCEPT
  106. -A INPUT -s 186.225.25.132 -m state --state NEW -m tcp -p tcp -m tcp --dport 4569 -j ACCEPT
  107. ####----- End TALKIP
  108. #-----------------------End clients registered over the Internet----------------------
  109. #End of VoIP rules
  110. ##Rules for NFS
  # NFS-related ports accepted from two internal hosts (the comma-separated source list is
  # expanded into one rule per address when loaded). Port 111 is the portmapper and 2049 is
  # NFS; 32803, 892, 32769, 875 and 662 are presumably the fixed lockd/mountd/rquotad/statd
  # ports set in the NFS service configuration — verify against the server.
  111. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p udp --dport 111 -j ACCEPT
  112. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 111 -j ACCEPT
  113. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
  114. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
  115. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 892 -j ACCEPT
  116. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p udp --dport 32769 -j ACCEPT
  117. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 875 -j ACCEPT
  118. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p udp --dport 875 -j ACCEPT
  119. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p tcp --dport 662 -j ACCEPT
  120. -A INPUT -s 172.31.39.188,172.31.39.189 -m state --state NEW -p udp --dport 662 -j ACCEPT
  121. ###----End internal network
  # NOTE(review): the INPUT chain ends here with policy ACCEPT and no catch-all rule, so the
  # table works as a blocklist: only the explicit DROP/REJECT rules above (blacklist, mysql,
  # tcp/22, echo-request, signatures, malformed TCP) deny anything. Every source-restricted
  # ACCEPT — tcp/80, Zabbix, providers, port 4569, and these NFS/portmapper ports — is
  # reachable from any address. If an allowlist is intended, end the chain with
  # `-A INPUT -j REJECT --reject-with icmp-host-prohibited` (or set the policy to DROP)
  # after confirming every required service has an ACCEPT rule, and test from a console
  # session. The hostname suggests a cloud instance, so an upstream security group may be
  # the real boundary — confirm rather than assume.
  122. COMMIT