edon
just joined
Topic Author
Posts: 23
Joined: Sun Mar 20, 2011 10:51 pm

SIP FIREWALL

Tue Aug 16, 2011 8:34 pm

Hi ... I need to restrict access to my SIP server for all the traffic and allow only like 10 IP addresses.

Example: my SIP server (Windows machine) has a public IP (12.12.12.12).
I have internal clients connected with private addresses (192.168.1.0/24) - I want to allow these.
And I have a couple of public IP addresses which I want to allow to have access to my SIP server (port 5060).

Thanks.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: SIP FIREWALL

Tue Aug 16, 2011 9:01 pm

If the SIP server is connected via a RouterOS device - there is nothing in your post that indicates where the server is and how it connects to the world - use the IP firewall filters in the forward chain. Something like below, which makes up a bunch of random networks, and assumes the SIP server is at 10.0.0.2 (real IP address after any NAT).

/ip firewall address-list
add list=permit-sip address=192.168.1.0/24
add list=permit-sip address=172.16.0.0/24
add list=permit-sip address=2.2.2.2
add list=permit-sip address=3.3.3.3
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=permit-sip dst-address=10.0.0.2 action=accept
add chain=forward dst-address=10.0.0.2 action=drop

If that doesn't help, give more details. Way more details. Preferably a network diagram with accurately labeled devices, links, and IP addresses.
 
edon
just joined
Topic Author
Posts: 23
Joined: Sun Mar 20, 2011 10:51 pm

Re: SIP FIREWALL

Tue Aug 16, 2011 9:59 pm

Thanks for your reply:

The server is connected directly into RouterOS; clients are NATed to the same RouterOS (these will be 192.168.1.0/24), clients in my office.

I don't want to block the whole traffic to it, I only want to block 5060 SIP traffic.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: SIP FIREWALL

Tue Aug 16, 2011 10:56 pm

Then add "protocol=" and "dst-port=" qualifiers to the drop rules.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
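
The qualifiers suggested in the last reply, applied to the rule set posted earlier in the thread, as an added example that is not part of the original posts. It keeps the thread's made-up addresses (server at 10.0.0.2, list permit-sip) and assumes SIP signalling on port 5060 over both UDP and TCP; the comments are additions.

```routeros
/ip firewall address-list
add list=permit-sip address=192.168.1.0/24 comment="office clients"
add list=permit-sip address=2.2.2.2 comment="placeholder remote peer"
add list=permit-sip address=3.3.3.3 comment="placeholder remote peer"

/ip firewall filter
# Rules are evaluated top to bottom; the first match decides.
# Return traffic for flows that were already accepted.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop

# SIP to the server from listed sources.
add chain=forward protocol=udp dst-port=5060 dst-address=10.0.0.2 \
    src-address-list=permit-sip action=accept comment="SIP/UDP from permit-sip"
add chain=forward protocol=tcp dst-port=5060 dst-address=10.0.0.2 \
    src-address-list=permit-sip action=accept comment="SIP/TCP from permit-sip"

# SIP to the server from anyone else. Only port 5060 is dropped, so
# other traffic to 10.0.0.2 falls through to whatever rules follow.
add chain=forward protocol=udp dst-port=5060 dst-address=10.0.0.2 \
    action=drop comment="drop other SIP/UDP"
add chain=forward protocol=tcp dst-port=5060 dst-address=10.0.0.2 \
    action=drop comment="drop other SIP/TCP"
```

Flows already present in connection tracking keep matching the established rule, so a source that was talking to port 5060 before the drop rules were added stays allowed until its tracking entry times out or is removed.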