Protect my VOIP-server

Hi,

I am running a VoIP server, Asterisk, which is constantly being accessed by people attempting to register fraudulent users. I have tried to set up rules to prevent this, but it seems they do not work. This is my setup:

0 ;;; Accept Established Connections
chain=input action=accept connection-state=established

1 ;;; Accept Related Connections
chain=input action=accept connection-state=related

2 ;;; Drop Invalid Connections
chain=input action=drop connection-state=invalid

3 ;;; Accept Incoming VOIP
chain=input action=accept protocol=udp src-address=80.244.65.70 src-port=5060

4 ;;; Accept incoming VOIP
chain=input action=accept protocol=udp src-address=193.105.226.106 src-port=5060

5 ;;; Accept Everything from LAN
chain=input action=accept in-interface=ether2-master-local

6 ;;; Drop Everything Else
chain=input action=drop

My VoIP providers are accepted in rules 3 and 4. Since these are the only services I offer from WAN, everything else initiated from WAN should be blocked. Then I have NAT rules:

0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=5060 protocol=udp in-interface=ether1-gateway dst-port=5060

2 chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=10000-10020 protocol=udp in-interface=ether1-gateway dst-port=10000-10020

BUT, I am not blocking access so I constantly have fraud attempts in my Asterisk logs…

So, I need help - what is wrong here?

BR

/Uffe

You are using the wrong chain.

INPUT is for controlling access to the MikroTik router ITSELF, and will neither allow nor block access to any computers or servers behind it.

FORWARD is for controlling access to computers and servers connected to the router. THAT is what you want.
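As an added illustration (not from the thread), this is what a FORWARD-chain version of the original intent looks like in RouterOS: only the two provider addresses from the first post may reach the Asterisk host at 192.168.88.50 on SIP and RTP, and every other WAN-initiated connection to the LAN is dropped. The address-list name "voip-providers" and the comments are assumptions; the addresses, interfaces and ports are the ones the thread uses.

```routeros
# Added example, not the poster's configuration. Provider addresses from the thread;
# the list name "voip-providers" is an assumption.
/ip firewall address-list
add list=voip-providers address=80.244.65.70 comment="VoIP provider 1"
add list=voip-providers address=193.105.226.106 comment="VoIP provider 2"

# FORWARD chain: traffic passing THROUGH the router to the LAN.
# dst-nat has already rewritten the destination, so match on the LAN address.
/ip firewall filter
add chain=forward action=accept connection-state=established \
    comment="Accept established"
add chain=forward action=accept connection-state=related \
    comment="Accept related"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid"
add chain=forward action=accept protocol=udp in-interface=ether1-gateway \
    src-address-list=voip-providers dst-address=192.168.88.50 dst-port=5060 \
    comment="SIP signalling only from providers"
add chain=forward action=accept protocol=udp in-interface=ether1-gateway \
    src-address-list=voip-providers dst-address=192.168.88.50 \
    dst-port=10000-10020 comment="RTP media only from providers"
add chain=forward action=drop in-interface=ether1-gateway \
    connection-state=new comment="Drop every other new connection from WAN"
```

Rule order matters: the provider accepts must sit above the final drop, and LAN-originated traffic is unaffected because the drop matches only connections arriving on ether1-gateway.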

OK, I have revised the rules somewhat now. For the moment (at least) I have not noted any new fraud attempts.

Filter rules:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Accept Established Connections
chain=input action=accept connection-state=established

1 ;;; Accept Related Connections
chain=input action=accept connection-state=related

2 ;;; Drop Invalid Connections
chain=input action=drop connection-state=invalid

3 ;;; Accept Everything from LAN
chain=input action=accept in-interface=ether2-master-local

4 ;;; Drop Everything Else
chain=input action=drop

NAT:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway

1 chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=5060 protocol=udp src-address=80.244.65.70 in-interface=ether1-gateway dst-port=5060

2 chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=10000-10020 protocol=udp src-address=80.244.65.70 in-interface=ether1-gateway dst-port=10000-10020

Is this a correct setting to only allow access from my VoIP provider at IP 80.244.65.70?

I'm sorry for being a newbie; RouterOS is far more complicated (and powerful) than any other "plastic" firewall.

BR

The NAT rules are allowing the VOIP server to be reached ONLY by that one address. That is correct.

The INPUT rules are fine, but they have nothing to do with protecting the VOIP server.

Thanks for your support.

BR

/Uffe