SIP FIREWALL

Hi … I need to restrict access to my SIP server for all traffic and allow only about 10 IP addresses.

Example: my SIP server (Windows machine) has a public IP (12.12.12.12).
I have internal clients connected with private addresses (192.168.1.0/24) - I want to allow these.
And I have a couple of public IP addresses which I want to allow to have access to my SIP server (port 5060).

Thanks.

If the SIP server is connected via a RouterOS device (there is nothing in your post that indicates where the server is and how it connects to the world), use the IP firewall filters in the forward chain. Something like below, which makes up a bunch of random networks and assumes the SIP server is at 10.0.0.2 (the real IP address after any NAT).

# sources that may reach the SIP server (private office LAN plus a few public peers)
/ip firewall address-list
add list=permit-sip address=192.168.1.0/24
add list=permit-sip address=172.16.0.0/24
add list=permit-sip address=2.2.2.2
add list=permit-sip address=3.3.3.3
# forward chain: traffic routed through the router, not addressed to the router itself
/ip firewall filter
# reply traffic of already-accepted connections stays allowed
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# only the permitted sources may open new connections to the server
add chain=forward src-address-list=permit-sip dst-address=10.0.0.2 action=accept
# everything else destined for the server is dropped
add chain=forward dst-address=10.0.0.2 action=drop

If that doesn't help, give more details. Way more details. Preferably a network diagram with accurately labeled devices, links, and IP addresses.



Thanks for your reply:

The server is connected directly to RouterOS; clients are NATted through the same RouterOS (these will be 192.168.1.0/24, clients in my office).

I don't want to block all traffic to it; I only want to block SIP traffic on port 5060.

Then add "protocol=" and "dst-port=" qualifiers to the drop rules.

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
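For reference, a complete version of the rule set with the port qualifiers applied, written as an added example (not posted by either participant above). It keeps the same assumptions as the earlier reply: the server's address as seen in the forward chain after any dst-nat is 10.0.0.2, and the public peer addresses are placeholders. Both the accept and the drop rules are narrowed to port 5060, so traffic to any other port on the server is not touched by these rules at all. SIP signalling can run over UDP or TCP, and RouterOS takes one protocol per rule, so each rule appears twice.

```routeros
# Added example, not from the original thread.
# Assumptions: SIP server is 10.0.0.2 after dst-nat; 2.2.2.2 and 3.3.3.3 are
# placeholder public peers; only port 5060 is restricted, nothing else.
/ip firewall address-list
add list=permit-sip address=192.168.1.0/24 comment="office clients (private side)"
add list=permit-sip address=2.2.2.2 comment="remote SIP peer (placeholder)"
add list=permit-sip address=3.3.3.3 comment="remote SIP peer (placeholder)"
/ip firewall filter
# keep reply traffic of existing connections flowing, drop broken state
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# permitted sources may open SIP signalling (UDP and TCP 5060) to the server
add chain=forward protocol=udp dst-address=10.0.0.2 dst-port=5060 \
    src-address-list=permit-sip action=accept comment="SIP allow (udp)"
add chain=forward protocol=tcp dst-address=10.0.0.2 dst-port=5060 \
    src-address-list=permit-sip action=accept comment="SIP allow (tcp)"
# anyone else trying to reach 5060 on the server is dropped and logged
add chain=forward protocol=udp dst-address=10.0.0.2 dst-port=5060 \
    action=drop log=yes log-prefix="SIP-BLOCK" comment="SIP deny (udp)"
add chain=forward protocol=tcp dst-address=10.0.0.2 dst-port=5060 \
    action=drop log=yes log-prefix="SIP-BLOCK" comment="SIP deny (tcp)"
```

Two things to check after adding this: rule order matters, so these rules must sit above any broad "accept everything" rule already in the forward chain (use /ip firewall filter print stats to see which rules are actually matching), and these rules cover only the signalling port. If the peers also need RTP media to the server, or SIP over TLS on 5061, those ports need their own rules; they are not restricted by anything here.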