bbs2web
Member Candidate
Topic Author
Posts: 232
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

raw firewall rule to filter invalid SIP registrations

Mon Sep 10, 2018 2:41 pm

The 'content' verb for raw firewall rules is not documented on MikroTik's Wiki. We were having problems implementing this using layer7 filters and forward rules and had to resort to using raw filter rules instead.

A client of ours is using a Cisco Call Manager which has been set up incorrectly to register not just for their main number but all extensions within their organisation. This leads to the source IP automatically being firewalled by SIP bruteforce protection structures on our VoIP infrastructure.

What we wanted to do:
  • Allow SIP registration requests for a specific number/user
  • Disallow all other SIP registration requests


Resulting RouterOS raw firewall rules - confirmed to be working as expected:
/ip firewall raw
  add action=accept chain=prerouting comment="SIP Registration - Allow 0112223333:" \
    content="REGISTER\0D\0AContact: <sip:0112223333@" dst-port=5060 in-interface=ether5 protocol=udp src-address=198.19.32.18
  add action=drop chain=prerouting comment="SIP Registration - Deny all others:" \
    content="REGISTER\0D\0AContact: <sip:" dst-port=5060 in-interface=ether5 protocol=udp src-address=198.19.32.18

NB: Never edit the rule via Winbox! The content rule contains hex values for carriage return (\0D or \r) and line feed (\0A or \n) characters which get interpreted when opening and subsequently saving the rules.


This was constructed by reviewing a packet capture of the SIP registration attempts in Wireshark:
Image
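
Added example, not part of the original posts: a small Python check that replays the two content= patterns from the rules above against constructed SIP REGISTER payloads, so the patterns and their order can be tested before deployment. The sample packet layout (Contact directly after the CSeq line), the host pbx.example.net, the second extension number and the "mangled" rule set are assumptions made for illustration.

```python
# Added example (not from the thread): first-match emulation of the content= patterns only.
# src-address, dst-port, protocol and in-interface matching are not modelled.

def ros_unescape(pattern: str) -> bytes:
    """Convert \\XX hex escapes as written in the rules (\\0D\\0A) into raw bytes."""
    out, i = bytearray(), 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            out.append(int(pattern[i + 1:i + 3], 16))
            i += 3
        else:
            out += pattern[i].encode()
            i += 1
    return bytes(out)

# The two patterns from the post, in rule order (accept first, then drop).
RULES = [
    ("accept", r"REGISTER\0D\0AContact: <sip:0112223333@"),
    ("drop", r"REGISTER\0D\0AContact: <sip:"),
]
# Assumption: a damaged copy of the rules in which the CR LF bytes were lost on save.
MANGLED = [(action, pat.replace(r"\0D\0A", "")) for action, pat in RULES]

def evaluate(payload: bytes, rules=RULES) -> str:
    """Return the action of the first rule whose content occurs in the payload."""
    for action, pattern in rules:
        if ros_unescape(pattern) in payload:
            return action
    return "pass"  # nothing matched in raw; the packet carries on to later chains

def sample_register(user: str) -> bytes:
    """Constructed SIP REGISTER; assumes Contact directly follows the CSeq line."""
    lines = [
        "REGISTER sip:pbx.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 198.19.32.18:5060;branch=z9hG4bK-constructed",
        f"From: <sip:{user}@pbx.example.net>;tag=1",
        f"To: <sip:{user}@pbx.example.net>",
        "Call-ID: constructed-1@198.19.32.18",
        "CSeq: 101 REGISTER",
        f"Contact: <sip:{user}@198.19.32.18:5060>",
        "Expires: 3600", "Content-Length: 0", "", "",
    ]
    return "\r\n".join(lines).encode()

if __name__ == "__main__":
    for user in ("0112223333", "0112224444"):
        pkt = sample_register(user)
        print(user, evaluate(pkt), evaluate(pkt, MANGLED), evaluate(pkt, RULES[::-1]))
```

With the damaged patterns neither rule matches, so every registration passes the raw chain unfiltered, and with the rule order reversed the allowed number is dropped because the deny pattern is a prefix of the allow pattern.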
 
zonder
just joined
Posts: 1
Joined: Sat May 15, 2021 9:11 pm

Re: raw firewall rule to filter invalid SIP registrations

Sat May 15, 2021 9:40 pm

Very useful information!

I used your approach and set a few raw rules to allow registrations from particular remote extensions and "add source to list" IPs of other non-legitimate registration requests, with subsequent drops of those IPs.

This has significantly reduced the number of fake registration attempts and attacks received by the Asterisk box behind the Mikrotik.
