Many people ask us how to secure their Asterisk PBX. The obvious first step is to close your VoIP signalling ports to the world: SIP listens on UDP port 5060 and IAX2 on UDP port 4569 (if you have enabled SIP over TCP or TLS, those listeners, by default 5060/TCP and 5061/TCP, need the same treatment). For most companies, restricting who can reach these ports removes the bulk of the problem, roughly 95% in our experience. Many companies, however, need their Asterisk system reachable from outside their own network, usually from elsewhere in the same country. In our case, people have asked us how to lock down their PBX so that only Israeli networks can reach it. Using the http://www.find-ip-address.org/ip-country/ website, you can obtain a full list of the IP ranges assigned to your country, wherever in the world you are.
Select your country on that site and download the full IP ranges file in CIDR notation; a CIDR-based file is what you need to build a working iptables script. With one rule per range and per port, the end result looks like this (RH-Firewall-1-INPUT is the default INPUT chain on Red Hat and CentOS; the accept rules must sit before the chain's final reject rule):
-A RH-Firewall-1-INPUT -m state --state NEW -s 2.52.0.0/14 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.19.80.0/21 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.31.96.0/21 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.36.193.144/28 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.116.0.0/15 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.120.0.0/15 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.136.41.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.136.116.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.183.88.0/21 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 46.210.0.0/16 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.0.0.0/16 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.56.252.0/22 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.0.0/17 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.128.0/18 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.192.0/19 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.224.0/20 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.240.0/21 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.248.0/22 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.253.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.90.254.0/23 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.122.224.0/21 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.128.32.0/19 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.184.18.64/27 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.200.224.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.200.232.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 62.200.234.0/25 -p udp -m udp --dport 5060 -j ACCEPT
The real list is far larger, around 1,000 entries for Israel, and other countries may have more. Bear in mind that the ranges assigned to a country often have gaps between them where the address space belongs to someone else, so if you consolidate adjacent rows into one larger block you may open the port to countries you never meant to allow; in the excerpt above, for example, 62.90.252.0/24 is not listed, so replacing the 62.90.x rows with 62.90.0.0/16 would admit it. The list also changes over time, so regenerate it from the download rather than editing it by hand. A whitelist this long is matched rule by rule in iptables; where ipset is available, loading the ranges into a hash:net set and matching it with a single -m set --match-set rule does the same job far more cheaply. Country filtering is a perimeter reduction, not authentication: an attacker on an in-country host, VPN or compromised machine still gets through, so strong SIP secrets, alwaysauthreject=yes and per-peer permit/deny entries in sip.conf remain necessary. The same concept applies to other protocols such as HTTP, HTTPS, SSH or any other IP-based service.
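The following POSIX shell script is an added example, not code from the original post or from the Asterisk project. It covers both steps above: it turns a downloaded CIDR file into rules in the format shown, for SIP and IAX2 at once, refusing malformed lines instead of emitting rules that would make iptables-restore fail, and it quantifies the consolidation caveat by counting how many addresses a candidate supernet would admit that the list never contained. The chain name, the two ports, and the sample list (the 62.90.0.0/16 rows from the excerpt above plus two deliberately malformed lines) are assumptions made for the example.

```shell
# Added example, not from the original post: build the country whitelist rules for
# SIP and IAX2 from a downloaded CIDR list, and measure the gap a consolidated
# supernet would open. Chain name, ports and the sample list are assumptions.
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"   # Red Hat's default INPUT chain, as in the post
PORTS="${PORTS:-5060 4569}"             # SIP and IAX2 signalling, both UDP

# ip2int A.B.C.D -> prints the address as an integer; exit status 1 if malformed
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d extra
        [ -n "$d" ] && [ -z "$extra" ] || exit 1        # exactly four octets
        for o in "$a" "$b" "$c" "$d"; do
            case "$o" in ''|*[!0-9]*) exit 1 ;; esac    # digits only
            [ "$o" -le 255 ] || exit 1
        done
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# cidr_range A.B.C.D/N -> prints "first last" as integers, normalising any host bits;
# exit status 1 if the argument is not a valid IPv4 CIDR
cidr_range() {
    case "$1" in */*) ;; *) return 1 ;; esac
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    base=$(ip2int "${1%/*}") || return 1
    size=$(( 1 << (32 - plen) ))
    start=$(( base - base % size ))
    echo "$start $(( start + size - 1 ))"
}

# clean_list FILE -> prints the valid CIDRs in FILE. Blank lines and comments are dropped;
# malformed entries go to stderr so a bad download cannot become a ruleset that fails to load.
clean_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        cidr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$cidr" ] || continue
        if cidr_range "$cidr" >/dev/null; then
            echo "$cidr"
        else
            echo "skipping invalid entry: $line" >&2
        fi
    done < "$1"
}

# gen_rules FILE -> one ACCEPT per (range, port) in the post's format, then a DROP per port
# so unlisted sources are refused. Insert the output after the chain's ESTABLISHED,RELATED rule.
gen_rules() {
    clean_list "$1" | while read -r cidr; do
        for p in $PORTS; do
            echo "-A $CHAIN -m state --state NEW -s $cidr -p udp -m udp --dport $p -j ACCEPT"
        done
    done
    for p in $PORTS; do
        echo "-A $CHAIN -p udp -m udp --dport $p -j DROP"
    done
}

# gap_addresses SUPERNET FILE -> how many addresses in SUPERNET are covered by none of the
# ranges in FILE; anything but 0 means consolidating into SUPERNET admits space the list
# never gave you. Assumes the list's ranges do not overlap, as in a published allocation list.
gap_addresses() {
    file=$2
    range=$(cidr_range "$1") || { echo "bad supernet: $1" >&2; return 1; }
    set -- $range; first=$1; last=$2; covered=0
    for cidr in $(clean_list "$file" 2>/dev/null); do
        set -- $(cidr_range "$cidr"); bs=$1; be=$2
        if [ "$be" -lt "$first" ] || [ "$bs" -gt "$last" ]; then continue; fi
        [ "$bs" -ge "$first" ] || bs=$first            # clip to the supernet
        [ "$be" -le "$last" ] || be=$last
        covered=$(( covered + be - bs + 1 ))
    done
    echo $(( last - first + 1 - covered ))
}

# write_sample FILE -> a constructed list for the demo: the 62.90.0.0/16 rows shown in the
# post (62.90.252.0/24 is absent from them) plus two malformed lines a download might contain
write_sample() {
    cat > "$1" <<'EOF'
# Israel, excerpt (constructed for this example)
62.90.0.0/17
62.90.128.0/18
62.90.192.0/19
62.90.224.0/20
62.90.240.0/21
62.90.248.0/22
62.90.253.0/24
62.90.254.0/23
999.1.1.0/24
10.0.0.0/33
EOF
}

# Demo: print the rules, then show that collapsing the 62.90.x rows into 62.90.0.0/16
# would open the ports to 256 addresses the list never included.
demo() {
    f=$(mktemp) && write_sample "$f"
    gen_rules "$f"
    echo "addresses in 62.90.0.0/16 not in the list: $(gap_addresses 62.90.0.0/16 "$f")"
    rm -f "$f"
}
demo
```

Save the downloaded file as, say, il.txt and run gen_rules il.txt to get the fragment to paste into /etc/sysconfig/iptables; run gap_addresses 62.90.0.0/16 il.txt (or any other supernet you are tempted to use) before merging rows, and keep the rows separate whenever it prints anything but 0.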