After the outage, I swapped in a different IVR machine to take incoming calls. It runs Asterisk 1.4.23 on Ubuntu 10.04. I decided to put the server behind iptables because my server was being brute-forced. eth0 is my private NIC, eth1 is the public one.
Here are my rules:
# only allow PING on PRIVATE NET
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
# allow all the lo traffic on loopback.
iptables -A INPUT -i lo -j ACCEPT
# START OPEN PORTS
#=================
#SSH (22)
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
#iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
#SAMBA: netbios (139) , microsoft-ds (445) -- only on internal
iptables -A INPUT -p tcp -i eth0 --dport 139 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT
#ASTERISK
# SIP (UDP 5060)
#Port 5060 must be open for SIP.
#Ports 1024 - 64000 should be open for Media.
#iptables -A INPUT -p tcp -m tcp -i eth1 --dport 5060 -j ACCEPT
#iptables -A INPUT -p udp -m udp -i eth1 --dport 1024:64000 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 --dport 10000:20000 -j ACCEPT
#iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 -s xxx.xx.xx.xx --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -m udp -i eth1 -s xx.xx.xx.xxx --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth1 -s xxx.xx.xx.xx --dport 5060 -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i eth1 -s xx.xx.xx.xxx --dport 5060 -j ACCEPT
#END ASTERISK
# END OPEN PORTS
#Deny everything else
iptables -A INPUT -p all -i eth1 -j DROP
xxx.xx.xx.xx and xx.xx.xx.xxx are my SIP provider's IPs (I pinged the SIP domain).
Our customers hear a busy tone when they call our number. I checked the logs and found various warnings. Here are some of the problems I noticed in the logs:
[Jan 24 05:02:00] WARNING[939] chan_sip.c: Maximum retries exceeded on transmission [email protected] for seqno 102 (Critical Response) -- See doc/sip-retransmit.txt.
[Jan 24 05:02:00] WARNING[939] chan_sip.c: Hanging up call [email protected] - no reply to our critical packet (see doc/sip-retransmit.txt).
[Jan 24 06:29:37] WARNING[939] chan_sip.c: Got 200 OK on REGISTER, but there isn't a registry entry for 'mpdhbf867' (we probably already got the OK)
[Jan 24 06:34:07] WARNING[939] chan_sip.c: Got 200 OK on REGISTER, but there isn't a registry entry for 'mpdhbf867' (we probably already got the OK)
[Jan 24 17:00:32] NOTICE[939] chan_sip.c: -- Registration for '[email protected]' timed out, trying again (Attempt #1)
When I turn iptables off, everything goes back to normal and calls don't drop or get a busy signal. This is a tough trade-off, because I don't want to leave my server open to the public internet. I'm willing to change
Answer 1
You're missing a rule that accepts traffic based on existing connections (the rule that makes iptables stateful). This should be your first rule:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
While you're at it, you should also check that you have the correct IP addresses for the incoming SIP traffic you expect. If the upstream provider changes those addresses, you'll be in trouble.