
RouterOS and asterisk

As a result of constant attacks on my IP01, I am planning to set up a firewall in the middle.
I bought an RB750G last summer and haven't used it (planned as a VPN client but never succeeded). It seems to be much more advanced than a home router.

Does anyone have experience with a RouterOS and asterisk setup for the following (basic) objectives?
1. Protect IP01 from attacks.
2. IP01 works as before (normal outside users should still be able to access my IP01).


Currently, I have set
1. allowguests=no
2. only the simple error "No matching peer found" is given

However, the attacks always come back a few days after changing the IP address, with 30 REGISTER attempts per minute. IP01 cannot work properly as the CPU load is too high.


This post was last edited by Qnewbie on 2012-1-9 22:13

Reply to #8 雯雯

The file is corrupted. The VPN does not work yet.

I set up the RB750G on the front line, with port-forwarding rules for 5060 & 10000-20000. All traffic from the intruders' IPs is dropped.
Both incoming and outgoing calls work!

I add to the block list by hand. I miss the dynamic blacklist feature of fail2ban.


Masquerade your outgoing packets as coming from the WAN (src-nat is a chain of /ip firewall nat, not a separate menu):
/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN

Port forwarding for 5060 & 10000-20000 (the IP01 IP is
/ip firewall nat add chain=dstnat protocol=udp dst-port=5060 action=dst-nat to-addresses= to-ports=5060
/ip firewall nat add chain=dstnat protocol=udp dst-port=10000-20000 action=dst-nat to-addresses= to-ports=10000-20000

Drop intruders (ranges; add more as you find more):
/ip firewall address-list add list=blacklist address=
/ip firewall filter add chain=input src-address-list=blacklist action=drop
# packets dst-nat'ed to IP01 traverse the forward chain, not input, so drop them there as well
/ip firewall filter add chain=forward src-address-list=blacklist action=drop


This post was last edited by Qnewbie on 2012-5-31 06:14

As the blacklist of hackers' IP addresses grows, it gets hard to handle.

Let's think the opposite: a white list! I have 10 SIP providers and a few extensions. Hence this white list would be much easier to handle.

Divide the white list into two groups:
#1. DNS-resolvable, like SIP providers, your clients' dyndns address(es), etc.
#2. Static IP addresses, like your local IP address pool (which cannot be found out through DNS).

For the DNS-resolvable group:
Copy the script from the RouterOS wiki (http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules; be aware of the Ooops too):
/system script add \
   name=resolvehostnames policy=write,read \
   source="# define variables\r\
   \n:local list\r\
   \n:local comment\r\
   \n:local newip\r\
   \n# Loop through each entry in the address list.\r\
   \n:foreach i in=[/ip firewall address-list find] do={\r\
   \n# Get the first five characters of the list name\r\
   \n  :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
   \n# If they're 'host_', then we've got a match - process it\r\
   \n  :if (\$list = \"host_\") do={\r\
   \n# Get the comment for this address list item (this is the host name to u\
   se)\r\
   \n    :set comment [/ip firewall address-list get \$i comment]\r\
   \n# Resolve it and set the address list entry accordingly.\r\
   \n    :set newip [:resolve \$comment]\r\
   \n    /ip firewall address-list set \$i address=\$newip\r\
   \n    }\r\
   \n  }"

And the scheduler (runs every hour; you can change the frequency if you like):
/system scheduler add \
   comment="" disabled=no interval=1h name=updatehostnames on-event=resolvehostnames \
   start-date=jan/01/1970 start-time=00:00:00

Add your host name to your list (the list name must start with host_). For instance, to add mouselike.org to your list host_allowedlist:
/ip firewall address-list add address= comment=mouselike.org list=host_allowedlist

After you have added all your host names to the list, run the script resolvehostnames.

For the static IP addresses, just use the address-list add command. For instance, to add your IP01 ( to allowed_staticiplist:
/ip firewall address-list add address= comment=IP01 list=allowed_staticiplist

Done adding the allowed IP address lists!

The next step is to allow the white list to use port 5060 (the first statement sends all UDP 5060 to an extra control chain named allowedsip):
/ip firewall filter add chain=forward action=jump jump-target=allowedsip protocol=udp dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=host_allowedlist dst-port=5060
/ip firewall filter add chain=allowedsip action=accept protocol=udp src-address-list=allowed_staticiplist dst-port=5060

And drop all others!
/ip firewall filter add chain=allowedsip action=drop

Now those who are not in the allowed list will not be able to launch attacks through UDP port 5060!
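The dynamic blacklist that the earlier post misses (fail2ban-style banning feeding the blacklist address-list the drop rules match on) and the allowed lists from this post can be combined off-router. What follows is an added example, not code from the thread, from MikroTik or from Asterisk: a Python script that scans Asterisk chan_sip "No matching peer found" log lines, applies a fail2ban-style maxretry/findtime decision per source IP, skips any address inside a whitelisted network, and prints RouterOS address-list commands with a timeout so bans expire by themselves. The log lines, extensions, addresses, thresholds and whitelist network are all constructed for the demonstration, and the log format assumed is the Asterisk 1.8 chan_sip NOTICE line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Asterisk 1.8 chan_sip NOTICE line written when allowguests=no rejects a
# REGISTER from an unknown source (assumed format), e.g.
#   [Jan  9 22:13:01] NOTICE[1873] chan_sip.c: Registration from
#   '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
FAILED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - No matching peer found"
)


def parse_failures(lines, year=2012):
    """Return [(timestamp, source_ip)] for every matching failure line.
    Asterisk's default log timestamp carries no year, so one is supplied."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # "Jan  9" -> "Jan 9"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"]))
    return events


def max_in_window(times, window):
    """Largest number of events inside any span of length `window` (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_offenders(events, threshold=30, window=timedelta(minutes=1), whitelist=()):
    """fail2ban-style decision (maxretry=threshold, findtime=window): an IP whose
    failures reach `threshold` inside `window` is an offender, unless it lies in
    one of the whitelisted networks (the allowed lists of this post)."""
    nets = [ip_network(n) for n in whitelist]
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        if any(ip_address(ip) in net for net in nets):
            continue
        hits = max_in_window(times, window)
        if hits >= threshold:
            offenders[ip] = hits
    return offenders


def routeros_commands(offenders, list_name="blacklist", ban_time="1d"):
    """RouterOS commands adding each offender to the address-list that the
    thread's drop rules match on; timeout= makes the entry expire by itself."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} "
        f'timeout={ban_time} comment="auto-ban: {hits} failed REGISTERs"'
        for ip, hits in sorted(offenders.items())
    ]


def _line(stamp, exten, src):
    """Build one constructed failure line in the format FAILED_RE expects."""
    return (f"[{stamp}] NOTICE[1873] chan_sip.c: Registration from "
            f"'\"{exten}\" <sip:{exten}@203.0.113.5>' failed for '{src}:5060' - No matching peer found")


# Constructed sample log: one scanner hammering the box, one stray pair of
# failures 16 minutes apart, one LAN phone with a wrong password, one unrelated line.
SAMPLE_LOG = [
    _line("Jan  9 22:13:01", "100", "198.51.100.23"),
    _line("Jan  9 22:13:03", "101", "198.51.100.23"),
    _line("Jan  9 22:13:05", "102", "198.51.100.23"),
    _line("Jan  9 22:13:07", "103", "198.51.100.23"),
    _line("Jan  9 22:14:00", "200", "192.0.2.77"),
    _line("Jan  9 22:30:00", "200", "192.0.2.77"),
    _line("Jan  9 22:31:00", "300", "192.168.88.10"),
    _line("Jan  9 22:31:01", "300", "192.168.88.10"),
    _line("Jan  9 22:31:02", "300", "192.168.88.10"),
    "[Jan  9 22:31:03] NOTICE[1873] chan_sip.c: Retransmission timeout reached on transmission abc",
]


def check_sample():
    """Run the pipeline over SAMPLE_LOG with a low threshold for the demo."""
    events = parse_failures(SAMPLE_LOG)
    offenders = find_offenders(events, threshold=3, window=timedelta(seconds=60),
                               whitelist=["192.168.88.0/24"])
    return events, offenders, routeros_commands(offenders)


if __name__ == "__main__":
    _, offenders, cmds = check_sample()
    print("\n".join(cmds))   # one line for 198.51.100.23 (4 failures in 6 s); the LAN phone is spared
```

Fed with /var/log/asterisk/messages from a cron job or a tail loop, and with the printed commands pushed to the router (over SSH, for example), this gives the fail2ban-like behaviour the earlier post asks for without changing the drop rules, which already match list=blacklist. The defaults reproduce the thread's own figure of 30 REGISTER attempts per minute; the whitelist argument takes the same networks you put in allowed_staticiplist so a mistyped extension password on the LAN never bans your own phones.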


This post was last edited by Qnewbie on 2012-6-8 22:28

Hope the white-list protection works.

Another field is QoS. With ADSL, bandwidth is always a problem (OK, for those who have dual-WAN, 100M etc., please ignore this issue). Following the wiki from Mikrotik, here is my QoS setup:
1. Mark packets.
2. Define queue tree.
3. Define priority in queue tree.

1. For RTP traffic, it is hard to mark with a layer-7 protocol. I simply mark the packets to/from the asterisk IP (here is as voip_in and voip_out.
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=voip_in passthrough=no  dst-address= in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=voip_out passthrough=no  src-address= out-interface=WAN

Other traffic is marked by
/ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=others_in passthrough=no in-interface=WAN
add chain=postrouting action=mark-packet new-packet-mark=others_out passthrough=no out-interface=WAN

2. Define your queue tree:
Note: change the max upload and download speeds under DSL_IN (11M in) and DSL_OUT (600k out) (parents global-in / global-out) to match your xDSL:
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=\
   10000000 max-limit=11000000 name=DSL_IN packet-mark="" parent=global-in \
   priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=500000 \
   max-limit=600000 name=DSL_OUT packet-mark="" parent=global-out priority=1 \
   queue=default
3. Define your priorities:
/queue tree
add name=voip_in packet-mark=voip_in parent=DSL_IN priority=3
add name=voip_out packet-mark=voip_out parent=DSL_OUT priority=3
add name=remaining_in packet-mark=others_in parent=DSL_IN priority=6
add name=remaining_out packet-mark=others_out parent=DSL_OUT priority=6

The drawback of this QoS is that free memory shrinks by 2M (12M left)!

http://wiki.mikrotik.com/wiki/Ba ... n_layer-7_protocols


The marking of outgoing RTP works, but not the incoming RTP, as the RTP stream comes from another IP...

This QoS is not perfect...


Reply to #17 角色

    No more monkey jumping in the bed, I mean the white-list method DOES give better protection to my asterisk server. However, it has one main drawback, i.e., all users must be in the white list.
RB750G, RB2011UAS-2HnD
IP01, A580IP, AT-610


Reply to #19 角色

    It works with hostnames too. However, it needs a frequently (typ. every 10 min.) running script to resolve the hostnames.
The white list starts with the "host_" string and the hostnames are "hidden" within the comments.
See https://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules

Be aware of the Caveat too.
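The wiki script the thread relies on calls `:resolve`, which returns a single address and aborts the script with an error when a lookup fails, so a SIP provider that answers with several A records is only partly whitelisted and one dead DNS name leaves every later entry stale. The following is an added example, not code from the thread or from the MikroTik wiki: a Python generator meant as an off-router replacement for the scheduled resolvehostnames script. It resolves every A record of each name into its own host_allowedlist entry (the name stays in the comment, as on the wiki) and emits nothing for a name that fails to resolve, so that provider's previous entries survive instead of being blanked. The hostnames, addresses and fake resolver are constructed so it runs offline; with the real `resolve_all` you would run it from cron on the 10-minute cadence the post mentions and push the commands to the router over SSH, which is an assumed deployment, not something the thread describes.

```python
import socket


def resolve_all(hostname):
    """All IPv4 addresses behind a name via the system resolver (needs network access)."""
    return sorted(set(socket.gethostbyname_ex(hostname)[2]))


def build_host_entries(hostnames, list_name="host_allowedlist", resolver=resolve_all):
    """Return (commands, failures).

    commands: RouterOS lines that first remove the old entries for a name and
              then add one entry per resolved address, keeping the name in the
              comment as the wiki script does.
    failures: names that could not be resolved; no commands are emitted for
              them, so their existing entries stay in place.
    """
    commands, failures = [], {}
    for name in hostnames:
        try:
            addrs = resolver(name)
        except OSError as exc:          # socket.gaierror is a subclass of OSError
            failures[name] = str(exc)
            continue
        if not addrs:
            failures[name] = "no A records"
            continue
        commands.append(
            f'/ip firewall address-list remove [find list={list_name} comment="{name}"]'
        )
        for addr in addrs:
            commands.append(
                f"/ip firewall address-list add list={list_name} "
                f'address={addr} comment="{name}"'
            )
    return commands, failures


# Constructed name -> address table standing in for DNS (documentation ranges,
# not real provider addresses); a provider with two servers and one dyndns client.
FAKE_DNS = {
    "sip.provider-a.example": ["203.0.113.11", "203.0.113.10"],
    "client1.dyndns.example": ["198.51.100.4"],
}


def fake_resolver(name):
    """Offline stand-in for resolve_all with the same contract."""
    if name not in FAKE_DNS:
        raise socket.gaierror(f"[Errno -2] Name or service not known: {name}")
    return sorted(FAKE_DNS[name])


def demo():
    """Resolve two good names and one that does not exist."""
    return build_host_entries(
        ["sip.provider-a.example", "client1.dyndns.example", "nx.example"],
        resolver=fake_resolver,
    )


if __name__ == "__main__":
    cmds, bad = demo()
    print("\n".join(cmds))
    for name, why in bad.items():
        print(f"# skipped {name}: {why}")
```

Because the remove and add for one name are emitted together, a provider that changes address is swapped atomically from the router's point of view on each run, and a provider whose DNS is down keeps its last known addresses in the list rather than dropping out of the allowedsip chain.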

