Page 1 of 1

Deny/Allow Host Access

Posted: 2017/12/21 01:04:39
by wotexbpo
Hello All.

I am a newbie and have little to no knowledge about CentOS. I have a dedicated server with CentOS 6 installed. I have installed a VoIP application in the server. Now, my goal is to deny access to public and only allow access to certain IP's.

How i can make this happen. any help would be appreciated.


Thanks in Advance!

Re: Deny/Allow Host Access

Posted: 2018/01/13 01:58:36
by Chirpychirps77
Hi,

Quick and dirty would be to ensure tcpwrappers is installed, then set up your /etc/hosts.allow and /etc/hosts.deny files.

If you need further guidance, let me know and I'll elaborate when I'm at a system.

Re: Deny/Allow Host Access

Posted: 2018/01/13 10:51:44
by TrevorH
You'll need to add iptables rules to allow the relevant ports. Usually it's only required to open UDP port 5060 (assuming you use the standard SIP port) and also load nf_conntrack_sip. So add a rule to your existing ones like this (but amend the xx to the line number in your existing rules where you want the new rule to go). It should go after the existing rule that you should have that allows RELATED,ESTABLISHED connections as that handles all the other ports that SIP will need.

Code: Select all

iptables -I INPUT xx -p udp -s 1.2.3.0/24 -m state --state NEW -m udp --dport 5060 -j ACCEPT
If you have more than one ip address/subnet to allow then you'll need to add more rules for each one. If there are lots of them then it may be easier to maintain and more efficient to use an ipset instead - post back if you need to know how.

Also edit /etc/sysconfig/iptables-config and add nf_conntrack_sip to the IPTABLES_MODULES="" line so that it's loaded when iptables starts up. For testing you can just run modprobe nf_conntrack_sip.

If you use a non-standard SIP port other than 5060 then you'll need to change the rule you add to allow the correct port and also tell nf_conntrack_sip about it by passing it the "ports=" parameter. The easy way to do this automatically is to create a file called say /etc/modprobe.d/nf_conntrack_sip.conf containing something like

Code: Select all

options nf_conntrack_sip ports=5070,5080