+1 vote
by
I don't understand what's wrong: the subnet is blocked in iptables, yet INVITEs and REGISTER requests still reach Asterisk.

iptables -L -n -v
Chain INPUT (policy ACCEPT 339 packets, 27808 bytes)
 pkts bytes target            prot opt in  out source           destination
   13  5871 f2b-asterisk-udp  udp  --  *   *   0.0.0.0/0        0.0.0.0/0    multiport dports 5060,5061
    0     0 f2b-asterisk-tcp  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    multiport dports 5060,5061
  322 20348 f2b-sshd          tcp  --  *   *   0.0.0.0/0
    0     0 DROP              all  --  *   *   185.108.0.0/16
    0     0 DROP              all  --  *   *   167.114.0.0/16   0.0.0.0/0

Chain f2b-asterisk-tcp (1 references)
 pkts bytes target            prot opt in  out source           destination
    0     0 REJECT            all  --  *   *   185.108.106.250  0.0.0.0/0    reject-with icmp-port-unreachable
    0     0 RETURN            all  --  *   *   0.0.0.0/0        0.0.0.0/0

Chain f2b-asterisk-udp (1 references)
 pkts bytes target            prot opt in  out source           destination
    2   745 REJECT            all  --  *   *   185.108.106.250  0.0.0.0/0    reject-with icmp-port-unreachable
   11  5126 RETURN            all  --  *   *   0.0.0.0/0        0.0.0.0/0
sngrep
 Idx Method     SIP From         SIP To                          Msgs  Source                  Destination
 [ ] 14 REGISTER   9774@ip_astera   9774@ip_astera                    1  185.108.106.250:56924   ip_astera:5060
 [ ] 15 REGISTER   8226@ip_astera   8226@ip_astera                    1  185.108.106.250:51935   ip_astera:5060
 [ ] 16 SUBSCRIBE  101@ip_astera    101@ip_astera                     2  ip_office:5060          ip_astera:5060
 [ ] 17 INVITE     8401@ip_astera   000441902933818@51.38.131        12  167.114.17.187:51076    ip_astera:5060

CentOS, kernel 3.10.0-1062.12.1.el7.x86_64 GNU/Linux. What am I doing wrong? Where should I dig?

3 Answers

0 votes
by
 
Best answer
Chain INPUT (policy ACCEPT 339 packets, 27808 bytes)

ACCEPT: your default policy is "allow".

That is bad practice; it is more correct to do the opposite: deny everything and allow only specific networks.
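The default-deny layout this answer recommends, written out as an added example (it is not code from the thread or from the Asterisk project): `gen_rules` emits an INPUT chain in iptables-restore format that drops by policy and only opens SSH to an admin address and SIP/RTP to a trusted network. The admin address 1.2.3.4 (the one the asker later uses) and the network 203.0.113.0/24 are assumed placeholders, and the RTP range 10000-20000 is Asterisk's default and should match your rtp.conf. `matched_rules` is a small check on the `pkts` column of `iptables -L -n -v`, the output format shown in the question, so you can see which rules are actually firing.

```shell
# Added example, not from the original thread. Default-deny INPUT policy for
# a host running Asterisk, emitted in iptables-restore format.
#   usage: gen_rules ADMIN_IP SIP_NET | iptables-restore
# ADMIN_IP (1.2.3.4) and SIP_NET (203.0.113.0/24) are placeholders to replace.
gen_rules() {
  admin_ip="$1"   # address you administer the box from (SSH)
  sip_net="$2"    # network your phones / trunk provider send SIP from
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management: SSH only from the admin address
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
# SIP signalling only from the trusted network; everyone else hits the DROP policy
-A INPUT -p udp -s ${sip_net} -m multiport --dports 5060,5061 -j ACCEPT
-A INPUT -p tcp -s ${sip_net} -m multiport --dports 5060,5061 -j ACCEPT
# RTP media (Asterisk default range, assumed; check rtp.conf) from the trusted network
-A INPUT -p udp -s ${sip_net} --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

# Read `iptables -L -n -v` output on stdin and print "pkts target source" for
# every INPUT rule whose packet counter is non-zero, i.e. every rule that has
# actually matched traffic. Rules in other chains are ignored.
matched_rules() {
  awk '/^Chain /{chain=$2}
       /^ *[0-9]+ +[0-9]+ +/ && chain=="INPUT" && $1>0 {print $1, $3, $8}'
}
```

Two things worth reading off the counters in the question before changing anything. First, the `REJECT` for 185.108.106.250 inside `f2b-asterisk-udp` has already matched 2 packets, while the `DROP` for 185.108.0.0/16 further down INPUT shows 0 only because the fail2ban chain is evaluated first and never returns those packets; the firewall is doing what it was told. Second, sngrep captures with libpcap directly on the interface, before the netfilter INPUT chain has made any decision, so it will happily list a REGISTER or INVITE that iptables then drops or rejects. The `pkts` column, not sngrep, is the check that tells you whether a rule works.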
0 votes
by
Is Asterisk on the same host?
by
Yes, everything is done from ip_astera.
+1 vote
by
Maybe the connections are already hanging open. They may even be on the router.
by
lexx633, that means the firewall is working; it is strange that the INVITEs get through. Maybe the router needs to be restarted. In theory that shouldn't help, but it makes sure all sessions are torn down.
by
Alexander Semenenko, no, only from the allowed ones.
by
Can it be pinged from another IP with these rules?
by
I restarted the server, stopped f2b, and added just one rule and one policy from scratch:
-A INPUT -s 1.2.3.4 -j ACCEPT    (the IP I connect to the server from)
-P INPUT DROP
And even so, the INVITEs get through.
How can that be?
...