I migrated from iptables to nftables and like the apparent ease with which one can set up and manage a firewall, but I'm afraid I failed somehow. Below a list of the fail2ban input table, which clearly shows a bunch of people is trying to attack my sip server. Fail2ban has identified them and added them to the 'drop' list, but still I see many of those IP addresses in my Asterisk logs:
Code: Select all
table inet filter {
chain output {
type filter hook output priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain input {
type filter hook input priority 0; policy drop;
ct state invalid drop comment "Drop invalid packets"
ct state { established, related } accept comment "Accept all connections related to connections made by us"
iifname "lo" accept comment "Accept loopback"
iifname != "lo" ip daddr 127.0.0.0/8 drop comment "Drop connections to loopback on ipv4 not coming from loopback"
iifname != "lo" ip6 daddr ::1 drop comment "drop connections to loopback on ipv6 not coming from loopback"
ip protocol icmp accept comment "Accept all icmp types on ipv4"
ip6 nexthdr ipv6-icmp accept comment "Accept all icmp types on ipv6"
tcp dport { sip, sip-tls } accept comment "SIP(S) signalling tcp ports (asterisk)"
udp dport { sip, sip-tls } accept comment "SIP(S) signalling udp ports (asterisk)"
counter packets 21345 bytes 2997678 comment "Count dropped packets"
}
}
table inet fail2ban {
set f2b-asterisk-tcp {
type ipv4_addr
elements = { 45.143.220.32, 46.105.112.190,
46.105.113.12, 51.255.73.90,
51.255.73.91, 54.36.109.97,
62.173.139.214, 62.173.147.221,
103.145.12.184, 103.145.12.207,
103.253.42.57, 156.96.62.38,
156.96.117.166, 156.96.117.168,
156.96.128.167, 156.96.156.71,
167.114.17.187, 173.231.57.210,
176.65.12.128, 176.67.80.9,
185.53.88.221, 185.153.180.73,
192.227.132.22 }
}
set f2b-asterisk-udp {
type ipv4_addr
elements = { 45.143.220.32, 46.105.112.190,
46.105.113.12, 51.255.73.90,
51.255.73.91, 54.36.109.97,
62.173.139.214, 62.173.147.221,
103.145.12.184, 103.145.12.207,
103.253.42.57, [color=#800000]156.96.62.38[/color],
156.96.117.166, 156.96.117.168,
156.96.128.167, [color=#800000]156.96.156.71[/color],
167.114.17.187, 173.231.57.210,
176.65.12.128, 176.67.80.9,
185.53.88.221, 185.153.180.73,
192.227.132.22 }
}
chain input {
type filter hook input priority 100; policy accept;
meta l4proto tcp meta nfproto ipv4 ip saddr @f2b-asterisk-udp [color=#0000FF]drop[/color]
meta l4proto tcp meta nfproto ipv4 ip saddr @f2b-asterisk-tcp [color=#0000FF]drop[/color]
}
}
Code: Select all
NOTICE[27842]: Request 'INVITE' from '<sip:505@...>' failed for '[color=#800000]156.96.62.38[/color]:49260' (callid: ...) - No matching endpoint found
NOTICE[27842]: Request 'INVITE' from '<sip:1611@...>' failed for '[color=#800000]156.96.156.71[/color]:57496' (callid: ...) - No matching endpoint found
Thx!