
cofredric
I run an Asterisk server and I would like to lock the ports

tcp 5060
udp 5060, 10000-20000

to my different SIP providers' IP addresses. I do not see any place I can restrict these ports to the source IP.

So the regular SIP attacking starts, with random extension numbers being attacked. I have a fail2ban script that stops them, but I want to restrict it completely.

How do I do this?

I noted a preset SIP part in the firewall, but I did not use it because I felt it only (maybe I am wrong) did ports 5060-5061 in UDP, not TCP, and I was not sure about the RTP for SIP (there was something for RTP, but I was not sure if it was the SIP RTP).

Without this my Asterisk server gets banged on all day and night by folks trying to get in.
Thursday, November 20 2014, 01:37 PM
Responses (6)
  • Accepted Answer

    cofredric
    Thursday, February 19 2015, 08:31 PM
    Nothing seemed to work. At this point I could not connect. I realized I had Egress Firewall with all my ports (not reading that ports added would block, LOL).


    I will retry and post my results.
  • Accepted Answer

    Friday, November 28 2014, 02:08 PM
    You should be able to do more or less what is in your links. You can do "-m string ..." but you must specify an algorithm. You can try the hashlimit.

    You need to be aware of some things.
    INPUT rules are for traffic destined for ClearOS, so if ClearOS were running your SIP software. FORWARD rules are for traffic passing through ClearOS from LAN to WAN or WAN to LAN. This is why the INPUT rules did nothing for you.
    Rule ordering is important. If you look at a firewall listing ("iptables -nvL") then rules in each chain are processed from top to bottom and rule processing stops when the first match is made (apart from a few exceptions such as -j LOG). This is why I inserted the drop rules before the accept rules as the insert command inserts into the top of the table. The first rule in your custom rules gets added at the top then the second gets added at the top so above the first and so on. To add to the bottom use -A instead of -I.

    I do not know KVM set-ups. I have a play VM but it is really noddy, with NAT'd LAN and WAN interfaces rather than bridged.
  • Accepted Answer

    cofredric
    Friday, November 28 2014, 12:35 PM
    My DSL ISP IP range does not get a ton of action, so I am still waiting and have not seen anything yet. I was not sure if I was to use ppp0, but when I looked I was unable to see what my device is. Note I am running this in a hypervisor (KVM).

    I have 4 network ports and am unsure how to get a shell up so I could ipconfig or ip addr show.
    In the IP address section all it showed was ppp0, so that's what I used.

    Since this router allows direct iptables rules, does it support hashlimit? It would be nice to do iptables -A INPUT -m string --string "REGISTER sip:" and have a limit on it.

    I am looking at this for reference:
    https://wiki.freeswitch.org/wiki/QoS

    And this one seems to list a lot of the common scanner names:
    http://ithelpblog.com/voice/prevent-or-deny-sip-dos-attack-sip-scanner-by-iptables-firewall/
  • Accepted Answer

    Friday, November 28 2014, 12:12 PM
    That is why I questioned where the SIP server was. If it is behind ClearOS, change INPUT to FORWARD in your rules. I am not 100% confident here as I can't remember what the port forwarding rules do in the nat table. If it does not work, there is a messier workaround.
  • Accepted Answer

    cofredric
    Friday, November 28 2014, 02:33 AM
    It must not be working. I tried what you said: went to custom firewall and added the rules for the two IP addresses. My VoIP provider is voip.ms; they list their servers separately, they are not doing any SRV DNS stuff and are very open about what server is what, and they have servers all over for less lag.


    I added in the rules in the morning and waited; just got my first hit.

    [2014-11-27 20:59:51] NOTICE[27196] chan_sip.c: Registration from '"100" <sip:100@23.91.135.136:5060>' failed for '37.75.209.87:11537' - Wrong password
    [2014-11-27 20:59:52] NOTICE[27196] chan_sip.c: Registration from '"298" <sip:298@23.91.135.136:5060>' failed for '37.75.209.87:11525' - Wrong password

    Here are the rules I added:


    iptables -I INPUT -i ppp0 -p tcp --dport 5060 -m state --state NEW -j DROP
    iptables -I INPUT -i ppp0 -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP
    iptables -I INPUT -i ppp0 -s 1xx.xxx.xxx.xx1 -p tcp --dport 5060 -j ACCEPT
    iptables -I INPUT -i ppp0 -s 1xx.xxx.xxx.xx1 -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT
    iptables -I INPUT -i ppp0 -s 2xx.xxx.xxx.xx2 -p tcp --dport 5060 -j ACCEPT
    iptables -I INPUT -i ppp0 -s 2xx.xxx.xxx.xx2 -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT


    Technically I do not want anything to get in. Is it because I have rules allowing access to the ports in the port forwarding part?

    It would be nice to have a way to port forward that allows me to restrict to the source in the web interface.
    The only other worry is whether this is NATting properly. It seems to work, but then again it does not seem to be restricted at all.

    So I have disabled the port forwards for 5060 in SIP, UDP and TCP (I made two forwards; I left the RTP ports alone). It seems to work, I guess; I will have to wait to see if anyone can get in. I do not get a lot of action, but I get hit every week at least, so now to wait I guess.
  • Accepted Answer

    Friday, November 21 2014, 12:43 PM
    Unless your SIP provider uses a single address range for his IPs, you are going to need to run multiple rules, one for each IP address or range. Also, is Asterisk running on ClearOS or on a server behind ClearOS? It changes the rules required. If it is running on ClearOS, try:
    iptables -I INPUT -i ethX -p tcp --dport 5060 -m state --state NEW -j DROP
    iptables -I INPUT -i ethX -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP
    iptables -I INPUT -i ethX -s your_sip_provider_IP -p tcp --dport 5060 -j ACCEPT
    iptables -I INPUT -i ethX -s your_sip_provider_IP -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT
    Change ethX to your WAN interface. Repeat the last two rules as often as needed. If your SIP provider uses an address block you can specify it in CIDR form as the source IP. Check the rules at the command line first, then if they work add them to the custom firewall module or /etc/clearos/firewall.d/local. I am not sure you need the "-m state --state NEW" but it won't harm.

    Rule ordering is important, with the block rules going at the top of the list. They get added to iptables in that order so, if you then do an iptables listing, the drop rules will end up below the accept rules.
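The rule set in the reply above, and the INPUT-versus-FORWARD and -I ordering points made in the 02:08 PM reply, generalised to any number of provider addresses as an added example (not code from the thread or from ClearOS): a POSIX sh function that emits the iptables commands in the order the replies describe, so the finished chain has the per-provider ACCEPT rules above the catch-all DROP rules. The function names, the interface names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate the iptables commands that restrict SIP signalling
# (5060) and RTP (10000-20000) to known provider addresses. Use INPUT when
# Asterisk runs on ClearOS itself, FORWARD when it sits on a LAN host behind
# ClearOS (as the replies in the thread explain).
#
# Every rule is inserted at the top with -I, so the DROP rules are emitted
# first and each later ACCEPT insert pushes them further down the chain.
# Usage: sip_lockdown CHAIN WAN_IF PROVIDER_IP_OR_CIDR...
sip_lockdown() {
  chain=$1
  wan=$2
  shift 2
  case "$chain" in
    INPUT|FORWARD) ;;
    *) echo "chain must be INPUT or FORWARD" >&2; return 1 ;;
  esac
  [ $# -ge 1 ] || { echo "at least one provider address required" >&2; return 1; }
  # Catch-all drops go in first (they end up at the bottom of this group).
  echo "iptables -I $chain -i $wan -p tcp --dport 5060 -m state --state NEW -j DROP"
  echo "iptables -I $chain -i $wan -p udp -m multiport --dports 5060,10000:20000 -m state --state NEW -j DROP"
  # One ACCEPT pair per provider address or CIDR block, inserted above the drops.
  for src in "$@"; do
    echo "iptables -I $chain -i $wan -s $src -p tcp --dport 5060 -j ACCEPT"
    echo "iptables -I $chain -i $wan -s $src -p udp -m multiport --dports 5060,10000:20000 -j ACCEPT"
  done
}

# Number of rule lines generated: 2 drops + 2 per provider address.
sip_lockdown_count() {
  sip_lockdown "$@" | wc -l | tr -d ' '
}

# Dry run with constructed documentation addresses; pipe the output to sh
# (as root) to apply, or paste it into the custom firewall module.
sip_lockdown INPUT ppp0 192.0.2.10 198.51.100.0/24
```

Review the emitted commands with "iptables -nvL INPUT" (or FORWARD) afterwards: the ACCEPT lines for each provider should be listed above the two DROP lines.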