forked from extern/docker
SIP port access for allowlist only
This commit is contained in:
parent
7f375832e8
commit
38dbfa8528
@ -32,6 +32,8 @@ services:
|
|||||||
environment:
|
environment:
|
||||||
DOMAIN: ${DOMAIN}
|
DOMAIN: ${DOMAIN}
|
||||||
EXTERNAL_IP: ${EXTERNAL_IP}
|
EXTERNAL_IP: ${EXTERNAL_IP}
|
||||||
|
SIP_IP_ALLOWLIST: ${SIP_IP_ALLOWLIST}
|
||||||
|
NETWORK_INTERFACE: ${NETWORK_INTERFACE:-}
|
||||||
volumes:
|
volumes:
|
||||||
- ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
|
- ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
|
||||||
- ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
|
- ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker
|
||||||
|
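Review bot: The new `SIP_IP_ALLOWLIST` and `NETWORK_INTERFACE` variables only take effect through iptables calls inside the container, which require the NET_ADMIN capability, and nothing in this hunk adds `cap_add` for the service; I cannot see from here whether the service already declares it elsewhere in the file, but without it the rules are never installed. `NETWORK_INTERFACE` is defaulted to empty via `${NETWORK_INTERFACE:-}` and the entrypoint passes that value straight to `iptables -i`, so the default is effectively an invalid configuration rather than a working one. A short comment next to the variable would help operators, e.g. `# host interface the SIP block/allow rules are attached to (must be set)`.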
@ -49,7 +49,8 @@ RUN apt-get update && apt-get install -y \
|
|||||||
freeswitch-mod-spandsp \
|
freeswitch-mod-spandsp \
|
||||||
freeswitch-mod-tone-stream \
|
freeswitch-mod-tone-stream \
|
||||||
freeswitch-mod-verto \
|
freeswitch-mod-verto \
|
||||||
freeswitch-sounds-en-us-callie
|
freeswitch-sounds-en-us-callie \
|
||||||
|
iptables
|
||||||
|
|
||||||
# Potentially missing
|
# Potentially missing
|
||||||
# (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064)
|
# (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064)
|
||||||
|
@ -1,5 +1,20 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
# remove all SIP (port 5060) iptable rules
|
||||||
|
iptables -S INPUT | grep "\-\-dport 5060 " | cut -d " " -f 2- | xargs -rL1 iptables -D
|
||||||
|
|
||||||
|
# block requests to 5060 (tcp/udp)
|
||||||
|
iptables -A INPUT -i "$NETWORK_INTERFACE" -p tcp --dport 5060 -s 0.0.0.0/0 -j REJECT
|
||||||
|
iptables -A INPUT -i "$NETWORK_INTERFACE" -p udp --dport 5060 -s 0.0.0.0/0 -j REJECT
|
||||||
|
|
||||||
|
# allow some IPs
|
||||||
|
IFS=',' read -ra ADDR <<< "$SIP_IP_ALLOWLIST"
|
||||||
|
for IP in "${ADDR[@]}"; do
|
||||||
|
# process "$i"
|
||||||
|
echo "allow port 5060/udp for $IP"
|
||||||
|
iptables -I INPUT -p udp --dport 5060 -s $IP -j ACCEPT
|
||||||
|
done
|
||||||
|
|
||||||
dockerize \
|
dockerize \
|
||||||
-template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
|
-template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
|
||||||
/usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
|
/usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
|
||||||
|
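Review bot: The allow loop's `iptables -I INPUT -p udp --dport 5060 -s $IP -j ACCEPT` expands `$IP` unquoted and never skips empty or whitespace-padded entries, so a list such as `1.2.3.4, 5.6.7.8` or a trailing comma yields a malformed call, and since the script has no `set -e` and checks no exit status, every failed `iptables` call (including the two REJECT rules, which fail when the container lacks CAP_NET_ADMIN) is silently ignored and `freeswitch` still starts with 5060 reachable — the block fails open. The REJECT rules are restricted to `-i "$NETWORK_INTERFACE"` (defaulted to empty in the compose hunk) while the ACCEPT rules match any interface; whether iptables accepts an empty interface name I cannot tell from here, but both rule sets should use the same interface match. The ACCEPT rules cover udp only although tcp is rejected too — if that is intended, the comment `# block requests to 5060 (tcp/udp)` should state that allowlisted hosts get udp only, and the leftover `# process "$i"` comment refers to a variable that does not exist. The rewrite below quotes the address, drops empty entries and exits on any failed rule so the daemon never starts with an unfiltered port.
```shell
# … unchanged: removal of existing 5060 rules …
# block requests to 5060 (tcp/udp); abort rather than start with an open port
iptables -A INPUT -i "$NETWORK_INTERFACE" -p tcp --dport 5060 -s 0.0.0.0/0 -j REJECT || exit 1
iptables -A INPUT -i "$NETWORK_INTERFACE" -p udp --dport 5060 -s 0.0.0.0/0 -j REJECT || exit 1

# allow some IPs (comma separated, udp only)
IFS=',' read -ra ADDR <<< "$SIP_IP_ALLOWLIST"
for IP in "${ADDR[@]}"; do
  IP="${IP//[[:space:]]/}"
  [ -n "$IP" ] || continue
  echo "allow port 5060/udp for $IP"
  iptables -I INPUT -i "$NETWORK_INTERFACE" -p udp --dport 5060 -s "$IP" -j ACCEPT \
    || { echo "cannot add allow rule for $IP" >&2; exit 1; }
done
# … unchanged: dockerize / freeswitch start …
```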
@ -47,6 +47,12 @@ STUN_PORT=3478
|
|||||||
#TURN_SERVER=turns:turn.example.com:443?transport=tcp
|
#TURN_SERVER=turns:turn.example.com:443?transport=tcp
|
||||||
#TURN_SECRET=
|
#TURN_SECRET=
|
||||||
|
|
||||||
|
# Allowed SIP IPs
|
||||||
|
# due to high traffic caused by bots, by default the SIP port is blocked.
|
||||||
|
# but you can allow access by your providers IP or IP ranges (comma seperated)
|
||||||
|
# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
|
||||||
|
SIP_IP_ALLOWLIST=
|
||||||
|
|
||||||
|
|
||||||
# ====================================
|
# ====================================
|
||||||
# CUSTOMIZATION
|
# CUSTOMIZATION
|
||||||
|