SIP port access for allowlist only

chandi 2020-06-23 00:21:24 +02:00 committed by chandi
parent 7f375832e8
commit 38dbfa8528
4 changed files with 25 additions and 1 deletions


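--- a/<compose file, path not shown on page>
+++ b/<compose file, path not shown on page>
@@ -32,6 +32,8 @@ services:
 environment:
 DOMAIN: ${DOMAIN}
 EXTERNAL_IP: ${EXTERNAL_IP}
+SIP_IP_ALLOWLIST: ${SIP_IP_ALLOWLIST}
+NETWORK_INTERFACE: ${NETWORK_INTERFACE:-}
 volumes:
 - ./conf/sip_profiles:/etc/freeswitch/sip_profiles/external
 - ./conf/dialplan_public:/etc/freeswitch/dialplan/public_docker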
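Review bot: `SIP_IP_ALLOWLIST: ${SIP_IP_ALLOWLIST}` has no default while the line below uses `${NETWORK_INTERFACE:-}`; compose substitutes an empty string for an unset variable either way, but the first form prints a warning on every `docker-compose` invocation, so `${SIP_IP_ALLOWLIST:-}` would be consistent and quieter. The iptables calls the entrypoint now makes also need the container to hold CAP_NET_ADMIN; if this service is not already granted it elsewhere in the file, it will need `cap_add: [NET_ADMIN]` (or equivalent) next to this environment block.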


@ -49,7 +49,8 @@ RUN apt-get update && apt-get install -y \
freeswitch-mod-spandsp \ freeswitch-mod-spandsp \
freeswitch-mod-tone-stream \ freeswitch-mod-tone-stream \
freeswitch-mod-verto \ freeswitch-mod-verto \
freeswitch-sounds-en-us-callie freeswitch-sounds-en-us-callie \
iptables
# Potentially missing # Potentially missing
# (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064) # (included in bbb-freeswitch-core but not referenced in https://github.com/bigbluebutton/bigbluebutton/issues/9064)


@ -1,5 +1,20 @@
#!/bin/bash #!/bin/bash
# remove all SIP (port 5060) iptable rules
iptables -S INPUT | grep "\-\-dport 5060 " | cut -d " " -f 2- | xargs -rL1 iptables -D
# block requests to 5060 (tcp/udp)
iptables -A INPUT -i "$NETWORK_INTERFACE" -p tcp --dport 5060 -s 0.0.0.0/0 -j REJECT
iptables -A INPUT -i "$NETWORK_INTERFACE" -p udp --dport 5060 -s 0.0.0.0/0 -j REJECT
# allow some IPs
IFS=',' read -ra ADDR <<< "$SIP_IP_ALLOWLIST"
for IP in "${ADDR[@]}"; do
# process "$i"
echo "allow port 5060/udp for $IP"
iptables -I INPUT -p udp --dport 5060 -s $IP -j ACCEPT
done
dockerize \ dockerize \
-template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \ -template /etc/freeswitch/vars.xml.tmpl:/etc/freeswitch/vars.xml \
/usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf /usr/bin/freeswitch -u freeswitch -g daemon -nonat -nf
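Review bot: The allowlist loop only opens UDP (`iptables -I INPUT -p udp --dport 5060 -s $IP -j ACCEPT`) while the two REJECT rules above it block both TCP and UDP, so an allowlisted provider that signals over SIP/TCP is still rejected; either add a matching `iptables -I INPUT -p tcp --dport 5060 -s "$IP" -j ACCEPT` in the loop or document that only UDP is opened. `$IP` should be quoted (`-s "$IP"`), and the leftover `# process "$i"` comment refers to a variable that does not exist. The REJECT rules are bound to `-i "$NETWORK_INTERFACE"`, which the compose hunk defaults to an empty string; iptables will presumably refuse `-i ""`, and since the script does not use `set -e` the failure is ignored and freeswitch starts with the port unblocked, so a guard such as `: "${NETWORK_INTERFACE:?must be set}"` (or omitting `-i` when it is empty) is worth adding. Note also that the cleanup line deletes every rule matching `--dport 5060`, including the ACCEPT rules, which makes the script idempotent on restart but would also remove any operator-added 5060 rules.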


@ -47,6 +47,12 @@ STUN_PORT=3478
#TURN_SERVER=turns:turn.example.com:443?transport=tcp #TURN_SERVER=turns:turn.example.com:443?transport=tcp
#TURN_SECRET= #TURN_SECRET=
# Allowed SIP IPs
# due to high traffic caused by bots, by default the SIP port is blocked.
# but you can allow access by your providers IP or IP ranges (comma seperated)
# Hint: if you want to allow requests from every IP, you can use 0.0.0.0/0
SIP_IP_ALLOWLIST=
# ==================================== # ====================================
# CUSTOMIZATION # CUSTOMIZATION
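Review bot: The new comment block has two wording errors, `seperated` → `separated` and `your providers IP` → `your provider's IP`, and it should state the accepted format, since the entrypoint splits the value on `,` only and passes each item straight to `iptables -s` (so each entry must be a single IPv4 address or CIDR range). It would also help to say that only UDP/5060 is opened for the listed addresses, which is what the entrypoint currently does. Unless `NETWORK_INTERFACE` is already defined elsewhere in this file, the sample should gain an entry for it as well, because the entrypoint's REJECT rules depend on it and the compose file defaults it to empty.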