iptables to hide a port

[cerien]

hello all !

I am running a voip server on port 5060. I want to hide this to all the robots scanning the net permanently - I know this is not enough security - it is just to prevent them from wasting by bandwidth testing all usernames until fail2ban stops them !

I'd like to have port 5060 accepting requests only from 'trusted' hosts, while others (client with dynamic ip) use port 5065 - thus, port 5060 will only appear open for some trusted partners and the bots will skip to something else.

I have setup the iptables rules succesfully to accept only trusted hosts.

-A RH-Firewall-1-INPUT -s 93.x.y.z -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 5060 -j DROP

I've added a PREROUTING NAT rule that change the port from 5065 to 5060 for others - but then, this gets caught in the INPUT rule as port 5060
-A PREROUTING -p udp -m udp --dport 5065 -j DNAT --to-destination 192.168.1.1:5060

This works so well that the packets coming on port 5065 are translated to port 5060 and get caught in the DROP rule...


Any suggestions as to how I could achieve this ?

many thanks

j.

[cerien]

ok... I was struggling because I was editing "live" the tables, and some packets were going through the RELATED rule... by editing the config file and restarting the service, it helped a lot...

what did i do...

1/ create a mangle / prerouting rule that sets a mark to 0x1 for all packets on port 5065 (my hidden public port)

2/ create a nat / prerouting rule to redirect traffic received on *:5070 to myhost:5060

3/ add filter rule:
- accept from known, explicitly defined host on port 5060
- accept packets with mark 0x1
drop the rest

and this works great... so the robots wont find me easily !