iptables to hide a port
Hello all!
I am running a VoIP server on port 5060. I want to hide this from all the robots scanning the net permanently - I know this is not enough security - it is just to prevent them from wasting my bandwidth testing all usernames until fail2ban stops them!
I'd like to have port 5060 accepting requests only from 'trusted' hosts, while others (clients with dynamic IPs) use port 5065 - thus, port 5060 will only appear open to some trusted partners and the bots will skip to something else.
I have set up the iptables rules successfully to accept only trusted hosts.
-A RH-Firewall-1-INPUT -s 93.x.y.z -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 5060 -j DROP
I've added a PREROUTING NAT rule that changes the port from 5065 to 5060 for the others - but then this gets caught in the INPUT rule as port 5060:
-A PREROUTING -p udp -m udp --dport 5065 -j DNAT --to-destination 192.168.1.1:5060
This works so well that the packets coming on port 5065 are translated to port 5060 and get caught in the DROP rule...
Any suggestions as to how I could achieve this?
OK... I was struggling because I was editing the tables "live", and some packets were going through the RELATED rule... editing the config file and restarting the service helped a lot...
What did I do...
1/ create a mangle / prerouting rule that sets a mark to 0x1 for all packets on port 5065 (my hidden public port)
2/ create a nat / prerouting rule to redirect traffic received on *:5070 to myhost:5060
3/ add filter rule:
- accept from known, explicitly defined host on port 5060
- accept packets with mark 0x1
- drop the rest
and this works great... so the robots won't find me easily!
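The three-table setup from the reply above, written out as an added example (not the poster's own rules): the mark set in mangle/PREROUTING stays attached to the packet through nat/PREROUTING, so filter/INPUT can tell the NATed 5065 traffic apart from direct hits on 5060. It assumes 5065 as the public decoy port throughout, the thread's 192.168.1.1 as the server address, a constructed placeholder 203.0.113.10 for the trusted peer, and the plain INPUT chain rather than the Red Hat RH-Firewall-1-INPUT chain; it prints the rules by default and only applies them (as root) with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: mark-then-DNAT so the hidden port reaches the SIP service
# while unmarked scans of the real port are dropped.
DRY_RUN="${DRY_RUN:-1}"        # 1 = print rules only, 0 = run iptables
SIP_PORT=5060                  # real SIP port (from the thread)
HIDDEN_PORT=5065               # public port for dynamic-IP clients
SERVER_IP=192.168.1.1          # DNAT target (from the thread)
TRUSTED_HOST=203.0.113.10      # placeholder; replace with the real trusted peer
MARK=0x1

# Run or echo an iptables command depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

sip_rules() {
    # 1) mangle/PREROUTING is evaluated first: tag packets arriving on the
    #    hidden port. The mark lives in the kernel's packet metadata, so the
    #    later port rewrite does not remove it.
    ipt -t mangle -A PREROUTING -p udp --dport "$HIDDEN_PORT" \
        -j MARK --set-mark "$MARK"
    # 2) nat/PREROUTING runs next: rewrite the destination to the real port.
    ipt -t nat -A PREROUTING -p udp --dport "$HIDDEN_PORT" \
        -j DNAT --to-destination "$SERVER_IP:$SIP_PORT"
    # 3) filter/INPUT now sees dport 5060 for both paths. Replies and
    #    follow-up packets of a known flow are let through by conntrack.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicitly trusted host may open new flows on the real port directly.
    ipt -A INPUT -p udp --dport "$SIP_PORT" -s "$TRUSTED_HOST" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everyone else must have come in through the hidden port (mark set).
    ipt -A INPUT -p udp --dport "$SIP_PORT" -m mark --mark "$MARK" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Unmarked, untrusted probes of the real port are dropped.
    ipt -A INPUT -p udp --dport "$SIP_PORT" -j DROP
}

# Count how many INPUT rules the policy produces (used for sanity checks).
count_input_rules() {
    sip_rules | grep -c -- '-A INPUT '
}
```

Rule order matters: the DROP line must stay after both ACCEPT lines, and reloading from a file (as the reply notes) avoids half-applied states where a flow is already ESTABLISHED under old rules.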