iptables rule for voip ATA connect to only one IP address

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
student13
DD-WRT User


Joined: 17 Nov 2016
Posts: 91

PostPosted: Tue Jul 06, 2021 6:24    Post subject: iptables rule for voip ATA connect to only one IP address
Hello, how can I force my VoIP ATA to only connect to one IP address, inbound and outbound, using iptables rules?


Thanks.

Equipment:
R7800 Netgear Nighthawk, DD-WRT v3.0-r47000 std (06/28/21)
VoIP ATA: Grandstream
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12969
Location: Texas, USA

PostPosted: Tue Jul 06, 2021 14:16    Post subject:
Make up your mind which firmware you're running on your ER-X.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
student13
DD-WRT User


Joined: 17 Nov 2016
Posts: 91

PostPosted: Tue Jul 06, 2021 18:47    Post subject:
I own both an R7800 Netgear Nighthawk X4S, running DD-WRT v3.0-r47000 std (06/28/21), and an EdgeRouter-X running EdgeOS 2.0.9.

I am grateful for any information on how to do it on any device. Any information on iptables rules, or any firewall rules, on how to make a VoIP device/client connect only to a SIP server and nothing else would be appreciated.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 12969
Location: Texas, USA

PostPosted: Tue Jul 06, 2021 19:41    Post subject:
As I mentioned in your other post, this forum is not for Ubiquiti firmware. I edited your OP to reflect the correct information. I presume you are not wanting the device to phone home and do any automatic firmware upgrades, or risk the possibility of being hacked; is that the premise of this post? Did you bother checking the vendor's website and forums?

http://www.grandstream.com/products/gateways-and-atas/analog-telephone-adaptors

student13
DD-WRT User


Joined: 17 Nov 2016
Posts: 91

PostPosted: Tue Jul 06, 2021 21:49    Post subject:
kernel-panic69 wrote:
As I mentioned in your other post, this forum is not for Ubiquiti firmware. I edited your OP to reflect the correct information.


I’ll include the rev number in future posts, if it helps.



kernel-panic69 wrote:
I presume you are not wanting the device to phone home and do any automatic firmware upgrades or risk possibility of being hacked, is that the premise of this post?


That is the premise. I just want an iptables rule that will block the device from connecting to ANY address except for my ISP’s SIP server.

As for firmware upgrades, I am sophisticated enough to put a "#" in front of the iptables rule to stop it, upgrade, then delete the "#" off said rule to re-engage it. Why am I doing this? The word "security" is very fluid with Grandstream.


kernel-panic69 wrote:
Did you bother checking the vendor's website and forums?
http://www.grandstream.com/products/gateways-and-atas/analog-telephone-adaptors


I don't want to get into the details, but yes, I have posted, and I really did not like what I saw. To summarize my issues:

1. Cannot download the latest firmware, check the sha256/md5/PGP signature, then upload it to the device. It's like the device won't let me upload *anything*, something I take for granted with DD-WRT; on the Grandstream forums people complain about this.

2. They changed the address of the firmware location for auto update. Sort of forgivable.

3. Auto updates don't even use HTTPS; you have to use HTTP. Again, people complain.

4. Finally got an update and sort of verified it through some light shenanigans (I put the direct download path into my browser, then checked the file).

You would think this is over, but it's not!

5. After I upgrade and do what a responsible person does, i.e. shut off telnet/ssh/UPnP as attack vectors, I notice that the device is automatically connecting to some weird Amazon AWS IP on port 3478. My ISP has nothing to do with any STUN server.

6. After much digging I figured out that the engineers were just too idiotic to shut it off, so they made it connect to a dummy STUN server.

7. The engineering ticket said something to the effect of "did you shut off the STUN server?" I never touched that portion of the VoIP firmware and couldn't find out how to stop it. So I figured, screw this, find an iptables rule that will fix this once and for all.

Kernel-Panic69, you seem like a smart guy. Can you suggest an iptables rule that I can stick into DD-WRT commands?
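One way to do what the thread asks on DD-WRT, as an added example that is not from any post in this thread: a script that makes the router forward packets only between the ATA and the SIP server, logging and dropping everything else the ATA tries to reach (the STUN host, update servers). The ATA address, the SIP server address and the `br0` LAN bridge are assumptions; replace them with your own, save the script on the router and call it with `apply` from the Administration -> Commands -> Save Firewall script.

```shell
#!/bin/sh
# Added example (not from the thread): restrict one LAN host (the ATA) so the
# router forwards traffic only between it and a single SIP server. Anything
# else the ATA tries to reach (STUN, vendor update hosts) is logged and dropped.
# ATA_IP, SIP_IP and LAN_IF are assumed values for illustration.
ATA_IP="${ATA_IP:-192.168.1.50}"     # ATA's LAN address (give it a static DHCP lease)
SIP_IP="${SIP_IP:-203.0.113.10}"     # your ISP's SIP server address
LAN_IF="${LAN_IF:-br0}"              # DD-WRT LAN bridge interface

# Emit the iptables commands as text so they can be reviewed before applying.
# A dedicated chain plus delete-then-insert hooks keeps the script idempotent,
# which matters because DD-WRT re-runs the firewall script on WAN reconnects.
# Traffic to the router itself (DHCP, DNS) goes through INPUT and is unaffected.
ata_rules() {
    cat <<EOF
iptables -N ata_only 2>/dev/null
iptables -F ata_only
iptables -A ata_only -s $ATA_IP -d $SIP_IP -j ACCEPT
iptables -A ata_only -s $SIP_IP -d $ATA_IP -j ACCEPT
iptables -A ata_only -m limit --limit 6/min -j LOG --log-prefix "ATA-BLOCK: "
iptables -A ata_only -j DROP
iptables -D FORWARD -i $LAN_IF -s $ATA_IP -j ata_only 2>/dev/null
iptables -D FORWARD -o $LAN_IF -d $ATA_IP -j ata_only 2>/dev/null
iptables -I FORWARD 1 -i $LAN_IF -s $ATA_IP -j ata_only
iptables -I FORWARD 2 -o $LAN_IF -d $ATA_IP -j ata_only
EOF
}

# Sanity check on the generated policy: exactly two ACCEPT rules, one per
# direction between the ATA and the SIP server, and nothing else allowed.
accept_rule_count() {
    ata_rules | grep -c -- '-j ACCEPT'
}

# "sh ata.sh apply" installs the rules (run as root on the router);
# any other invocation just prints them for review.
if [ "${1:-show}" = "apply" ]; then
    ata_rules | sh
else
    ata_rules
fi
```

Blocked attempts show up in the router log with the ATA-BLOCK prefix, which is also how you find out what the ATA was quietly talking to. If calls register but have no audio, the ISP is sending RTP from a media address different from the SIP server; the same log shows which address to allow with a second pair of ACCEPT rules.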