nodes/home.nas: add firewalling for yate sip server

2021-03-26 18:55:20 +01:00 · 2021-03-26 18:55:20 +01:00 · 83db4ba886
parent f98720b57b
commit 83db4ba886
1 changed files with 27 additions and 3 deletions
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@ -52,10 +52,34 @@ nodes['home.nas'] = {
            'custom_rules': [
                # Dell ULNM
                'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
-                # mosquitto
-                'iptables_both -A INPUT -p tcp --dport 1883 -j ACCEPT',
-                'iptables_both -A INPUT -p tcp --dport 8083 -j ACCEPT',
            ],
+            'port_rules': {
+                '1883': { # mosquitto
+                    '172.19.136.0/25', # wireguard clients, because remote access
+                    '172.19.138.0/24',
+                },
+                '5060': { # yate SIP
+                    'home.snom-wohnzimmer',
+                    'home.bubble01',
+                },
+                '5061': { # yate SIPS
+                    'home.snom-wohnzimmer',
+                    'home.bubble01',
+                },
+                '8083': { # mosquitto Websocket
+                    '172.19.138.0/24',
+                },
+                # yate RTP uses some random UDP port. We cannot firewall
+                # it, because for incoming calls the other side decides
+                # which port to use. That's why we simply allow all UDP
+                # traffic from our SIP clients. It's fine to do so, because
+                # all sip clients are known to bundlewrap, so we won't have
+                # to deal with randomly changing IPs here.
+                '*/udp': {
+                    'home.snom-wohnzimmer',
+                    'home.bubble01',
+                },
+            },
        },
        'nfs-server': {
            'shares': {