From 83db4ba8862f67fbdfc8ca4ea27e1a456396b5ba Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Fri, 26 Mar 2021 18:55:20 +0100
Subject: [PATCH] nodes/home.nas: add firewalling for yate sip server

---
 nodes/home/nas.py | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/nodes/home/nas.py b/nodes/home/nas.py
index 1b8f403..73979ff 100644
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@@ -52,10 +52,34 @@ nodes['home.nas'] = {
 'custom_rules': [
 # Dell ULNM
 'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
- # mosquitto
- 'iptables_both -A INPUT -p tcp --dport 1883 -j ACCEPT',
- 'iptables_both -A INPUT -p tcp --dport 8083 -j ACCEPT',
 ],
+ 'port_rules': {
+ '1883': { # mosquitto
+ '172.19.136.0/25', # wireguard clients, because remote access
+ '172.19.138.0/24',
+ },
+ '5060': { # yate SIP
+ 'home.snom-wohnzimmer',
+ 'home.bubble01',
+ },
+ '5061': { # yate SIPS
+ 'home.snom-wohnzimmer',
+ 'home.bubble01',
+ },
+ '8083': { # mosquitto Websocket
+ '172.19.138.0/24',
+ },
+ # yate RTP uses some random UDP port. We cannot firewall
+ # it, because for incoming calls the other side decides
+ # which port to use. That's why we simply allow all UDP
+ # traffic from our SIP clients. It's fine to do so, because
+ # all sip clients are known to bundlewrap, so we won't have
+ # to deal with randomly changing IPs here.
+ '*/udp': {
+ 'home.snom-wohnzimmer',
+ 'home.bubble01',
+ },
+ },
 },
 'nfs-server': {
 'shares': {
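Review bot: The `'*/udp'` entry opens every UDP port on the host to the two SIP clients, and the comment justifying it is not quite right: the local port that receives inbound RTP is chosen by yate itself and advertised in the SDP it sends, not by the remote side, so it is bounded by yate's own RTP port range (yrtpchan.conf's minport/maxport, if I recall the option names correctly) and could be narrowed to that range if the bundle's `port_rules` syntax accepts one. If the wildcard is kept on purpose, the comment should say that the trade-off is accepted because a compromised phone would otherwise gain access to all UDP services on the NAS, e.g. `# Deliberately broad: a compromised SIP client reaches every UDP service here; narrow to yate's RTP range if possible.`. The replaced `iptables_both` lines also accepted IPv6 for 1883/8083, while the new `port_rules` sources are IPv4-only, so any IPv6 MQTT client would now be dropped — worth confirming that none exists. The enclosing `nodes['home.nas']` dict starts before and ends after the hunk.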