[OpenSIPS-Users] pike & exec & iptables

Liviu Chircu liviu at opensips.org
Wed May 23 02:34:29 EDT 2018 

Hi Alexey,

You can extend the shell command with source IP listing/matching logic 
within iptables. For example:

/usr/bin/sudo iptables -t filter -S INPUT | grep -q $si || (/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; })

If the shell syntax gets too complex and the OpenSIPS script cannot handle it anymore, you should make a wrapper .sh around all the logic, and only feed it parameters.

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 23.05.2018 08:55, Alexey K. via Users wrote:
> Hi all.
>
> I use module pike.so and exec.so to automatically add flooding IP addresses to firewall rejecting rules.
> The code is as follows:
>
> pike_check_req();
>      switch($retcode) {
>          case -2:    # detected once - simply drop the request
>              exit;
>          case -1:    # detected again - ban the IP and drop request
>              exec("/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -
> j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; }");
>                          exit;
>      }
>
>
> Everything works fine, except that sometimes there are too much iptables entries  are generated, which are the same:
>
> root at deb-node-2:~# iptables -L INPUT -vn --line-numbers
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> 2        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> 3        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> ... ... ...
> 87       0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
>
>
> So I'm trying to understand what is the best way to generate only one iptables rule.
> Is it possible to do with opensips, or the only way is to run some script which will look if there is already an iptables denying rule,
> and if it's true, not to add one more rule.
>
> -----------------------------------------------
> BR, Alexey
> http://alexeyka.zantsev.com/
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

More information about the Users mailing list