[OpenSIPS-Users] pike & exec & iptables

Alexey K. kurgan-rus at inbox.ru
Wed May 23 03:57:11 EDT 2018


Hi Liviu,
thank you for the advice.
One more way to solve the problem (though I haven't tested it yet) is to use (on Linux) the 'ipset' utility, adding the flooding IP addresses to a set with the '-exist' and 'timeout' options.
http://ipset.netfilter.org/ipset.man.html
--
Sent from Mail.Ru for Android. Wednesday, 23 May 2018, 11:35 +05:00, from Liviu Chircu  liviu at opensips.org :

>Hi Alexey,
>
>You can extend the shell command with source IP listing/matching logic 
>within iptables. For example:
>
>/usr/bin/sudo iptables -t filter -S INPUT | grep -q $si || (/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; })
>
>If the shell syntax gets too complex and the OpenSIPS script cannot handle it anymore, you should make a wrapper .sh around all the logic, and only feed it parameters.
>
>Best regards,
>
>Liviu Chircu
>OpenSIPS Developer
>http://www.opensips-solutions.com
>
>On 23.05.2018 08:55, Alexey K. via Users wrote:
> Hi all.
>
> I use module pike.so and exec.so to automatically add flooding IP addresses to firewall rejecting rules.
> The code is as follows:
>
> pike_check_req();
> switch($retcode) {
>     case -2:    # detected once - simply drop the request
>         exit;
>     case -1:    # detected again - ban the IP and drop request
>         exec("/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; }");
>         exit;
> }
>
>
> Everything works fine, except that sometimes too many identical iptables entries are generated:
>
> root at deb-node-2:~# iptables -L INPUT -vn --line-numbers
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> 2        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> 3        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
> ... ... ...
> 87       0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
>
>
> So I'm trying to understand the best way to generate only one iptables rule.
> Is it possible to do this with OpenSIPS, or is the only way to run a script which checks whether there is already an iptables denying rule
> and, if so, does not add another one?
>
> -----------------------------------------------
> BR, Alexey
> http://alexeyka.zantsev.com/
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
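A wrapper script of the kind Liviu suggests, built on Alexey's ipset idea, as an added example; it is not code from this thread or from the OpenSIPS project. It assumes ipset and iptables are installed, that the script is installed at a path such as /usr/local/sbin/ban.sh and is the only command the opensips user may run via sudo, and that the set name opensips_ban, the 300-second timeout and the DRY_RUN switch are this example's own choices. With it, the OpenSIPS side reduces to exec("/usr/bin/sudo /usr/local/sbin/ban.sh $si"); in the `case -1:` branch.

```shell
#!/bin/sh
# ban.sh - idempotent, time-limited ban of a flooding SIP source via ipset.
# Added example, not from the thread or the OpenSIPS project. Assumed
# deployment: /usr/local/sbin/ban.sh, invoked from opensips.cfg as
#   exec("/usr/bin/sudo /usr/local/sbin/ban.sh $si");
# with a sudoers entry that allows exactly this script and nothing else.

SET_NAME="${SET_NAME:-opensips_ban}"   # hypothetical set name
BAN_SECONDS="${BAN_SECONDS:-300}"      # same 5-minute ban as the 'at' job
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1 prints commands instead of running them

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_ipv4: accept only a dotted-quad IPv4 address. $si is taken from the
# packet's source socket, but the argument is still validated so that
# nothing except an address can ever be handed to ipset.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ensure_rules: create the set and the single DROP rule that references it.
# Both steps are no-ops when already done (ipset -exist, iptables -C), which
# is what prevents the pile of identical rules seen in the thread.
ensure_rules() {
    run ipset -exist create "$SET_NAME" hash:ip timeout "$BAN_SECONDS"
    run iptables -C INPUT -p udp -m set --match-set "$SET_NAME" src \
            -m comment --comment "blacklisted by OpenSIPS" -j DROP 2>/dev/null \
        || run iptables -I INPUT -p udp -m set --match-set "$SET_NAME" src \
            -m comment --comment "blacklisted by OpenSIPS" -j DROP
}

# ban_ip: add the address, or refresh its expiry if it is already present.
# The kernel removes the entry after BAN_SECONDS, so no 'at' job is needed.
ban_ip() {
    is_ipv4 "$1" || { echo "ban.sh: refusing non-IPv4 argument: '$1'" >&2; return 2; }
    ensure_rules || return 1
    run ipset -exist add "$SET_NAME" "$1" timeout "$BAN_SECONDS"
}

# When invoked with an argument (as OpenSIPS does), ban it.
if [ "$#" -gt 0 ]; then
    ban_ip "$1"
fi
```

Two properties make this safe to call on every pike hit: `ipset -exist add` on an address that is already in the set only resets its timeout, and `iptables -C` is an exact-rule check, so the DROP rule is installed once (grepping `iptables -S` output for `$si`, by contrast, would also match 172.16.0.50 when looking for 172.16.0.5). `DRY_RUN=1 ./ban.sh 192.0.2.7` prints the three commands that would run without needing root. If OpenSIPS also listens on IPv6, a second set created with `family inet6` and a matching ip6tables rule are needed; hash:ip defaults to IPv4.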