Thanks Lonnie.

Actually now that I think about it, is there any reason why the custom rule 
could not parse sip.conf for host=<IP Address> and open up all Public IPs?
It would mean that you would need to restart the firewall every time you 
modified sip.conf but I'm sure we could build this into our portal very simply.

Regards
Michael Knill

On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Hi Michael,

    With 300 rules and the same across all your boxes, I would use 
/mnt/kd/arno-iptables-firewall/custom-rules to define these.

    Very similar to the deny_ext_local() example I posted recently, but the 
reverse ... pass_ext_local() using -j ACCEPT

    Without testing, something like ...
    --
    pass_ext_local()
    {
      local proto="$1" host="$2" port="$3"

      echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
      iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
    }
    ## uncomment to enable ##
    #pass_ext_local udp 1.2.3.4 5060
    #pass_ext_local tcp 1.2.3.0/24 5061
    --

    If you only use udp/5060, you could simplify things, maybe only one "echo" 
statement and a variable defining all 300 IPs.  Generic shell scripting.

    Again untested ...
    --
    pass_ext_local_udp_sip()
    {
      local host proto="udp" port="5060" IFS
      local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"

      echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
      unset IFS
      for host in $sip_hosts; do
        iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
      done
    }
    pass_ext_local_udp_sip
    --

    Alternatively, you could define the sip_hosts variable with a file if 
desired.

    Lonnie





    > On Sep 26, 2021, at 5:32 PM, Michael Knill 
<michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Hi Group
    >  
    > I'm looking to have a large number of firewall entries in Astlinux e.g. 
300. They would be all the same e.g. I want to open port 5060 from multiple 
sites.
    > Is there an easier/neater way to do this other than lots of firewall 
entries in the Firewall Tab?
    >  
    > Regards
    >  
    > Michael Knill
    > Managing Director
    >  
    > D: +61 2 6189 1360
    > P: +61 2 6140 4656
    > E: michael.kn...@ipcsolutions.com.au
    > W: ipcsolutions.com.au
    >  
    > Smarter Business Communications
    >  
    > _______________________________________________
    > Astlinux-users mailing list
    > Astlinux-users@lists.sourceforge.net
    > https://lists.sourceforge.net/lists/listinfo/astlinux-users
    > 
    > Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.


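Added example, not code from the thread's authors or the AstLinux project: a custom-rules function in the style of Lonnie's pass_ext_local_udp_sip() that takes its host list from the static host= lines of sip.conf, as Michael proposes, instead of a hand-kept variable. It assumes the sip.conf path is passed as an argument, that the IPTABLES variable may be overridden (IPTABLES=echo) for a dry run, and that the function names and the sample configuration are mine; EXT_INPUT_CHAIN is the chain used in the thread.

```shell
#!/bin/sh
# Added example, not from the AstLinux project or the thread's authors.
# Builds the EXT->Local UDP/5060 ACCEPT rules from the static host= lines
# in sip.conf instead of a hand-kept list. Assumptions: EXT_INPUT_CHAIN as
# used in the thread; IPTABLES may be overridden (IPTABLES=echo) to dry-run.

IPTABLES="${IPTABLES:-iptables}"

# Print the unique static host values of a sip.conf, one per line.
# Strips leading "host=", trailing ";" comments and whitespace, then keeps
# only IPv4 addresses or CIDRs, so host=dynamic, hostnames or a typo can
# never turn into an overly broad -s argument.
sip_conf_hosts() {
  sed -n 's/^[[:space:]]*host[[:space:]]*=[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | LC_ALL=C sort -u
}

# One ACCEPT rule per static SIP host; fails (adds nothing) if none found.
pass_ext_local_sip_conf() {
  local conf="$1" host proto="udp" port="5060" n=0 IFS
  unset IFS
  for host in $(sip_conf_hosts "$conf"); do
    echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
    "$IPTABLES" -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
    n=$((n + 1))
  done
  [ "$n" -gt 0 ]
}

# Constructed sample sip.conf (not a real configuration), written to "$1".
write_sample_sip_conf() {
  cat > "$1" <<'EOF'
[general]
host=dynamic
[site1]
type=peer
host=1.2.3.4   ; head office
[site2]
host = 1.22.33.0/24
[site3]
host=1.2.3.4
[broken]
host=1.2.3.4.5
EOF
}

# Dry run against the sample: IPTABLES=echo sh this_script.sh
if [ "$IPTABLES" = "echo" ]; then
  tmp=$(mktemp) && write_sample_sip_conf "$tmp" && pass_ext_local_sip_conf "$tmp"; rm -f "$tmp"
fi
```

The sip.conf location on the box is not stated in the thread, so pass whatever path your install uses; the firewall still has to be restarted after sip.conf changes, as Michael notes.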
