Thanks Lonnie

May even add this to my standard build.

Regards
Michael Knill

On 27/9/21, 10:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Michael,

    The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward.

    BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule:
    --
    iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
    --
    That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall.  Though it requires some 'ipset' command knowledge, it is not complex at all.

    Example 'ipset' usage in AstLinux:
    
https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275

    If you only use IPv4 a lot of the example can be simplified.

    Lonnie



    > On Sep 26, 2021, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    > 
    > Thanks Lonnie.
    > 
    > Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host=<IP Address> and open up all Public IPs?
    > It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply.
    > 
    > Regards
    > Michael Knill
    > 
    > On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
    > 
    >    Hi Michael,
    > 
    >    With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.
    > 
    >    Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT
    > 
    >    Without testing, something like ...
    >    --
    >    pass_ext_local()
    >    {
    >      local proto="$1" host="$2" port="$3"
    > 
    >      echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
    >      iptables -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
    >    }
    >    ## uncomment to enable ##
    >    #pass_ext_local udp 1.2.3.4 5060
    >    #pass_ext_local tcp 1.2.3.0/24 5061
    >    --
    > 
    >    If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs.  Generic shell scripting.
    > 
    >    Again untested ...
    >    --
    >    pass_ext_local_udp_sip()
    >    {
    >      local host proto="udp" port="5060" IFS
    >      local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
    > 
    >      echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
    >      unset IFS
    >      for host in $sip_hosts; do
    >        iptables -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
    >      done
    >    }
    >    pass_ext_local_udp_sip
    >    --
    > 
    >    Alternatively, you could define the sip_hosts variable with a file if desired.
    > 
    >    Lonnie
    > 
    > 
    > 
    > 
    > 
    >> On Sep 26, 2021, at 5:32 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
    >> 
    >> Hi Group
    >> 
    >> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
    >> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
    >> 
    >> Regards
    >> 
    >> Michael Knill
    >> Managing Director
    >> 
    >> D: +61 2 6189 1360
    >> P: +61 2 6140 4656
    >> E: michael.kn...@ipcsolutions.com.au
    >> W: ipcsolutions.com.au
    >> 
    >> Smarter Business Communications
    >> 
    >> _______________________________________________
    >> Astlinux-users mailing list
    >> Astlinux-users@lists.sourceforge.net
    >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
    >> 
    >> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.





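The approach the thread converges on (parse sip.conf for host= entries, load the addresses into an ipset, match them with the single EXT_INPUT_CHAIN rule Lonnie quoted) worked through as an added example. This is not code from the thread or from AstLinux; it assumes Asterisk's config lives at /etc/asterisk/sip.conf (a placeholder path), an ipset named udp_sip_hosts, and a constructed sample sip.conf written by the script itself. Only literal IPv4 addresses or CIDR prefixes are accepted from host= lines: host=dynamic, DNS names and commented-out lines are dropped rather than resolved or guessed, so nothing reaches the firewall that was not an explicit address in the config. The set is rebuilt into a scratch set and swapped in, so the live rule never matches against a half-filled set while sip.conf is being reloaded.

```shell
#!/bin/sh
# Added example, not from the AstLinux mailing-list thread or the project.
# Assumptions: sip.conf at /etc/asterisk/sip.conf (placeholder path) and an
# ipset named udp_sip_hosts referenced from custom-rules.

# Write a constructed sample sip.conf (test data, not a real config) to $1.
# It mixes static IPs, a CIDR, a host:port, "dynamic", a DNS name, a
# commented-out host line and a duplicate, to exercise the filter below.
write_sample_sip_conf() {
  cat > "$1" <<'EOF'
[general]
context=default
bindport=5060

[site-a]
type=peer
host=1.2.3.4

[site-b]
type=peer
host = 1.22.33.0/24   ; whole branch range

[site-c]
type=peer
host=198.51.100.7:5062

[remote-user]
type=friend
host=dynamic          ; registers, no fixed address: skipped

[trunk]
type=peer
host=sip.example.net  ; DNS name: skipped rather than resolved

[site-d]
type=peer
host=203.0.113.10
;host=9.9.9.9         ; commented out: skipped

[site-a-backup]
type=peer
host=1.2.3.4          ; duplicate: collapsed
EOF
}

# Print the unique IPv4 addresses / CIDR prefixes found on host= lines of $1.
# sed captures the leading digits/dots/slash of the value (so ":port" is
# dropped); grep then keeps only well-formed IPv4 or IPv4/prefix strings.
extract_sip_hosts() {
  sed -n 's|^[[:space:]]*host[[:space:]]*=[[:space:]]*\([0-9./]*\).*|\1|p' "$1" \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
    | LC_ALL=C sort -u
}

# Emit an "ipset restore" script that rebuilds set $2 (default udp_sip_hosts)
# from sip.conf $1. Entries go into a scratch set which is then swapped in
# atomically. Feed the output to:  ipset restore -exist
build_ipset_restore() {
  local conf="$1" setname="${2:-udp_sip_hosts}" tmp
  tmp="${setname}_tmp"
  echo "create $setname hash:net family inet"
  echo "create $tmp hash:net family inet"
  echo "flush $tmp"
  extract_sip_hosts "$conf" | sed "s|^|add $tmp |"
  echo "swap $tmp $setname"
  echo "destroy $tmp"
}

# Refresh the live set whenever sip.conf changes; the firewall itself is not
# restarted. Call this (or at least create the empty set) from custom-rules
# before the matching rule, since iptables rejects a rule that references a
# set which does not exist yet:
#   iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
refresh_sip_ipset() {
  build_ipset_restore "${1:-/etc/asterisk/sip.conf}" udp_sip_hosts | ipset restore -exist
}

# Stand-alone demo on the constructed sample: prints the restore script.
demo_conf=$(mktemp)
write_sample_sip_conf "$demo_conf"
build_ipset_restore "$demo_conf" udp_sip_hosts
rm -f "$demo_conf"
```

Running the script on its own prints the restore script for the sample config; on a box with ipset, `refresh_sip_ipset /path/to/sip.conf` loads it. The host= filter is deliberately strict rather than permissive: a typo such as host=1.2.3 or a stray hostname is dropped and logged nowhere, so it is worth diffing `extract_sip_hosts` output against the expected site list after each portal change.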