That sounds very interesting. I have a customer using AstLinux as Proxy as well. Maybe we could document this in the Wiki?
> Am 27.09.2021 um 02:54 schrieb Lonnie Abelbeck <li...@lonnie.abelbeck.com>: > > Michael, > > The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so > parsing sip.conf using 'sed' or such should be reasonably straightforward. > > BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset > (ex. udp_sip_hosts), you can very efficiently match all of them with only one > rule: > -- > iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp > --dport 5060 -j ACCEPT > -- > That would allow you to rebuild only the "udp_sip_hosts" ipset when the > sip.conf got changed, without rebuilding the firewall. Though requires some > 'ipset' command knowledge, though not complex at all. > > Example 'ipset' usage in AstLinux: > https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275 > > If you only use IPv4 a lot of the example can be simplified. > > Lonnie > > > >> On Sep 26, 2021, at 7:17 PM, Michael Knill >> <michael.kn...@ipcsolutions.com.au> wrote: >> >> Thanks Lonnie. >> >> Actually now that I think about it, is there any reason why the custom rule >> could not parse sip.conf for host=<IP Address> and open up all Public IP's? >> It would mean that you would need to restart the firewall every time you >> modified sip.conf but I'm sure we could build this into our portal very >> simply. >> >> Regards >> Michael Knill >> >> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote: >> >> Hi Michael, >> >> With 300 rules and the same across all your boxes, I would use >> /mnt/kd/arno-iptables-firewall/custom-rules to define these. >> >> Very similar to the deny_ext_local() example I posted recently, but the >> reverse ... pass_ext_local() using -j ACCEPT >> >> Without testing, something like ... >> -- >> pass_ext_local() >> { >> local proto="$1" host="$2" port="$3" >> >> echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, >> Port: $port" >> iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT >> } >> ## uncomment to enable ## >> #pass_ext_local udp 1.2.3.4 5060 >> #pass_ext_local tcp 1.2.3.0/24 5061 >> -- >> >> If you only use udp/5060, you could simplify things, maybe only one "echo" >> statement and a variable defining all 300 IPs. Generic shell scripting. >> >> Again untested ... >> -- >> pass_ext_local_udp_sip() >> { >> local host proto="udp" port="5060" IFS >> local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 >> 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48" >> >> echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts" >> unset IFS >> for host in $sip_hosts; do >> iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT >> done >> } >> pass_ext_local_udp_sip >> -- >> >> Alternatively, you could define the sip_hosts variable with a file if >> desired. >> >> Lonnie >> >> >> >> >> >>> On Sep 26, 2021, at 5:32 PM, Michael Knill >>> <michael.kn...@ipcsolutions.com.au> wrote: >>> >>> Hi Group >>> >>> I'm looking to have a large number of firewall entries in Astlinux e.g. >>> 300. They would be all the same e.g. I want to open port 5060 from multiple >>> sites. >>> Is there an easier/neater way to do this other than lots of firewall >>> entries in the Firewall Tab? >>> >>> Regards >>> >>> Michael Knill >>> Managing Director >>> >>> D: +61 2 6189 1360 >>> P: +61 2 6140 4656 >>> E: michael.kn...@ipcsolutions.com.au >>> W: ipcsolutions.com.au Michael http://www.mksolutions.info _______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
