This may be a little off topic, but a while ago I decided to lock down port 5061 and only let in known IP addresses... which might change, so I needed to open based on DNS lookup. Be aware that DNS service may not be up yet when the firewall custom rules are executed, especially on system boot.
My solution was to spawn a background shell task within custom rules (ampersand after brackets: ( code ) & ) which waited for DNS to successfully resolve a known URL (like google.com), and when that worked then resolved my desired DNS name into a list of IPs and set the rule.... or timed out and logged an error message. I have also used ipsets, but only with ip route, not with iptables. It does indeed provide a very useful way of dynamically managing a list of IP addresses without having to change the ip route rules (or in this case the iptables rules).

David

On Mon, Sep 27, 2021 at 6:33 AM Michael Keuter <li...@mksolutions.info> wrote:
> That sounds very interesting. I have a customer using AstLinux as Proxy as well.
> Maybe we could document this in the Wiki?
>
> On 27.09.2021 at 02:54, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
> >
> > Michael,
> >
> > The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward.
> >
> > BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule:
> > --
> > iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
> > --
> > That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall. Though it requires some 'ipset' command knowledge, it is not complex at all.
> >
> > Example 'ipset' usage in AstLinux:
> > https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275
> >
> > If you only use IPv4 a lot of the example can be simplified.
> >
> > Lonnie
> >
> >
> >> On Sep 26, 2021, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> >>
> >> Thanks Lonnie.
> >>
> >> Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host=<IP Address> and open up all Public IPs?
> >> It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply.
> >>
> >> Regards
> >> Michael Knill
> >>
> >> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
> >>
> >> Hi Michael,
> >>
> >> With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.
> >>
> >> Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT
> >>
> >> Without testing, something like ...
> >> --
> >> pass_ext_local()
> >> {
> >>   local proto="$1" host="$2" port="$3"
> >>
> >>   echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
> >>   iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
> >> }
> >> ## uncomment to enable ##
> >> #pass_ext_local udp 1.2.3.4 5060
> >> #pass_ext_local tcp 1.2.3.0/24 5061
> >> --
> >>
> >> If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting.
> >>
> >> Again untested ...
> >> --
> >> pass_ext_local_udp_sip()
> >> {
> >>   local host proto="udp" port="5060" IFS
> >>   local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
> >>
> >>   echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
> >>   unset IFS
> >>   for host in $sip_hosts; do
> >>     iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
> >>   done
> >> }
> >> pass_ext_local_udp_sip
> >> --
> >>
> >> Alternatively, you could define the sip_hosts variable with a file if desired.
> >>
> >> Lonnie
> >>
> >>
> >>> On Sep 26, 2021, at 5:32 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
> >>>
> >>> Hi Group
> >>>
> >>> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
> >>> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
> >>>
> >>> Regards
> >>>
> >>> Michael Knill
> >>> Managing Director
> >>>
> >>> D: +61 2 6189 1360
> >>> P: +61 2 6140 4656
> >>> E: michael.kn...@ipcsolutions.com.au
> >>> W: ipcsolutions.com.au
>
>
> Michael
>
> http://www.mksolutions.info
>
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
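The pieces discussed in this thread combined into one runnable script, added here as an example and not code from the thread or from AstLinux: it parses host= lines out of a constructed sip.conf sample (Michael's idea), emits the scratch-set-and-swap ipset rebuild plus the single --match-set rule Lonnie described, and includes the retry-until-DNS-works wait David mentioned for boot time. The function names, the sample sip.conf, and the private-range filter are my assumptions; the ipset and iptables commands are printed rather than executed so the script runs without root.

```shell
#!/bin/sh
# Added example, not from the thread or AstLinux. Constructed sip.conf sample:
SAMPLE_SIP_CONF='[trunk1]
host=203.0.113.10
[trunk2]
host=198.51.100.7 ; trailing comment
[phone1]
host=dynamic
[lan-peer]
host=192.168.1.20
[trunk3]
host=203.0.113.10
'

# host= values that are dotted IPv4, minus RFC1918/loopback, deduplicated.
sip_public_hosts() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*host[[:space:]]*=[[:space:]]*\([0-9.]*\).*/\1/p' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    grep -Ev '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' |
    sort -u
}

# Commands to rebuild the ipset atomically (fill a scratch set, swap it in),
# so the firewall itself need not be restarted. Printed, not executed, here.
ipset_rebuild_commands() {
  set_name="$1"; hosts="$2"
  echo "ipset create $set_name hash:ip -exist"
  echo "ipset create ${set_name}_new hash:ip -exist"
  for h in $hosts; do
    echo "ipset add ${set_name}_new $h -exist"
  done
  echo "ipset swap ${set_name}_new $set_name"
  echo "ipset destroy ${set_name}_new"
}

# Retry a resolver probe (e.g. "nslookup google.com") for up to $2 seconds,
# since DNS may not be up when custom-rules runs at boot. 0 on success, 1 on timeout.
wait_for_dns() {
  probe="$1"; limit="${2:-60}"; n=0
  while [ "$n" -lt "$limit" ]; do
    $probe >/dev/null 2>&1 && return 0
    n=$((n + 1)); sleep 1
  done
  return 1
}
hosts=$(sip_public_hosts "$SAMPLE_SIP_CONF")
ipset_rebuild_commands udp_sip_hosts "$hosts"
echo "iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT"
```

In a real custom-rules file the wait would be run in the background, as David described, and the echoed commands executed instead of printed.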