Hi All

Merry Christmas and Happy New Year.

Just rejuvenating this thread as I am building our new softswitch and playing with ipset as you offered below. We have done the following:

Using CLI:

ipset create udp_sip_hosts hash:ip
ipset add udp_sip_hosts <IP Address>

In custom-rules.conf:

iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT

It all seems to work fine but I obviously am an iptables noob as I have no idea what to do when I make changes to the ipset as it does not change even after a firewall restart. I'm sure there is something I need to do which will get iptables to reread the ipset?

Thanks guys.

Regards
Michael Knill

On 27/9/2021, 10:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

    Michael,

    The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward.

    BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule:
    --
    iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
    --
    That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall. Though requires some 'ipset' command knowledge, though not complex at all.

    Example 'ipset' usage in AstLinux:
    https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275

    If you only use IPv4 a lot of the example can be simplified.

    Lonnie

> On Sep 26, 2021, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks Lonnie.
>
> Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host=<IP Address> and open up all Public IP's?
> It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply.
>
> Regards
> Michael Knill
>
> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.
>
> Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT
>
> Without testing, something like ...
> --
> pass_ext_local()
> {
>   local proto="$1" host="$2" port="$3"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
>   iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
> }
> ## uncomment to enable ##
> #pass_ext_local udp 1.2.3.4 5060
> #pass_ext_local tcp 1.2.3.0/24 5061
> --
>
> If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting.
>
> Again untested ...
> --
> pass_ext_local_udp_sip()
> {
>   local host proto="udp" port="5060" IFS
>   local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43
>                    1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
>
>   echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
>   unset IFS
>   for host in $sip_hosts; do
>     iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
>   done
> }
> pass_ext_local_udp_sip
> --
>
> Alternatively, you could define the sip_hosts variable with a file if desired.
>
> Lonnie
>
>
>> On Sep 26, 2021, at 5:32 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi Group
>>
>> I'm looking to have a large number of firewall entries in Astlinux e.g. 300.
>> They would be all the same e.g. I want to open port 5060 from multiple sites.
>> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
>>
>> Regards
>>
>> Michael Knill
>> Managing Director
>>
>> D: +61 2 6189 1360
>> P: +61 2 6140 4656
>> E: michael.kn...@ipcsolutions.com.au
>> W: ipcsolutions.com.au
>>
>> Smarter Business Communications
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
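The rebuild step Michael is asking about, as an added example that is not code from the thread or from AstLinux: an iptables rule with -m set matches whatever the named set contains when a packet arrives, so the set's members are what need replacing, not the firewall. The script parses host= lines out of a constructed sample sip.conf into a scratch set and swaps it in atomically; it assumes POSIX sh with sed, grep and sort, ipset in PATH and root privileges, SET_NAME matching the --match-set name in custom-rules, and a placeholder sip.conf path.

```shell
#!/bin/sh
# Added example (not from the thread or AstLinux): rebuild the udp_sip_hosts
# ipset from sip.conf without restarting the firewall. The ACCEPT rule
# references the set by name, so only the set's members need replacing;
# 'ipset swap' makes that replacement atomic (the rule never sees an
# empty set). Assumes POSIX sh, sed/grep/sort, ipset in PATH, root.

SET_NAME="udp_sip_hosts"   # must match --match-set in custom-rules

# Write a constructed sample sip.conf (not a real config) to "$1".
write_sample_sip_conf() {
    printf '%s\n' \
        '[trunk-a]' 'type=peer' 'host=1.2.3.4' 'port=5060' \
        '[phone-1]' 'host=dynamic' \
        '[trunk-b]' '  host = 1.22.33.40 ; inline comment' \
        '[trunk-c]' 'host=sip.example.invalid' \
        '[trunk-a-backup]' 'host=1.2.3.4' > "$1"
}

# One IPv4 literal per line for every host=<addr> in "$1": strips inline
# comments, skips host=dynamic and hostnames (IPv4 only here), dedups.
sip_hosts_from_conf() {
    sed -n 's/^[[:space:]]*host[[:space:]]*=[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | LC_ALL=C sort -u
}

# Fill a scratch set, swap it with the live one, drop the old contents.
# The firewall rules are untouched; only the set's membership changes.
rebuild_sip_ipset() {
    conf="$1"; scratch="${SET_NAME}_new"
    ipset create "$SET_NAME" hash:ip -exist   # no-op if it already exists
    ipset create "$scratch" hash:ip -exist
    ipset flush "$scratch"
    sip_hosts_from_conf "$conf" | while read -r ip; do
        ipset add "$scratch" "$ip" -exist
    done
    ipset swap "$scratch" "$SET_NAME"
    ipset destroy "$scratch"
}

# Usage: sh rebuild_sip_ipset.sh --apply /path/to/sip.conf   (placeholder path)
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    rebuild_sip_ipset "$2"
    ipset list "$SET_NAME" | sed -n '/^Members:/,$p'   # show the new members
fi
```

Because ipsets live only in the kernel, the same rebuild has to run at boot (for instance from custom-rules) before the ACCEPT rule is added, since iptables refuses a -m set rule whose set does not exist yet.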