On 8/17/2012 8:54 AM, Tony Graziano wrote:
> The question I had was is this better implemented in iptables (my
> preference is there) or in the proxy?
>
> In the normal realm of dealing with people who desire to block most or
> all countries from accessing their system to limit exposure, I
> compiled a CIDR list (no space, separated by commas) of all countries
> except USA and saw that it is around 130,000 characters in length (83k
> CIDR entries). So the question begs "what would be the proxy impact of
> this"?
>
> Since it might be easier to implement as a blacklist in the proxy, I
> found it impractical to use because of the 1000 character limit
> imposed. So if we send this to the proxy as a blacklist, I wonder
> about performance.
>
> I have an iptables script that can be run to block this via iptables,
> but it takes at least 10 minutes to turn it on and make it add each
> country zone by script. I am thinking a plugin might be more elegant
> and am looking at cfengine as well. I just need to see how I can marry
> the script to run via a cron job to auto-update the zone files and use
> the iptables argument within cfengine.
>
> Ideally we could extend this to sipxconfig and have it manage a script
> and allow the admin to check the countries to be blocked. It really
> makes it simpler to deploy in a virtual center somewhere this way,
> which is where everyone is headed.
>
10 mins seems long. This is what I do:
# Whitelist chain, checked first: the LAN and the SIP trunk providers
# always get through, regardless of the rate limits and block list below.
/sbin/iptables -N whitelist
/sbin/iptables -I INPUT -j whitelist
/sbin/iptables -A whitelist -s 192.168.0.0/16 -j ACCEPT
#voipinnovations
/sbin/iptables -A whitelist -s 64.136.174.30 -j ACCEPT
#newyork.voip.ms
/sbin/iptables -A whitelist -s 74.63.41.218 -j ACCEPT
#chicago.voip.ms
/sbin/iptables -A whitelist -s 64.120.22.242 -j ACCEPT
# Per-source rate limit on new SIP (UDP 5060) flows with xt_recent: the
# first rule only records the source (no target), the next three reject
# it once it exceeds 20 new flows in 300 s, 10 in 180 s or 6 in 60 s.
# --hitcount may not exceed the module's ip_pkt_list_tot (default 20).
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 10 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 6 -j REJECT
# Older global (not per-source) limits, kept disabled:
#/sbin/iptables -A INPUT -p udp --dport 5060 -m limit --limit 5/s --limit-burst 5 -i eth0 -j REJECT
#/sbin/iptables -A INPUT -p udp --dport 5080 -m limit --limit 5/s --limit-burst 5 -i eth0 -j REJECT
# Block list: one address or CIDR per line, one DROP rule each.
BASE_FILE=/etc/voipabuse.txt
while read -r line; do
    [ -n "$line" ] || continue
    /sbin/iptables -A INPUT -s "$line" -j DROP
done < "$BASE_FILE"
--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
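The reason the country-zone script takes minutes is that every `iptables -A` call fetches, modifies and reloads the whole table, so 83k calls cost far more than 83k rules, and once loaded each packet is matched against those rules one by one. The added example below (mine, not code from either poster) swaps in ipset, which neither message mentions: the whole list goes into one hash:net set loaded in a single `ipset restore`, referenced from one iptables rule. It also handles the two things a cron-driven refresh gets wrong: a malformed line in the zone file would abort the whole restore, so entries are validated and bad ones skipped, and the live set is replaced with `ipset swap` so there is no window with no block list. The set name `countryblock`, the list file path and the sample entries are assumptions.

```sh
#!/bin/sh
# Added example, not from either poster on this thread: load a large CIDR
# block list into one ipset and reference it from a single iptables rule,
# instead of one "iptables -A" call (and one rule to match) per entry.
# The set name "countryblock" and the list file path are assumptions.

# Print an "ipset restore" session for set $1 from list file $2 (one IPv4
# address or CIDR per line; blank lines and "#" comments are ignored).
# Malformed entries are reported on stderr and skipped, because a single
# bad line would otherwise abort the whole restore and leave no block list.
build_ipset_restore() {
    awk -v setname="$1" '
        function valid_cidr(s,   n, parts, octs, i) {
            n = split(s, parts, "/")
            if (n < 1 || n > 2) return 0
            if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
            if (split(parts[1], octs, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (octs[i] !~ /^[0-9]+$/ || octs[i] + 0 > 255) return 0
            return 1
        }
        BEGIN {
            # hashsize must be a power of two; maxelem sized for ~83k nets
            print "create " setname " hash:net family inet hashsize 65536 maxelem 262144"
            print "flush " setname
        }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]].*$/, "")
            if (valid_cidr($0))
                print "add " setname " " $0
            else
                print "skipping malformed entry: " $0 > "/dev/stderr"
        }' "$2"
}

# Constructed sample list (not real country zone data) exercising comments,
# blank lines and three malformed entries that must be skipped.
sample_cidr_list() {
    cat <<'EOF'
# constructed sample
203.0.113.0/24
198.51.100.0/25

192.0.2.64/26   # inline comment after whitespace is tolerated
300.1.1.1/8
198.51.100.0/33
not-an-address
EOF
}

# Replace the live set without a gap: restore into a scratch set, swap it
# into place, then drop the old one. Needs root plus ipset/iptables.
# "-exist" lets the scratch create succeed if a previous run was interrupted.
apply_blocklist() {
    set_name="$1"; list_file="$2"
    build_ipset_restore "${set_name}_new" "$list_file" | ipset -exist restore || return 1
    ipset create "$set_name" hash:net family inet hashsize 65536 maxelem 262144 -exist
    ipset swap "${set_name}_new" "$set_name" || return 1
    ipset destroy "${set_name}_new"
    # One rule matches the whole set; add it only if it is not already there.
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

# Usage (as root, e.g. from cron after refreshing the zone file):
#   apply_blocklist countryblock /etc/countryblock.txt
```

With this layout the cron job only rebuilds the set; the iptables rule is added once and never touched again, and the whitelist chain from the script above still runs first if it is inserted ahead of the set rule.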