Hi all. I use the pike.so and exec.so modules to automatically add flooding IP addresses to firewall reject rules. The code is as follows:
    pike_check_req();
    switch ($retcode) {
        case -2:
            # detected once - simply drop the request
            exit;
        case -1:
            # detected again - ban the IP and drop the request
            exec("/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; }");
            exit;
    }

Everything works fine, except that sometimes too many iptables entries are generated, all of them the same:

    root@deb-node-2:~# iptables -L INPUT -vn --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target  prot opt in  out  source      destination
    1        0     0 DROP    udp  --  *   *    172.16.0.5  0.0.0.0/0    /* blacklisted by OpenSIPS */
    2        0     0 DROP    udp  --  *   *    172.16.0.5  0.0.0.0/0    /* blacklisted by OpenSIPS */
    3        0     0 DROP    udp  --  *   *    172.16.0.5  0.0.0.0/0    /* blacklisted by OpenSIPS */
    ...
    87       0     0 DROP    udp  --  *   *    172.16.0.5  0.0.0.0/0    /* blacklisted by OpenSIPS */

So I'm trying to understand what the best way is to generate only one iptables rule. Is it possible to do this with OpenSIPS, or is the only way to run some script which looks for an existing iptables deny rule and, if there is one, does not add another?

-----------------------------------------------
BR, Alexey
http://alexeyka.zantsev.com/

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
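One way to do what the post asks for, as an added example that is not part of the original message or of OpenSIPS itself: a small wrapper script that OpenSIPS calls through exec() instead of the inline iptables command, e.g. exec("/usr/local/bin/sip-ban.sh $si"). The script path, the function names, the IPTABLES/AT/BAN_MINUTES variables and the address check are assumptions of this example; the rule itself mirrors the one in the post. It relies on "iptables -C", which exits 0 when an identical rule already exists in the chain (available since iptables 1.4.11), so the DROP rule is added once per address and exactly one at(1) removal job is scheduled per added rule.

```shell
#!/bin/sh
# sip-ban.sh (example, not part of OpenSIPS): add a UDP DROP rule for one
# source address exactly once and schedule a single removal.
# Called from the OpenSIPS script as:  exec("/usr/local/bin/sip-ban.sh $si");
# The script path, variable names and the BAN_MINUTES default are assumptions
# of this example.  Requires iptables >= 1.4.11 (introduced the -C operation).

IPTABLES="${IPTABLES:-/usr/bin/sudo iptables}"   # unquoted below so "sudo iptables" splits
AT="${AT:-at}"
COMMENT="blacklisted by OpenSIPS"
BAN_MINUTES="${BAN_MINUTES:-5}"

# Run one iptables operation (-C, -A or -D) against the same rule
# specification, so the check, the add and the delete cannot drift apart.
run_iptables() {
    # $1 = operation, $2 = address
    # shellcheck disable=SC2086
    $IPTABLES "$1" INPUT -s "$2" -p udp -m comment --comment "$COMMENT" -j DROP
}

# ban_ip <address>
# Returns 0 if a new rule was added, 1 if the address was already banned,
# 2 if the argument is not an address literal, 3 if iptables failed.
ban_ip() {
    ip="$1"
    # $si comes from OpenSIPS, but it still lands on a shell command line:
    # refuse anything that is not an IPv4/IPv6 literal.
    case "$ip" in
        ""|*[!0-9a-fA-F.:]*)
            echo "ban_ip: refusing non-address argument '$ip'" >&2
            return 2 ;;
    esac

    # This check is what stops the duplicates: -C exits 0 when an identical
    # rule is already present (it prints "Bad rule" to stderr otherwise).
    if run_iptables -C "$ip" 2>/dev/null; then
        return 1
    fi

    run_iptables -A "$ip" || return 3

    # One removal job per added rule; at(1) runs the line with /bin/sh.
    printf '%s -D INPUT -s %s -p udp -m comment --comment "%s" -j DROP\n' \
        "$IPTABLES" "$ip" "$COMMENT" | $AT now + "$BAN_MINUTES" min
}

# Entry point when invoked as a script: "already banned" is not an error
# from exec()'s point of view, so map it to success.
if [ $# -gt 0 ]; then
    ban_ip "$1"
    case $? in 0|1) exit 0 ;; *) exit 1 ;; esac
fi
```

Note the trade-off this makes: a second detection inside the five-minute window is ignored rather than extending the ban, because the rule is already there and the original removal job still fires. If the ban should be refreshed on every detection, an ipset with a timeout (one static iptables rule matching the set, plus "ipset add SETNAME ADDRESS -exist" from the script, which resets the entry's timeout) removes the need for at(1) altogether.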