Hi Alexey,

You can extend the shell command with source IP listing/matching logic within iptables. For example:

/usr/bin/sudo iptables -t filter -S INPUT | grep -q $si || (/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; })

If the shell syntax gets too complex and the OpenSIPS script cannot handle it 
anymore, you should make a wrapper .sh around all the logic, and only feed it 
parameters.

Best regards,

Liviu Chircu
OpenSIPS Developer
http://www.opensips-solutions.com

On 23.05.2018 08:55, Alexey K. via Users wrote:
Hi all.

I use module pike.so and exec.so to automatically add flooding IP addresses to 
firewall rejecting rules.
The code is as follows:

pike_check_req();
switch($retcode) {
    case -2:    # detected once - simply drop the request
        exit;
    case -1:    # detected again - ban the IP and drop request
        exec("/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; }");
        exit;
}


Everything works fine, except that sometimes too many identical iptables 
entries are generated:

root@deb-node-2:~# iptables -L INPUT -vn --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
2        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
3        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
... ... ...
87       0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */


So I'm trying to understand what the best way is to generate only one iptables 
rule.
Is it possible to do this with opensips, or is the only way to run some script 
which checks whether there is already an iptables denying rule and, if so, 
does not add one more?

-----------------------------------------------
BR, Alexey
http://alexeyka.zantsev.com/
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
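An idempotent wrapper script of the kind Liviu suggests, added here as an example; it is not code from the thread or from the OpenSIPS project. It assumes the script is installed under a path of your choosing and invoked from the route as exec("/path/to/ban_ip.sh $si"). The IPTABLES and AT override variables (so the logic can be exercised without root), the IPv4 argument check, and the use of "iptables -C" for an exact-rule check instead of grepping "iptables -S" output are my assumptions, not something the thread describes.

```sh
#!/bin/sh
# ban_ip.sh - idempotent wrapper around the iptables commands from the thread.
# Called from OpenSIPS as:  exec("/path/to/ban_ip.sh $si");
# Assumed (not from the original post): the script path, the IPTABLES/AT
# override variables, the IPv4 check and the use of "iptables -C".
set -e

IPTABLES="${IPTABLES:-/usr/bin/sudo iptables}"   # left unquoted below: "sudo iptables" is two words
AT="${AT:-at}"
COMMENT='blacklisted by OpenSIPS'

# Accept only a plain IPv4 address: the argument ends up inside a shell
# command line handed to at(1), so it must never carry metacharacters.
# (ip6tables would be needed for IPv6 sources; not covered here.)
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Exit 0 if the exact DROP rule for this source is already in INPUT, 1 otherwise.
# "iptables -C" tests for a rule without changing the chain, which is more
# precise than grepping "iptables -S INPUT" for the bare address
# (a grep for 172.16.0.5 would also match 172.16.0.50).
rule_exists() {
    $IPTABLES -C INPUT -s "$1" -p udp -j DROP -m comment --comment "$COMMENT" 2>/dev/null
}

# Add the rule at most once and queue its removal. Prints "added" or "exists".
# Returns 2 (and adds nothing) when the argument is not an IPv4 address.
ban_ip() {
    ip=$1
    minutes=${2:-5}
    if ! valid_ipv4 "$ip"; then
        echo "ban_ip: refusing non-IPv4 argument: $ip" >&2
        return 2
    fi
    if rule_exists "$ip"; then
        echo exists
        return 0
    fi
    $IPTABLES -A INPUT -s "$ip" -p udp -j DROP -m comment --comment "$COMMENT"
    # The removal job is the same rule with -D, run by at(1) after $minutes minutes.
    printf '%s -D INPUT -s %s -p udp -j DROP -m comment --comment "%s"\n' \
        "$IPTABLES" "$ip" "$COMMENT" | $AT now + "$minutes" min
    echo added
}

# Script entry point: ban_ip.sh <ipv4> [minutes]. Does nothing without arguments.
if [ $# -gt 0 ]; then
    ban_ip "$@"
fi
```

Because the existence check and the insert are both keyed on the full rule (source, protocol, target and comment), repeated pike hits for the same address produce one INPUT entry and one scheduled removal instead of the 87 duplicates shown above; the validation step also keeps the script safe to call with any value OpenSIPS hands it.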