On 10/28/2010 3:41 AM, Per Jessen wrote:
> 2) if you've got some iptables rules for limiting inbound SIP by rate?

Exactly what I was going through; here's how I reacted (throttles both 
SSH and SIP Register):

First, I completely blocked all non-North American & Amazon EC2 networks 
- I won't be registering my SIP phone from Nigeria nor from within EC2* 
any time soon.  Then in my iptables startup script:

# Chain that every inbound SIP REGISTER and every new SSH connection passes through
iptables -N THROTTLE
iptables -A INPUT -i eth0 -p udp --dport 5060 \
   -m string --string "REGISTER sip:" --algo bm --to 65 -j THROTTLE
iptables -A INPUT -i eth0 -p tcp --dport 22   \
   -m state --state NEW -j THROTTLE
# Record the source of every packet in the ABUSE list (no target, so the
# packet carries on to the rules below)
iptables -A THROTTLE -m recent --set --name ABUSE
# Three tiers, each "log, then drop" once a source exceeds the hit count
# within the window.  $LOGOPTS and $PRE are set earlier in the init script
# (LOG options and a log-prefix string); h15_/h12_/h6_ tag which tier fired.
iptables -A THROTTLE -m recent --update --seconds 86400 \
   --hitcount 15 --name ABUSE -j LOG $LOGOPTS "$PRE"h15_
iptables -A THROTTLE -m recent --rcheck --seconds 86400 \
   --hitcount 15 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 3600  \
   --hitcount 12 --name ABUSE -j LOG $LOGOPTS "$PRE"h12_
iptables -A THROTTLE -m recent --rcheck --seconds 3600  \
   --hitcount 12 --name ABUSE -j DROP
iptables -A THROTTLE -m recent --update --seconds 60    \
   --hitcount  6 --name ABUSE -j LOG $LOGOPTS "$PRE"h6_
iptables -A THROTTLE -m recent --rcheck --seconds 60    \
   --hitcount  6 --name ABUSE -j DROP

# Whatever survives THROTTLE (or never entered it) is accepted
iptables -A INPUT -i eth0 -p udp --dport 5060 \
   --sport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22   \
   --sport 1024:65535 -j ACCEPT
Note that some SIP clients send more than one REGISTER per startup -- 
e.g.: Siphon on the iPhone registers without credentials first, Asterisk 
sends back "unauthorized", then Siphon tries again with the configured 
username and password.


For exactly how I'm using it:

mkdir /usr/local/script
cd /usr/local/script
wget http://jeremy.kister.net/code/iptables/make-non-na.pl
wget http://jeremy.kister.net/code/iptables/iptables.init
mv iptables.init /etc/init.d/iptables
# vi /etc/init.d/iptables
# change MYLAN to your LAN network
# change RDPRANGE to the range defined in /etc/asterisk/rdp.conf
ln -s /etc/init.d/iptables /etc/rc2.d/iptables
ln -s /etc/init.d/iptables /etc/rc3.d/iptables
crontab -e
# add an entry that runs make-non-na.pl once per week

/usr/local/script/make-non-na.pl
/etc/init.d/iptables start


* = if you use the Acrobits softphone, you'll need to let EC2 through 
for push notifications.  Currently, I just put 184.72.221.84 in the 
siprtp section of the iptables script.

-- 

Jeremy Kister
http://jeremy.kister.net./
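Added example, not part of Jeremy's post or his iptables.init script: a small Python model of the recent-match logic in the THROTTLE chain above, so you can replay a client's registration cadence through the same (seconds, hitcount) tiers before putting the rules in front of real phones. The addresses, the traffic patterns and the 20-timestamp cap (xt_recent's default ip_pkt_list_tot) are assumptions; --update is modelled as recording an extra timestamp when it matches.

```python
"""Model of the THROTTLE chain's 'recent' match logic (added example, not the
poster's script): replay constructed REGISTER traffic through the same
(seconds, hitcount) tiers and see which sources end up dropped."""
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot timestamps per address (default 20);
# a --hitcount above this value is refused by the module.
PKT_LIST_TOT = 20

# The three tiers of the THROTTLE chain, in rule order: (--seconds, --hitcount).
TIERS = ((86400, 15), (3600, 12), (60, 6))


class RecentList:
    """Minimal model of one 'recent' list (the post's --name ABUSE)."""

    def __init__(self, max_stamps=PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):
        """--set: record a timestamp for src, creating the entry if needed."""
        self.stamps[src].append(now)

    def hits(self, src, now, seconds):
        """Number of recorded timestamps for src inside the last `seconds`."""
        return sum(1 for t in self.stamps[src] if now - t <= seconds)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck: match if src is listed with >= hitcount stamps in the window."""
        return src in self.stamps and self.hits(src, now, seconds) >= hitcount

    def update(self, src, now, seconds, hitcount):
        """--update: as --rcheck, but a match also records a fresh timestamp."""
        matched = self.rcheck(src, now, seconds, hitcount)
        if matched:
            self.stamps[src].append(now)
        return matched


def throttle(abuse, src, now):
    """Walk the THROTTLE chain for one packet from src at time `now`.

    Returns (verdict, log_tags): 'DROP' if any tier's --rcheck rule fires,
    otherwise 'ACCEPT' (the chain returns and the later INPUT rule accepts);
    log_tags lists the LOG prefixes (h15_, h12_, h6_) that would be emitted.
    """
    log_tags = []
    abuse.set(src, now)                                  # --set --name ABUSE
    for seconds, hitcount in TIERS:
        if abuse.update(src, now, seconds, hitcount):    # --update ... -j LOG
            log_tags.append(f"h{hitcount}_")
        if abuse.rcheck(src, now, seconds, hitcount):    # --rcheck ... -j DROP
            return "DROP", log_tags
    return "ACCEPT", log_tags


def simulate(events):
    """Replay (time, src) packets in time order; return {src: [verdict, ...]}."""
    abuse = RecentList()
    verdicts = defaultdict(list)
    for now, src in sorted(events):
        verdicts[src].append(throttle(abuse, src, now)[0])
    return dict(verdicts)


def first_drop(verdicts):
    """Index of the first dropped packet for one source, or None if never dropped."""
    return verdicts.index("DROP") if "DROP" in verdicts else None


# Constructed traffic (documentation addresses, not real hosts):
#  - PHONE: registers twice at startup (unauthenticated, then with credentials,
#    as the post describes) and re-registers every two hours.
#  - HOURLY: same startup pattern, but a one-hour registration interval.
#  - SCANNER: a REGISTER every two seconds for a minute.
PHONE, HOURLY, SCANNER = "192.0.2.10", "192.0.2.20", "198.51.100.7"
TRAFFIC = (
    [(0, PHONE), (1, PHONE)] + [(7200 * k, PHONE) for k in range(1, 12)]
    + [(0, HOURLY), (1, HOURLY)] + [(3600 * k, HOURLY) for k in range(1, 24)]
    + [(2 * k, SCANNER) for k in range(30)]
)

if __name__ == "__main__":
    for src, v in simulate(TRAFFIC).items():
        print(f"{src:14} packets={len(v):3} first drop at #{first_drop(v)}")
```

The scanner is dropped from its sixth packet within the minute, and the two-hourly phone is never touched; the hourly phone, however, reaches 15 REGISTERs inside the 86400-second window and is dropped from its fifteenth packet. That last case is the number worth checking against your own clients' registration expiry before choosing the 24-hour tier's hit count.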

asterisk-users mailing list