Hi Michael, I rolled up my sleeves and gave this a test in my lab:
-- snip /etc/arno-iptables-firewall/custom-rules --
ipset_ext_input_allow()
{
  local proto="$1" port="$2" set="$3" file="$4"

  if [ ! -f "$file" ]; then
    echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file"
    return
  fi

  echo "[CUSTOM RULE] IPSet Pass EXT->Local for Proto: $proto, Port: $port, Set: $set, IPsetFile: $file"
  ipset create -exist $set hash:net
  ipset flush $set
  sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist ${set} \1/p" "$file" | ipset restore
  ip4tables -A EXT_INPUT_CHAIN -m set --match-set $set src -p $proto --dport $port -j ACCEPT
}
ipset_ext_input_allow udp 5060 udp_sip_hosts /tmp/sip-whitelist.netset
--

-- /tmp/sip-whitelist.netset --
## 1.2.3.4 #test
#10.10.50.1
10.10.50.55
#10.10.0.0/16
--

It worked as expected. Restarting the firewall ("arno-iptables-firewall restart") applies the current IPv4 .netset file.

> If I then remove the address and restart the firewall, the address is removed
> from the list (ipset list confirms this) but the address is still open in the
> firewall. I cannot remove it unless I reboot the system.

What you are seeing is the iptables conntrack state table; eventually the UDP state will expire after 120 seconds (unless traffic resets the state).

Source      Port (#'s)  Destination  Port  Protocol  Packets  Bytes  TTL
10.10.50.1  5060        10.10.50.64  5060  UDP       24       13856  1:29

After the TTL counts down to 0 the conntrack state disappears.

The iptables conntrack state table makes the firewall much more efficient. This behavior has always existed.

So in your testing, if you wait 2 minutes after you remove an IP and apply the change, the IP will be blocked for UDP 5060 traffic.

If you are getting a constant stream of UDP 5060 traffic from that IP then you would need to take additional measures to block further traffic. For example, if you allowed a remote SIP endpoint to register more often than every 120 seconds, removing the IP from the "allowed" ipset would not "block" it until the conntrack state disappears.

Make sense?
Lonnie

> On Jan 2, 2023, at 2:26 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Lonnie
>
> Thanks for this. Unfortunately I still need to reboot the system for it to
> reread the netset rules if I remove an ipset entry.
> Here is my custom-rules.conf:
> --------
> ipset create -exist udp_sip_hosts hash:net
> ipset flush udp_sip_hosts
> ipset add -exist udp_sip_hosts <my ip address added here>
> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
> --------
>
> If I add another IP Address to the list as below and restart the firewall it
> works fine and I see it when I do an ipset list:
> ipset add -exist udp_sip_hosts <1st ip address>
> ipset add -exist udp_sip_hosts <2nd ip address>
>
> If I then remove the address and restart the firewall, the address is removed
> from the list (ipset list confirms this) but the address is still open in the
> firewall. I cannot remove it unless I reboot the system.
> Obviously not workable I'm afraid.
>
> Regards
> Michael Knill
>
> On 3/1/2023, 3:22 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
> Hi Michael,
>
> Referring to the "apply_ipset_netset()" function (here [1])
>
> Add "-exist" to the "create" and "add" (man-page [2]) commands.
>
> Note that you can create the ipset from a text file within the
> /etc/arno-iptables-firewall/custom-rules script. Edit your text file and
> reload the firewall.
>
> Using "ipset create -exist ..." will not fail if the ipset already exists.
> "ipset flush ..." will clear any pre-existing ipset.
>
> Tip -> I would probably use "hash:net" instead of "hash:ip" so you could use
> CIDRs if you wanted.
>
> custom-rules script snippet
> --
> ipset create -exist udp_sip_hosts hash:net
> ipset flush udp_sip_hosts
>
> ## either a one-liner from a text file "sip-whitelist.netset"
> sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist udp_sip_hosts \1/p" sip-whitelist.netset | ipset restore
>
> ## Or, loop getting IPv4s from a text file "sip-whitelist.netset"
> ipset add -exist udp_sip_hosts <IP Address>
> ## done-loop
>
> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
> --
>
> Lonnie
>
> [1] https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275
>
> [2] https://ipset.netfilter.org/ipset.man.html
>
>> On Jan 1, 2023, at 11:44 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Hi All
>> Merry Christmas and Happy New Year.
>>
>> Just rejuvenating this thread as I am building our new softswitch and
>> playing with ipset as you offered below.
>> We have done the following:
>>
>> Using CLI:
>> ipset create udp_sip_hosts hash:ip
>> ipset add udp_sip_hosts <IP Address>
>>
>> In custom-rules.conf
>> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
>>
>> It all seems to work fine but I obviously am an iptables noob as I have no
>> idea what to do when I make changes to the ipset as it does not change even
>> after a firewall restart.
>> I'm sure there is something I need to do which will get iptables to reread
>> the ipset?
>>
>> Thanks guys.
>>
>> Regards
>> Michael Knill
>>
>> On 27/9/2021, 10:54 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>
>> Michael,
>>
>> The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so
>> parsing sip.conf using 'sed' or such should be reasonably straightforward.
>>
>> BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset
>> (ex. udp_sip_hosts), you can very efficiently match all of them with only
>> one rule:
>> --
>> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT
>> --
>> That would allow you to rebuild only the "udp_sip_hosts" ipset when the
>> sip.conf got changed, without rebuilding the firewall. Though it requires some
>> 'ipset' command knowledge, it is not complex at all.
>>
>> Example 'ipset' usage in AstLinux:
>> https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275
>>
>> If you only use IPv4 a lot of the example can be simplified.
>>
>> Lonnie
>>
>>> On Sep 26, 2021, at 7:17 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Thanks Lonnie.
>>>
>>> Actually now that I think about it, is there any reason why the custom rule
>>> could not parse sip.conf for host=<IP Address> and open up all Public IP's?
>>> It would mean that you would need to restart the firewall every time you
>>> modified sip.conf but I'm sure we could build this into our portal very
>>> simply.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>>
>>> Hi Michael,
>>>
>>> With 300 rules and the same across all your boxes, I would use
>>> /mnt/kd/arno-iptables-firewall/custom-rules to define these.
>>>
>>> Very similar to the deny_ext_local() example I posted recently, but the
>>> reverse ... pass_ext_local() using -j ACCEPT
>>>
>>> Without testing, something like ...
>>> --
>>> pass_ext_local()
>>> {
>>>   local proto="$1" host="$2" port="$3"
>>>
>>>   echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
>>>   iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
>>> }
>>> ## uncomment to enable ##
>>> #pass_ext_local udp 1.2.3.4 5060
>>> #pass_ext_local tcp 1.2.3.0/24 5061
>>> --
>>>
>>> If you only use udp/5060, you could simplify things, maybe only one "echo"
>>> statement and a variable defining all 300 IPs. Generic shell scripting.
>>>
>>> Again untested ...
>>> --
>>> pass_ext_local_udp_sip()
>>> {
>>>   local host proto="udp" port="5060" IFS
>>>   local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"
>>>
>>>   echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"
>>>   unset IFS
>>>   for host in $sip_hosts; do
>>>     iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT
>>>   done
>>> }
>>> pass_ext_local_udp_sip
>>> --
>>>
>>> Alternatively, you could define the sip_hosts variable with a file if
>>> desired.
>>>
>>> Lonnie
>>>
>>>> On Sep 26, 2021, at 5:32 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>>
>>>> Hi Group
>>>>
>>>> I'm looking to have a large number of firewall entries in Astlinux e.g.
>>>> 300. They would be all the same e.g. I want to open port 5060 from
>>>> multiple sites.
>>>> Is there an easier/neater way to do this other than lots of firewall
>>>> entries in the Firewall Tab?
>>>>
>>>> Regards
>>>>
>>>> Michael Knill
>>>> Managing Director
>>>>
>>>> D: +61 2 6189 1360
>>>> P: +61 2 6140 4656
>>>> E: michael.kn...@ipcsolutions.com.au
>>>> W: ipcsolutions.com.au
>>>>
>>>> Smarter Business Communications
_______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
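As an added example (not code from this thread, from AstLinux or from arno-iptables-firewall), here is a custom-rules helper in the same style as the ipset_ext_input_allow() function above that also handles the conntrack point Lonnie raises: when an address is dropped from the .netset whitelist, the existing UDP conntrack entry keeps the ACCEPT rule matching until it times out, so the helper compares the new file against a snapshot of the last applied one and deletes the conntrack state for revoked entries. The function names, the snapshot path /var/run/<set>.applied, and the use of the conntrack userspace tool (conntrack-tools) are assumptions; the sample whitelist files are constructed for the dry run and are not from the thread.

```shell
#!/bin/sh
# Added example, not AstLinux or arno-iptables-firewall code. Assumed helper
# names: netset_entries, netset_to_restore, netset_removed, ipset_apply_netset.
# The snapshot path /var/run/<set>.applied and the dependency on the
# 'conntrack' userspace tool are assumptions, not something the thread prescribes.

# Print the IPv4 address or CIDR that starts each non-comment line of a
# .netset file, one per line, sorted in the C locale so 'comm' agrees on order.
netset_entries() {
  sed -n -E 's/^([0-9][0-9./]+)([[:space:]].*)?$/\1/p' "$1" | LC_ALL=C sort -u
}

# Turn a .netset file into "ipset restore" input for the given set.
netset_to_restore() {
  local setname="$1" file="$2"
  netset_entries "$file" | sed "s/^/add -exist ${setname} /"
}

# Entries present in the previously applied snapshot but absent from the
# current file: these are the peers whose access has just been revoked.
netset_removed() {
  local old="$1" new="$2" tmp_old tmp_new
  tmp_old=$(mktemp) tmp_new=$(mktemp)
  netset_entries "$old" > "$tmp_old"
  netset_entries "$new" > "$tmp_new"
  LC_ALL=C comm -23 "$tmp_old" "$tmp_new"
  rm -f "$tmp_old" "$tmp_new"
}

# Rebuild the set from the file (as in the thread), then delete conntrack
# state for revoked entries so the ACCEPT rule stops matching immediately
# instead of after the UDP state times out. Requires root, ipset and
# conntrack-tools; without conntrack the revoked peer stays open until expiry.
ipset_apply_netset() {
  local setname="$1" file="$2" snapshot="/var/run/${setname}.applied" entry
  ipset create -exist "$setname" hash:net
  ipset flush "$setname"
  netset_to_restore "$setname" "$file" | ipset restore
  if [ -f "$snapshot" ] && command -v conntrack >/dev/null 2>&1; then
    netset_removed "$snapshot" "$file" | while read -r entry; do
      # 'conntrack -D -s' deletes flows from that source; CIDR support in -s
      # depends on the conntrack-tools version (assumption).
      conntrack -D -s "$entry" >/dev/null 2>&1 || true
    done
  fi
  cp "$file" "$snapshot"
}

# Constructed sample whitelist files (not from the thread) for a dry run that
# needs neither root nor ipset.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/before.netset" <<'EOF'
## sip-whitelist.netset as last applied
10.10.50.1
10.10.50.55   # trunk provider
10.10.0.0/16
EOF
cat > "$SAMPLE_DIR/after.netset" <<'EOF'
## sip-whitelist.netset with 10.10.50.1 commented out
#10.10.50.1
10.10.50.55   # trunk provider
10.10.0.0/16
EOF

echo "ipset restore input:"
netset_to_restore udp_sip_hosts "$SAMPLE_DIR/after.netset"
echo "revoked since last apply (conntrack state to delete):"
netset_removed "$SAMPLE_DIR/before.netset" "$SAMPLE_DIR/after.netset"
```

In /etc/arno-iptables-firewall/custom-rules you would call ipset_apply_netset udp_sip_hosts /path/to/sip-whitelist.netset and keep the single "-m set --match-set udp_sip_hosts src" ACCEPT rule from the thread; the conntrack deletion is the "additional measure" for a peer that keeps sending UDP 5060 traffic after being removed, and the dry-run section at the bottom only exercises the text-processing parts.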