Hi All
Added this script in custom-rules.conf and it seems to work well:
-
ipset create -exist udp_sip_hosts hash:net
ipset flush udp_sip_hosts
ip_addresses=$(grep "host" /mnt/kd/asterisk/sip_peers.conf | sed "s/host=//")
echo "$ip_addresses" | sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$
I decided that I will just write them all in to be on the safe side. It should
still work if they are not there but should be more reliable if they are.
Regards
Michael Knill
On 3/1/2023, 2:23 pm, "Michael Knill" <michael.kn...@ipcsolutions.com.au> wrote:
Thanks Lonnie
Although t
Thanks Lonnie
Although this is handy, I'm not really worried about addresses that won't time
out until the peer is stopped at the other end.
The main reason for my questions below is whether I even bother about creating
the ipset and firewall rule at all and what scenarios in which it could be
p
Michael,
Controlling the client is not ideal.
Not sure if it is worth the trouble, but rather than removing the IP address,
you could mark it with a unique prefix, like:
#block#1.2.3.4
Then add another sed one-liner for a different set-name that gets added in a
new unique chain which gets add
Thanks Lonnie. Sorry you had to roll your sleeves up.
Yes that makes perfect sense and it did what you said when tested. I really
should have known this but it caught me out. I did stop SIP traffic going out
but it was the remote peer's OPTIONS pings that were holding it up.
We will test parsing
Hi Michael,
I rolled up my sleeves, and gave this a test in my lab:
-- snip /etc/arno-iptables-firewall/custom-rules --
ipset_ext_input_allow()
{
local proto="$1" port="$2" set="$3" file="$4"
if [ ! -f "$file" ]; then
echo "[CUSTOM RULE] ipset_ext_input_allow: File not found: $file"
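An added, complete version of the idea in Michael's custom-rules script (first message), Lonnie's lab function above and his "#block#" marker suggestion, written for this page and not taken from any of the posts or from AstLinux/arno-iptables-firewall. It assumes the set names udp_sip_hosts and udp_sip_block, the EXT_INPUT chain, and two constructed sample files (a plain netset file and an Asterisk peers file); it deliberately loads only literal addresses, since, as noted later in the thread, DNS may not be up when custom-rules runs at boot.

```shell
#!/bin/sh
# Added example for the thread; not code from the posts or from
# AstLinux / arno-iptables-firewall.  Assumptions: set names udp_sip_hosts and
# udp_sip_block, the EXT_INPUT chain, the two constructed sample files below,
# and Lonnie's '#block#' marker.  With RUN unset the commands are printed;
# inside custom-rules set RUN= (empty) to execute them.
RUN="${RUN-echo}"

# IPv4 address with an optional /prefix.  Hostnames never match: custom-rules
# can run before DNS is up at boot, so only literal addresses are loaded.
IPV4_NET='[0-9]+(\.[0-9]+){3}(/[0-9]+)?'

# Allowed entries of a plain netset file: first field of each uncommented line.
netset_allow() {
    sed -n -E "s|^[[:space:]]*($IPV4_NET)([[:space:]].*)?\$|\1|p" "$1"
}

# Entries marked '#block#1.2.3.4': a comment to netset_allow, a drop entry here.
netset_block() {
    sed -n -E "s|^[[:space:]]*#block#($IPV4_NET)([[:space:]].*)?\$|\1|p" "$1"
}

# host= values of an Asterisk peers file that are literal addresses or
# networks (host=dynamic and DNS names are skipped by IPV4_NET).
peers_allow() {
    sed -n -E "s|^[[:space:]]*host[[:space:]]*=[[:space:]]*($IPV4_NET)([[:space:];].*)?\$|\1|p" "$1"
}

# (Re)build one ipset from the addresses on stdin and hook it into EXT_INPUT.
# hash:net accepts both single addresses and CIDR ranges; -exist makes
# create/add idempotent across firewall reloads; flushing first means an
# address removed from the file also leaves the live set on the next reload.
ipset_ext_input() {
    proto="$1" port="$2" set="$3" target="$4"
    $RUN ipset create -exist "$set" hash:net
    $RUN ipset flush "$set"
    while read -r net; do
        $RUN ipset add -exist "$set" "$net"
    done
    $RUN iptables -A EXT_INPUT -p "$proto" --dport "$port" \
        -m set --match-set "$set" src -j "$target"
}

# Constructed sample inputs (documentation-range addresses).
SAMPLE_NETSET=$(mktemp)
cat > "$SAMPLE_NETSET" <<'EOF'
# allowed SIP peers, one address or CIDR per line
203.0.113.10          # head office
198.51.100.0/24       # carrier range
#block#192.0.2.77     # abusive peer: dropped, not allowed
EOF

SAMPLE_PEERS=$(mktemp)
cat > "$SAMPLE_PEERS" <<'EOF'
[branch1]
type=peer
host=203.0.113.10
[carrier]
host = 198.51.100.0/24 ; whole carrier range
[phone1]
host=dynamic
[trunk]
host=sip.example.net
EOF

# Drop rule first so a blocked address wins even if it is also allowed elsewhere.
netset_block "$SAMPLE_NETSET" | ipset_ext_input udp 5060 udp_sip_block DROP
{ netset_allow "$SAMPLE_NETSET"; peers_allow "$SAMPLE_PEERS"; } |
    ipset_ext_input udp 5060 udp_sip_hosts ACCEPT
```

Run as-is it only prints the ipset and iptables commands for the two sample files, so you can check what would be loaded; editing either file and reloading the firewall is what brings a change into the live sets, which is why the flush is there.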
Hi Lonnie
Thanks for this. Unfortunately I still need to reboot the system for it to
reread the netset rules if I remove an ipset entry.
Here is my custom-rules.conf:
ipset create -exist udp_sip_hosts hash:net
ipset flush udp_sip_hosts
ipset add -exist udp_sip_hosts
iptables -A EXT_INPU
> On Jan 2, 2023, at 10:35 AM, Michael Keuter wrote:
>
>
>
>> On 02.01.2023 at 17:21, Lonnie Abelbeck wrote:
>>
>> Hi Michael,
>>
>> Referring to the "apply_ipset_netset()" function (here [1])
>>
>> Add "-exist" to the "create" and "add" (man-page [2]) commands.
>>
>> Note that you can
> On 02.01.2023 at 17:21, Lonnie Abelbeck wrote:
>
> Hi Michael,
>
> Referring to the "apply_ipset_netset()" function (here [1])
>
> Add "-exist" to the "create" and "add" (man-page [2]) commands.
>
> Note that you can create the ipset from a text file within the
> /etc/arno-iptables-firew
Hi Michael,
Referring to the "apply_ipset_netset()" function (here [1])
Add "-exist" to the "create" and "add" (man-page [2]) commands.
Note that you can create the ipset from a text file within the
/etc/arno-iptables-firewall/custom-rules script. Edit your text file and
reload the firewall.
Hi All
Merry Christmas and Happy New Year.
Just rejuvenating this thread as I am building our new softswitch and playing
with ipset as you offered below.
We have done the following:
Using CLI:
ipset create udp_sip_hosts hash:ip
ipset add udp_sip_hosts
In custom-rules.conf
iptables -A EXT_INPUT
This may be a little off topic, but a while ago I decided to lock down port
5061 and only let in known IP addresses... which might change, so I needed
to open based on DNS lookup. Be aware that DNS service may not be up yet
when the firewall custom rules are executed, especially on system boot.
M
That sounds very interesting. I have a customer using AstLinux as Proxy as well.
Maybe we could document this in the Wiki?
> On 27.09.2021 at 02:54, Lonnie Abelbeck wrote:
>
> Michael,
>
> The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so
> parsing sip.conf using 's
Thanks Lonnie
May even add this to my standard build.
Regards
Michael Knill
On 27/9/21, 10:54 am, "Lonnie Abelbeck" wrote:
Michael,
The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so
parsing sip.conf using 'sed' or such should be reasonably straightforward.
Michael,
The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so
parsing sip.conf using 'sed' or such should be reasonably straightforward.
BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset
(ex. udp_sip_hosts), you can very efficiently match all of
Thanks Lonnie.
Actually now that I think about it, is there any reason why the custom rule
could not parse sip.conf for host= and open up all public IPs?
It would mean that you would need to restart the firewall every time you
modified sip.conf but I'm sure we could build this into our portal v
Hi Michael,
With 300 rules and the same across all your boxes, I would use
/mnt/kd/arno-iptables-firewall/custom-rules to define these.
Very similar to the deny_ext_local() example I posted recently, but the reverse
... pass_ext_local() using -j ACCEPT
Without testing, something like ...
--
pa
Hi Group
I'm looking to have a large number of firewall entries in AstLinux, e.g. 300.
They would be all the same e.g. I want to open port 5060 from multiple sites.
Is there an easier/neater way to do this other than lots of firewall entries in
the Firewall Tab?
Regards
Michael Knill
Managing D