On 8/17/2012 8:54 AM, Tony Graziano wrote:
> The question I had was: is this better implemented in iptables (my
> preference is there) or in the proxy?
>
> In the normal realm of dealing with people who desire to block most or
> all countries from accessing their system to limit exposure. I
> compiled a CIDR list (no space, separated by commas) of all countries
> except USA and saw that it is around 130,000 characters in length (83k
> CIDR entries). So the question begs "what would be the proxy impact of
> this"?
>
> Since it might be easier to implement as a blacklist in the proxy, I
> found it impractical to use because of the 1000 character limit
> imposed. So if we send this to the proxy as a blacklist, I wonder
> about performance.
>
> I have an iptables script that can be run to block this via iptables,
> but it takes at least 10 minutes to turn it on and make it add each
> country zone by script. I am thinking a plugin might be more elegant
> and am looking at cfengine as well. I just need to see how I can marry
> the script to run via a cron job to auto update the zone files and use
> the iptables argument within cfengine.
>
> Ideally we could extend this to sipxconfig and have it manage a script
> and allow the admin to check the countries to be blocked. It really
> makes it simpler to deploy in a virtual center somewhere this way,
> which is where everyone is headed.
>
10 mins seems long. This is what I do:
# Trusted peers go through a dedicated chain that INPUT checks first.
/sbin/iptables -N whitelist
/sbin/iptables -I INPUT -j whitelist
/sbin/iptables -A whitelist -s 192.168.0.0/16 -j ACCEPT
#voipinnovations
/sbin/iptables -A whitelist -s 64.136.174.30 -j ACCEPT
#newyork.voip.ms
/sbin/iptables -A whitelist -s 74.63.41.218 -j ACCEPT
#chicago.voip.ms
/sbin/iptables -A whitelist -s 64.120.22.242 -j ACCEPT

# Per-source rate limit on new SIP traffic (xt_recent): record every new
# source, then reject it once it exceeds 20 hits in 5 min, 10 in 3 min or
# 6 in 1 min.
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 10 -j REJECT
/sbin/iptables -A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 6 -j REJECT

# Older global (not per-source) limits, kept disabled for reference.
#/sbin/iptables -A INPUT -p udp --dport 5060 -m limit --limit 5/s --limit-burst 5 -i eth0 -j REJECT
#/sbin/iptables -A INPUT -p udp --dport 5080 -m limit --limit 5/s --limit-burst 5 -i eth0 -j REJECT

# Drop everything from the abuse list: one address or CIDR per line.
BASE_FILE=/etc/voipabuse.txt
while IFS= read -r line; do
  case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
  /sbin/iptables -A INPUT -s "$line" -j DROP
done < "$BASE_FILE"

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
_______________________________________________
sipx-dev mailing list
sipx-dev@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
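The 10-minute load time Tony describes comes from running one iptables(8) process per CIDR; the usual fix is to generate the whole ruleset as a file and hand it to iptables-restore, which commits it to the kernel in one atomic step. As an added example (not Gerald's script and not part of this thread), the script below builds such a file from a whitelist and a blocklist, keeping Gerald's structure (a whitelist chain checked first, the xt_recent per-source limits, and a bulk DROP list) and skipping malformed lines so one bad entry in a downloaded zone file cannot abort the load. The file names, the chain names (whitelist, geoblock, siplimit), the interface eth0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Gerald's script or anything from this thread: turn a
# whitelist file and a country/abuse blocklist file into ONE iptables-restore
# ruleset, so tens of thousands of CIDRs load in a single atomic kernel commit
# instead of one iptables(8) process per entry. File names, the chain names
# (whitelist, geoblock, siplimit), the interface eth0 and all sample addresses
# are assumptions.

# Report a rejected input line on stderr and keep going.
warn() { printf 'skipping invalid entry: %s\n' "$1" >&2; }

# Read one IPv4 address or CIDR per line from file $1; drop blank lines and
# '#' comments, and print only entries that pass a syntax check (dotted quad
# with an optional /0-32 prefix), so a stray line cannot break the whole load.
valid_entries() {
    while IFS= read -r raw || [ -n "$raw" ]; do
        entry=${raw%%#*}                            # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        if [ -z "$entry" ]; then continue; fi
        if printf '%s\n' "$entry" |
           grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            printf '%s\n' "$entry"
        else
            warn "$raw"
        fi
    done < "$1"
}

# Print iptables-restore input for three user chains:
#   whitelist - trusted peers, accepted before anything else
#   geoblock  - the bulk DROP list
#   siplimit  - the per-source xt_recent limits from the script above
# The INPUT hooks are deliberately not in this output (see install_hooks), so
# the file can be reloaded with --noflush as often as the lists change.
build_ruleset() {
    whitelist_file=$1
    blocklist_file=$2
    echo '*filter'
    echo ':whitelist - [0:0]'
    echo ':geoblock - [0:0]'
    echo ':siplimit - [0:0]'
    valid_entries "$whitelist_file" | while IFS= read -r ip; do
        echo "-A whitelist -s $ip -j ACCEPT"
    done
    valid_entries "$blocklist_file" | while IFS= read -r net; do
        echo "-A geoblock -s $net -j DROP"
    done
    sip='-p udp --dport 5060 -i eth0 -m state --state NEW -m recent'
    echo "-A siplimit $sip --set"
    echo "-A siplimit $sip --rcheck --seconds 300 --hitcount 20 -j REJECT"
    echo "-A siplimit $sip --rcheck --seconds 180 --hitcount 10 -j REJECT"
    echo "-A siplimit $sip --rcheck --seconds 60 --hitcount 6 -j REJECT"
    echo 'COMMIT'
}

# Root only, run after the first restore: hook the chains into INPUT in the
# order whitelist, geoblock, siplimit (inserted in reverse because -I puts
# each one at position 1). iptables -C makes this idempotent for cron runs.
install_hooks() {
    for chain in siplimit geoblock whitelist; do
        /sbin/iptables -C INPUT -j "$chain" 2>/dev/null ||
            /sbin/iptables -I INPUT -j "$chain"
    done
}

# Usage (as root, after the zone files have been refreshed):
#   build_ruleset /etc/sip-allow.txt /etc/geoblock.txt > /tmp/sip.rules
#   /sbin/iptables-restore --noflush < /tmp/sip.rules && install_hooks
```

Loading with `iptables-restore --noflush` leaves the rest of the filter table alone; the chains declared in the file are created on the first load and flushed and refilled on later ones, all within one commit, so a cron-driven refresh never leaves the list half-applied. Note that even when loaded this way, iptables still walks a chain of 83k rules linearly for every packet that reaches it, so for a list of that size an ipset matched with `-m set --match-set` is the lighter-weight kernel structure; the generator above would then emit `add` lines for ipset restore instead of `-A geoblock` rules.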