[OpenSIPS-Users] pike & exec & iptables

Alexey K. kurgan-rus at inbox.ru
Wed May 23 01:55:11 EDT 2018


Hi all.

I use module pike.so and exec.so to automatically add flooding IP addresses to firewall rejecting rules.
The code is as follows:

pike_check_req();
switch ($retcode) {
    case -2:    # detected once - simply drop the request
        exit;
    case -1:    # detected again - ban the IP and drop the request
        exec("/usr/bin/sudo iptables -A INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS' && { echo \"/usr/bin/sudo iptables -D INPUT -s $si -p udp -j DROP -m comment --comment 'blacklisted by OpenSIPS'\" | at now + 5 min; }");
        exit;
}


Everything works fine, except that sometimes too many iptables entries are generated, which are all the same:

root at deb-node-2:~# iptables -L INPUT -vn --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
2        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
3        0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */
... ... ...
87       0     0 DROP       udp  --  *      *       172.16.0.5           0.0.0.0/0            /* blacklisted by OpenSIPS */


So I'm trying to understand what the best way is to generate only one iptables rule.
Is it possible to do this with OpenSIPS, or is the only way to run some script which checks whether there is already an iptables denying rule
and, if so, does not add one more?

-----------------------------------------------
BR, Alexey
http://alexeyka.zantsev.com/

