From: Lonnie A. <li...@lo...> - 2021-09-26 23:47:19
Hi Michael,
With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these.
Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT
Without testing, something like ...
--
pass_ext_local()
{
  local proto="$1" host="$2" port="$3"

  echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port"
  # Quote the arguments so an empty or malformed value cannot be split into
  # extra iptables arguments
  iptables -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
}
## uncomment to enable ##
#pass_ext_local udp 1.2.3.4 5060
#pass_ext_local tcp 1.2.3.0/24 5061
--
If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting.
Again untested ...
--
pass_ext_local_udp_sip()
{
  local host proto="udp" port="5060" IFS
  local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48"

  echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts"

  # A local, unset IFS gives default whitespace splitting of $sip_hosts
  # without disturbing the caller's IFS
  unset IFS
  for host in $sip_hosts; do
    iptables -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
  done
}
pass_ext_local_udp_sip
--
Alternatively, you could define the sip_hosts variable with a file if desired.
Lonnie
> On Sep 26, 2021, at 5:32 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites.
> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab?
>
> Regards
>
> Michael Knill
> Managing Director
>
> D: +61 2 6189 1360
> P: +61 2 6140 4656
> E: mic...@ip...
> W: ipcsolutions.com.au
>
> Smarter Business Communications
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
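
Added example, not Lonnie's code and not part of AstLinux or arno-iptables-firewall: the file-backed variant Lonnie mentions at the end of his reply, i.e. pass_ext_local_udp_sip() reading its host list from a file, with every entry validated as an IPv4 address or network before it reaches iptables, so a typo or a stray word in the file is logged and skipped rather than passed through as an argument. The file path SIP_HOSTS_FILE and the IPTABLES override variable are names assumed here; EXT_INPUT_CHAIN is the chain used in the reply. Setting IPTABLES=echo prints the rules instead of loading them, which lets you dry-run a new host file on a workstation without root.

```shell
# Added example for /mnt/kd/arno-iptables-firewall/custom-rules (not from
# Lonnie's reply or the AstLinux project). SIP_HOSTS_FILE and IPTABLES are
# names assumed here; EXT_INPUT_CHAIN is the chain used in the reply.

SIP_HOSTS_FILE="${SIP_HOSTS_FILE:-/mnt/kd/sip-hosts.txt}"   # hypothetical path
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
# Anything else is rejected, so a stray token in the file can never become an
# unintended iptables argument (e.g. "-j") or a hostname that needs DNS while
# the firewall is still loading.
valid_ipv4_cidr()
{
  local addr="$1" ip prefix octet count IFS

  case "$addr" in
    */*) ip="${addr%/*}" prefix="${addr#*/}" ;;
    *)   ip="$addr" prefix=32 ;;
  esac

  # prefix must be all digits and at most 32
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$prefix" -le 32 ] || return 1

  # address part: digits and dots only, no leading/trailing/double dots
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac

  count=0
  IFS=.
  for octet in $ip; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    count=$((count + 1))
  done
  [ "$count" -eq 4 ]
}

# Append one ACCEPT rule per entry in the file $1. One address or network per
# line (several per line also work); blank lines and text after '#' are
# ignored; entries that fail validation are reported on stderr and skipped.
pass_ext_local_udp_sip_from_file()
{
  local file="$1" proto="udp" port="5060" line host count=0 IFS
  unset IFS   # default whitespace splitting for the per-line host list

  if [ ! -r "$file" ]; then
    echo "[CUSTOM RULE] SIP host file '$file' not readable, no rules added" >&2
    return 1
  fi
  echo "[CUSTOM RULE] Pass EXT->Local for UDP/$port SIP hosts listed in $file"

  set -f   # no pathname expansion while splitting lines into hosts
  while read -r line || [ -n "$line" ]; do
    line="${line%%#*}"   # drop trailing comments
    for host in $line; do
      if valid_ipv4_cidr "$host"; then
        "$IPTABLES" -A EXT_INPUT_CHAIN -s "$host" -p "$proto" --dport "$port" -j ACCEPT
        count=$((count + 1))
      else
        echo "[CUSTOM RULE] Skipping invalid entry '$host' in $file" >&2
      fi
    done
  done < "$file"
  set +f

  echo "[CUSTOM RULE] $count SIP host rule(s) added from $file"
}

## uncomment to enable ##
#pass_ext_local_udp_sip_from_file "$SIP_HOSTS_FILE"
```

The host file is plain text, so the 300 entries can be generated or diffed with ordinary tools and copied to every box unchanged; only the custom-rules file needs the function and the one enabling line. Because the file is read at firewall load time, a rule count at the end that is lower than expected is the signal to check stderr for skipped entries.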