Menu
▾
▴
Re: [Astlinux-users] Large number of Firewall entries
|
From: Michael K. <mic...@ip...> - 2023-01-02 20:26:47
|
Hi Lonnie Thanks for this. Unfortunately I still need to reboot the system for it to reread the netset rules if I remove an ipset entry. Here is my custom-rules.conf: -------- ipset create -exist udp_sip_hosts hash:net ipset flush udp_sip_hosts ipset add -exist udp_sip_hosts <my ip address added here> iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT -------- If I add another IP Address to the list as below and restart the firewall it works fine and I see it when I do an ipset list: ipset add -exist udp_sip_hosts <1st ip address> ipset add -exist udp_sip_hosts <2nd ip address> If I then remove the address and restart the firewall, the address is removed from the list (ipset list confirms this) but the address is still open in the firewall. I cannot remove it unless I reboot the system. Obviously not workable I'm afraid. Regards Michael Knill On 3/1/2023, 3:22 am, "Lonnie Abelbeck" <li...@lo... <mailto:li...@lo...>> wrote: Hi Michael, Referring to the "apply_ipset_netset()" function (here [1]) Add "-exist" to the "create" and "add" (man-page [2]) commands. Note that you can create the ipset from a text file within the /etc/arno-iptables-firewall/custom-rules script. Edit your text file and reload the firewall. Using "ipset create -exist ..." will not fail if the ipset already exists. "ipset flush ..." will clear any pre-existing ipset. Tip -> I would probably use "hash:net" instead of "hash:ip" so you could use CIDRs if you wanted. custom-rules script snippet -- ipset create -exist udp_sip_hosts hash:net ipset flush udp_sip_hosts ## either a one-liner from a text file "sip-whitelist.netset" sed -n -r -e "s/^([0-9][0-9./]+)([[:space:]].*|)$/add -exist udp_sip_hosts \1/p" sip-whitelist.netset | ipset restore ## Or, loop getting IPv4s from a text file "sip-whitelist.netset" ipset add -exist udp_sip_hosts <IP Address> ## done-loop iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT -- Lonnie [1] https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275 <https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275> [2] https://ipset.netfilter.org/ipset.man.html <https://ipset.netfilter.org/ipset.man.html> > On Jan 1, 2023, at 11:44 PM, Michael Knill <mic...@ip... <mailto:mic...@ip...>> wrote: > > Hi All > Merry Christmas and Happy New Year. > > Just rejuvenating this thread as I am building our new softswitch and playing with ipset as you offered below. > We have done the following: > > Using CLI: > ipset create udp_sip_hosts hash:ip > ipset add udp_sip_hosts <IP Address> > > In custom-rules.conf > iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT > > It all seems to work fine but I obviously am an iptables noob as I have no idea what to do when I make changes to the ipset as it does not change even after a firewall restart. > I'm sure there is something I need to do which will get iptables to reread the ipset? > > Thanks guys. > > Regards > Michael Knill > > > > On 27/9/2021, 10:54 am, "Lonnie Abelbeck" <li...@lo... <mailto:li...@lo...> <mailto:li...@lo... <mailto:li...@lo...>>> wrote: > > > Michael, > > > The /mnt/kd/arno-iptables-firewall/custom-rules is a basic shell script, so parsing sip.conf using 'sed' or such should be reasonably straightforward. > > > BTW, for extra credit, if you combined all the allowed SIP IPs into an ipset (ex. udp_sip_hosts), you can very efficiently match all of them with only one rule: > -- > iptables -A EXT_INPUT_CHAIN -m set --match-set udp_sip_hosts src -p udp --dport 5060 -j ACCEPT > -- > That would allow you to rebuild only the "udp_sip_hosts" ipset when the sip.conf got changed, without rebuilding the firewall. Though requires some 'ipset' command knowledge, though not complex at all. > > > Example 'ipset' usage in AstLinux: > https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275 <https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275> <https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275> <https://github.com/astlinux-project/astlinux/blob/d95ba9c3914b135da4440cb95f32af61a41d4650/package/arnofw/aif/bin/arno-iptables-firewall#L4275>> > > > If you only use IPv4 a lot of the example can be simplified. > > > Lonnie > > > > > > >> On Sep 26, 2021, at 7:17 PM, Michael Knill <mic...@ip... <mailto:mic...@ip...> <mailto:mic...@ip... <mailto:mic...@ip...>>> wrote: >> >> Thanks Lonnie. >> >> Actually now that I think about it, is there any reason why the custom rule could not parse sip.conf for host=<IP Address> and open up all Public IP's? >> It would mean that you would need to restart the firewall every time you modified sip.conf but I'm sure we could build this into our portal very simply. >> >> Regards >> Michael Knill >> >> On 27/9/21, 9:47 am, "Lonnie Abelbeck" <li...@lo... <mailto:li...@lo...> <mailto:li...@lo... <mailto:li...@lo...>>> wrote: >> >> Hi Michael, >> >> With 300 rules and the same across all your boxes, I would use /mnt/kd/arno-iptables-firewall/custom-rules to define these. >> >> Very similar to the deny_ext_local() example I posted recently, but the reverse ... pass_ext_local() using -j ACCEPT >> >> Without testing, something like ... >> -- >> pass_ext_local() >> { >> local proto="$1" host="$2" port="$3" >> >> echo "[CUSTOM RULE] Pass EXT->Local for Proto: $proto, Host: $host, Port: $port" >> iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT >> } >> ## uncomment to enable ## >> #pass_ext_local udp 1.2.3.4 5060 >> #pass_ext_local tcp 1.2.3.0/24 5061 >> -- >> >> If you only use udp/5060, you could simplify things, maybe only one "echo" statement and a variable defining all 300 IPs. Generic shell scripting. >> >> Again untested ... >> -- >> pass_ext_local_udp_sip() >> { >> local host proto="udp" port="5060" IFS >> local sip_hosts="1.2.3.4 1.22.33.40 1.22.33.41 1.22.33.42 1.22.33.43 1.22.33.44 1.22.33.45 1.22.33.46 1.22.33.47 1.22.33.48" >> >> echo "[CUSTOM RULE] Pass EXT->Local for UDP/5060 SIP Hosts" >> unset IFS >> for host in $sip_hosts; do >> iptables -A EXT_INPUT_CHAIN -s $host -p $proto --dport $port -j ACCEPT >> done >> } >> pass_ext_local_udp_sip >> -- >> >> Alternatively, you could define the sip_hosts variable with a file if desired. >> >> Lonnie >> >> >> >> >> >>> On Sep 26, 2021, at 5:32 PM, Michael Knill <mic...@ip... <mailto:mic...@ip...> <mailto:mic...@ip... <mailto:mic...@ip...>>> wrote: >>> >>> Hi Group >>> >>> I'm looking to have a large number of firewall entries in Astlinux e.g. 300. They would be all the same e.g. I want to open port 5060 from multiple sites. >>> Is there an easier/neater way to do this other than lots of firewall entries in the Firewall Tab? >>> >>> Regards >>> >>> Michael Knill >>> Managing Director >>> >>> D: +61 2 6189 1360 >>> P: +61 2 6140 4656 >>> E: mic...@ip... <mailto:mic...@ip...> <mailto:mic...@ip... <mailto:mic...@ip...>> >>> W: ipcsolutions.com.au >>> >>> <image001.png> >>> Smarter Business Communications >>> >>> _______________________________________________ >>> Astlinux-users mailing list >>> Ast...@li... <mailto:Ast...@li...> <mailto:Ast...@li... <mailto:Ast...@li...>> >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users>> >>> >>> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...> <mailto:pa...@kr... <mailto:pa...@kr...>>. >> >> >> >> _______________________________________________ >> Astlinux-users mailing list >> Ast...@li... <mailto:Ast...@li...> <mailto:Ast...@li... <mailto:Ast...@li...>> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users>> >> >> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...> <mailto:pa...@kr... <mailto:pa...@kr...>>. >> >> >> _______________________________________________ >> Astlinux-users mailing list >> Ast...@li... <mailto:Ast...@li...> <mailto:Ast...@li... <mailto:Ast...@li...>> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users>> >> >> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...> <mailto:pa...@kr... <mailto:pa...@kr...>>. > > > > > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... <mailto:Ast...@li...> <mailto:Ast...@li... <mailto:Ast...@li...>> > https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users> <https://lists.sourceforge.net/lists/listinfo/astlinux-users>> > > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...> <mailto:pa...@kr... <mailto:pa...@kr...>>. > > > _______________________________________________ > Astlinux-users mailing list > Ast...@li... <mailto:Ast...@li...> > https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> > > Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...>. _______________________________________________ Astlinux-users mailing list Ast...@li... <mailto:Ast...@li...> https://lists.sourceforge.net/lists/listinfo/astlinux-users <https://lists.sourceforge.net/lists/listinfo/astlinux-users> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr... <mailto:pa...@kr...>. |
