iptables prerouting rules

VitalPBX Community Support General Discussion iptables prerouting rules

Up
0
Down
  • Post
    • November 11, 2019 at 11:49 pm
    Up
    0
    Down
    samiam123
    Participant

    Why are the following rules in raw prerouting iptables?
    Unless I am mistaken, this would cause every packet to have to go through these CPU heavy rules.  Shouldn’t these rules go into filter chain after conntrack, so that only new connections are checked?  Not all packets for new and established connections like they would be in raw prerouting.

    <rule priority="0" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string friendly-scanner -j sip_ddos</rule>

      <rule priority="1" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sundayddr -j sip_ddos</rule>

      <rule priority="2" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sipsak -j sip_ddos</rule>

      <rule priority="3" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string iWar -j sip_ddos</rule>

      <rule priority="4" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sip-scan -j sip_ddos</rule>

      <rule priority="5" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo kmp --string hinet.net -j sip_ddos</rule>

      <rule priority="6" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo kmp --string sipcli -j sip_ddos</rule>

      <rule priority="7" table="raw" ipv="ipv4" chain="PREROUTING">-p all -m string --algo bm --string sipvicious -j sip_ddos</rule>



    0
Viewing 3 replies - 1 through 3 (of 3 total)
  • Replies
    • November 11, 2019 at 11:54 pm
    Up
    0
    Down
    Jose Miguel Rivera
    Keymaster
    NI

    You may post your suggestion about how these rules must be defined.

    0
    • November 12, 2019 at 6:56 pm
    Up
    0
    Down
    samiam123
    Participant

    Hello, this modified /etc/firewalld/direct.xml file seems to work but could probably be improved further.  This still does not isolate SIP ports but still a big improvement imo.  Should reduce load and improve latency for everyone.  Should reduce load and improve throughput considerably on really busy servers.

     

     
    0
    • November 12, 2019 at 8:57 pm
    Up
    0
    Down
    Jose Miguel Rivera
    Keymaster
    NI

    Thanks,

    We’ll have it in mind.

    0
Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.