### Block Pings? YES | NO
BLOCKPINGS="NO"
+### Whitelist of IP ranges
+SIP_WHITELIST="/etc/network/sip_whitelist.fw"
+
############# End General Configration ############
## Setup IP Forwarding
IPT="/sbin/iptables"
+
### set firewall mode
if echo "$1" | grep -q nolog || [ $LOGDENY = "NO" ]
- then
- FW="firewall-nolog"
- else
- FW="firewall"
+then
+ FW="firewall-nolog"
+else
+ FW="firewall"
fi
######## Port Forwarding ##########
### Nat incoming connections for Evergreen SIP service.
-iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+
+
+### If whitelist exists then use it from whitelist $SIP_WHITELIST
+if [ -e "${SIP_WHITELIST}" ]
+then
+ for ADDR in $(grep -v "^#" $SIP_WHITELIST | grep -v "-")
+ do
+ $IPT -t nat -A PREROUTING -i $EXTERNAL_IF -s $ADDR -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+ done
+ for ADDR in $(grep -v "^#" $SIP_WHITELIST | grep "-")
+ do
+ $IPT -t nat -A PREROUTING -i $EXTERNAL_IF -m iprange --src-range $ADDR -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+ done
+else ### we simply use the old way and forward any connection to the SIP servers.
+ iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+fi
####### End Port Forwarding #######
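Review bot: In the two added `for ADDR in $(grep …)` loops, every whitespace-separated word of `$SIP_WHITELIST` reaches `$IPT` unquoted and unvalidated as `-s` or `--src-range`, so a trailing comment, a stray word or a glob character on a line becomes a rule argument, and `-s` also accepts a hostname that is resolved when the rule is loaded. Reading the file line by line, taking only the first field and skipping anything that is not digits, dots, `/` or `-` keeps malformed entries out of the NAT table; the sketch below does that (IPv4 only, one entry per line) and quotes `$EXTERNAL_IF` and the file path. The `else` branch fails open: when the file is missing or the path is mistyped, port 6001 is forwarded from any source with no message, so it should at least log that the whitelist was not applied, and it calls bare `iptables` rather than `$IPT`. Because this file now decides who can reach the SIP servers, it should be root-owned and not writable by anyone else.

```shell
if [ -e "${SIP_WHITELIST}" ]
then
 # One entry per line; anything after the first field is ignored.
 while read -r ADDR REST
 do
  case "$ADDR" in
   ''|'#'*) continue ;;
   *[!0-9./-]*) echo "sip_whitelist: skipping invalid entry: $ADDR" >&2 ;;
   *-*) $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" -m iprange --src-range "$ADDR" -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001 ;;
   *) $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" -s "$ADDR" -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001 ;;
  esac
 done < "$SIP_WHITELIST"
else
 echo "sip_whitelist: $SIP_WHITELIST not found, forwarding port 6001 from any source" >&2
 # … unchanged: fallback DNAT rule without a source match …
fi
```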