From: Andy Witter Date: Tue, 9 Apr 2019 14:46:07 +0000 (-0400) Subject: Add support to limit SIP connections with a whitelist. X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=76dc16c2f7242d3a5d32ae91e6668919669f91cf;p=contrib%2Fpines%2Fgenasys.git Add support to limit SIP connections with a whitelist.
---
diff --git a/templates/lvs/iptables-rules.fw b/templates/lvs/iptables-rules.fw
index f4f55e1..a546117 100755
--- a/templates/lvs/iptables-rules.fw
+++ b/templates/lvs/iptables-rules.fw
@@ -21,6 +21,9 @@ LOGDENY="YES"
 ### Block Pings? YES | NO
 BLOCKPINGS="NO"
+### Whitelist of IP ranges
+SIP_WHITELIST="/etc/network/sip_whitelist.fw"
+
 ############# End General Configration ############
 ## Setup IP Forwarding
@@ -29,12 +32,13 @@ echo "1" > /proc/sys/net/ipv4/ip_forward
 IPT="/sbin/iptables"
+
 ### set firewall mode
 if echo "$1" | grep -q nolog || [ $LOGDENY = "NO" ]
- then
- FW="firewall-nolog"
- else
- FW="firewall"
+then
+ FW="firewall-nolog"
+else
+ FW="firewall"
 fi
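Review bot: The format of the file named by `SIP_WHITELIST` is only implied by the parsing loops further down in the script (one address per line, lines starting with `#` skipped, a `-` selecting the range form), so a reader of this configuration block cannot tell what to put in it; document it next to the variable, e.g. `### One entry per line: a.b.c.d, a.b.c.d/nn or a.b.c.d-e.f.g.h; lines starting with '#' are ignored`. Since every entry is later passed straight to iptables as an argument, it is also worth noting here that the file should be owned and writable by root only, like the rules script itself.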
@@ -62,7 +66,22 @@ $IPT -A INPUT -s "$PRIVATE_NET" -d 0/0 -j ACCEPT
 ######## Port Forwarding ##########
 ### Nat incoming connections for Evergreen SIP service.
-iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+
+
+### If whitelist exists then use it from whitelist $SIP_WHITELIST
+if [ -e "${SIP_WHITELIST}" ]
+then
+ for ADDR in $(grep -v "^#" $SIP_WHITELIST | grep -v "-")
+ do
+ $IPT -t nat -A PREROUTING -i $EXTERNAL_IF -s $ADDR -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+ done
+ for ADDR in $(grep -v "^#" $SIP_WHITELIST | grep "-")
+ do
+ $IPT -t nat -A PREROUTING -i $EXTERNAL_IF -m iprange --src-range $ADDR -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+ done
+else ### we simply use the old way and forward any connection to the SIP servers.
+ iptables -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
+fi
 ####### End Port Forwarding #######
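Review bot: The whitelist entries reach iptables unquoted and unvalidated in both `for ADDR` loops: `grep -v "^#"` drops only lines that start with `#`, so an entry followed by a trailing comment or stray whitespace is split into several `$ADDR` tokens, any line containing a `-` anywhere is routed to the `--src-range` branch, and the exit status of `$IPT` is never checked, so one bad line leaves the DNAT rule set silently incomplete. The `else` branch also means a missing or mistyped `$SIP_WHITELIST` path fails open to the old unrestricted DNAT, while a file that yields no usable entries installs no SIP rule at all, so stating on stderr which mode was chosen would make a misconfiguration visible; the fallback additionally still calls `iptables` directly rather than `$IPT`. I would read the file line by line, strip comments and whitespace, reject entries with characters outside `0-9./-`, quote `$EXTERNAL_IF` and `$ADDR`, and report entries iptables rejects; the `if … fi` block is entirely within the hunk.

```shell
### If whitelist exists then use it from whitelist $SIP_WHITELIST
if [ -e "${SIP_WHITELIST}" ]
then
  ### One entry per line: a.b.c.d, a.b.c.d/nn or a.b.c.d-e.f.g.h; text after '#' is ignored.
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$SIP_WHITELIST" |
  while IFS= read -r ADDR
  do
    case "$ADDR" in
      "") continue ;;
      *[!0-9./-]*)
        echo "sip whitelist: ignoring malformed entry '$ADDR'" >&2
        continue ;;
      *-*) MATCH="-m iprange --src-range $ADDR" ;;
      *)   MATCH="-s $ADDR" ;;
    esac
    ### $MATCH is deliberately unquoted; ADDR was checked above to contain no whitespace.
    $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" $MATCH -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001 \
      || echo "sip whitelist: iptables rejected entry '$ADDR'" >&2
  done
else ### we simply use the old way and forward any connection to the SIP servers.
  echo "sip whitelist: $SIP_WHITELIST not found, forwarding SIP from any source" >&2
  $IPT -t nat -A PREROUTING -i "$EXTERNAL_IF" -p tcp --dport 6001 -j DNAT --to-destination Priv_NET.131-Priv_NET.132:6001
fi
```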