On 6/30/08, David Backeberg <[EMAIL PROTECTED]> wrote:
> The thing I was mentioning about hashing addresses is already in the
> kernel, check out:
> hashlimit on google,
> or net/netfilter/xt_hashlimit.c in your favorite 2.6 kernel source
>
> The other cases you mention could be done with multiple rules,
> especially if you know good subnets / netmasks.
>
Exactly. I was thinking something like this (totally untested and raw):

# Create our chain, then send the right traffic through it
$IPTABLES -N sipdos
$IPTABLES -A INPUT -i $IFACE -m udp -p udp --dport 5060 -j sipdos

# INVITE limit
$IPTABLES -A sipdos -m string --string INVITE --algo bm \
  -m hashlimit --hashlimit $IRATE/minute --hashlimit-mode srcip,dstport \
  --hashlimit-name sip_i_limit -j ACCEPT

# REGISTER limit
$IPTABLES -A sipdos -m string --string REGISTER --algo bm \
  -m hashlimit --hashlimit $RRATE/minute --hashlimit-mode srcip,dstport \
  --hashlimit-name sip_r_limit -j ACCEPT

# All other SIP methods...
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE/minute \
  --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT

# DROP everything else
$IPTABLES -A sipdos -j DROP

It would still be nice to have something a bit smarter (keep track of
INVITEs and 407s, for instance) and I don't like using the string match.
The "all other SIP methods" rule is dicey too because of things like
OPTIONS, SUBSCRIBE, etc.

--
Kristian Kielhofner
NOT sent from my iPhone or Blackberry
_______________________________________________
asterisk-users mailing list
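Added example, not from Kristian's post or the kernel: a small Python model of how the sipdos chain above behaves, with one token bucket per (rule, source IP, destination port) the way xt_hashlimit keys on srcip,dstport, and packets classified by the same naive substring test that `-m string` performs. Rates, the burst of 5 (hashlimit's default) and the sample datagrams are assumed; it shows both the per-source limiting and why the string match is dicey (an OPTIONS request whose Allow header lists INVITE is counted against the INVITE limit).

```python
"""Model of the sipdos iptables chain: per-(rule, srcip, dstport) token
buckets approximating xt_hashlimit, fed by a substring classifier that
mirrors `-m string --string INVITE`. Sample traffic is constructed."""

# Assumed rates in packets/minute ($IRATE, $RRATE, $ORATE) and hashlimit's
# default --hashlimit-burst of 5 (the bucket starts full at this value).
RATES = {"INVITE": 10, "REGISTER": 10, "OTHER": 20}
BURST = 5


class SipDosChain:
    def __init__(self, rates=RATES, burst=BURST):
        self.rates = rates
        self.burst = burst
        self.buckets = {}  # (class, srcip, dport) -> [tokens, last_seen]

    @staticmethod
    def classify(payload: bytes) -> str:
        # Same order as the chain: the INVITE rule is checked first, and the
        # string match looks anywhere in the datagram, not just the request
        # line, so a header mentioning INVITE is enough to take this branch.
        if b"INVITE" in payload:
            return "INVITE"
        if b"REGISTER" in payload:
            return "REGISTER"
        return "OTHER"  # the catch-all hashlimit rule (OPTIONS, SUBSCRIBE...)

    def filter(self, t: float, src: str, dport: int, payload: bytes) -> str:
        """Return the verdict ("ACCEPT"/"DROP") for one UDP datagram at time t."""
        cls = self.classify(payload)
        key = (cls, src, dport)  # --hashlimit-mode srcip,dstport per rule name
        bucket = self.buckets.setdefault(key, [float(self.burst), t])
        # Refill at rate/60 tokens per second, never above the burst size.
        bucket[0] = min(self.burst, bucket[0] + (t - bucket[1]) * self.rates[cls] / 60)
        bucket[1] = t
        if bucket[0] >= 1:
            bucket[0] -= 1
            return "ACCEPT"
        return "DROP"  # hashlimit did not match, so the final -j DROP fires


if __name__ == "__main__":
    chain = SipDosChain()
    invite = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5\r\n"
    for _ in range(7):  # a burst from one source: 5 accepted, then dropped
        print(chain.filter(0.0, "10.0.0.5", 5060, invite))
    print(chain.filter(6.0, "10.0.0.5", 5060, invite))  # one token refilled
    options = b"OPTIONS sip:alice@example.com SIP/2.0\r\nAllow: INVITE, ACK, BYE\r\n"
    print(SipDosChain.classify(options))  # misclassified as INVITE
```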
