iptables based rate limiting
Gist: warewolf/c9c8cd990920a09b5149
Last active: February 8, 2022 16:52
# Chain declarations (not in the original gist): needed so this fragment loads with iptables-restore, since the -A rules below reference these chains.
:SIP - [0:0]
:SIPINVITE - [0:0]
:SIPREGISTER - [0:0]
#
# Hand all inbound SIP on eth0 to the SIP chain.
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j SIP
#
# Classify by SIP method. --from/--to are byte offsets counted from the start of the IP header;
# with a 20-byte IPv4 header and an 8-byte UDP header the SIP request line begins at byte 28,
# so verify these search windows against a packet capture before relying on them.
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j SIPINVITE
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j SIPREGISTER
-A SIP -m comment --comment "Catch and accept everything else" -j ACCEPT
#
# INVITEs: 4 per minute (burst 4) per source /24 towards each destination address and port;
# anything over that is logged (the LOG rule itself is capped at 10 lines per minute) and rejected.
-A SIPINVITE -m hashlimit --hashlimit-upto 4/min --hashlimit-burst 4 --hashlimit-mode srcip,dstip,dstport --hashlimit-name anon-sip-rateinv --hashlimit-srcmask 24 -m comment --comment "Rate limit SIP invites" -j ACCEPT
-A SIPINVITE -m limit --limit 10/min -j LOG --log-prefix "SIPINV DROP: "
-A SIPINVITE -m comment --comment "Rate limit exceeded, reject" -j REJECT
#
# REGISTERs: 6 per hour (burst 6) per source /24, with the same log-then-reject tail.
-A SIPREGISTER -m hashlimit --hashlimit-upto 6/hour --hashlimit-burst 6 --hashlimit-mode srcip,dstip,dstport --hashlimit-name anon-sip-ratereg --hashlimit-srcmask 24 -m comment --comment "Rate limit SIP registers" -j ACCEPT
-A SIPREGISTER -m limit --limit 10/min -j LOG --log-prefix "SIPREG DROP: "
-A SIPREGISTER -m comment --comment "Rate limit exceeded, reject" -j REJECT
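The two LOG rules write "SIPINV DROP: " and "SIPREG DROP: " lines into the kernel log, which is the only visibility this ruleset gives you into who is tripping the limits. The script below is an added example, not part of warewolf's gist: it parses syslog-style kernel log lines in the shape the LOG target emits, groups rejected packets by source /24 (mirroring --hashlimit-srcmask 24, so the buckets match what the kernel is actually limiting) and counts them. The sample log lines, hostnames, MAC address and IP addresses are constructed for the example; the function and variable names are the example's own.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample kernel log lines in the layout the LOG target produces for
# the "SIPINV DROP: " and "SIPREG DROP: " prefixes. Host "pbx", the MAC string
# and the RFC 5737 documentation addresses are all made up for this example.
SAMPLE_LOG = """\
Feb  8 16:52:01 pbx kernel: SIPINV DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=640 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=UDP SPT=5060 DPT=5060 LEN=620
Feb  8 16:52:02 pbx kernel: SIPINV DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.46 DST=198.51.100.10 LEN=640 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=UDP SPT=5061 DPT=5060 LEN=620
Feb  8 16:52:05 pbx kernel: SIPREG DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.9 DST=198.51.100.10 LEN=512 TOS=0x00 PREC=0x00 TTL=47 ID=3 DF PROTO=UDP SPT=5060 DPT=5060 LEN=492
Feb  8 16:52:07 pbx sshd[1234]: Accepted publickey for alice from 192.0.2.200 port 52211
Feb  8 16:52:09 pbx kernel: SIPINV DROP: IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.77 DST=198.51.100.10 LEN=640 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=UDP SPT=5060 DPT=5060 LEN=620
"""

# Only lines carrying one of the two prefixes from the ruleset are of interest;
# SRC= and DPT= are the fields the LOG target prints for the source address and
# destination port.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>SIP(?:INV|REG) DROP): "
    r".*?\bSRC=(?P<src>[0-9.]+)\b"
    r".*?\bDPT=(?P<dpt>\d+)\b"
)


def parse_drops(text):
    """Yield (prefix, source_ip, dest_port) for every line written by the LOG rules."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("prefix"), m.group("src"), int(m.group("dpt"))


def summarize_by_source_net(text, srcmask=24):
    """Count logged rejections per (prefix, source network).

    srcmask defaults to 24 to mirror --hashlimit-srcmask 24 in the ruleset, so
    each bucket here corresponds to one bucket the kernel is rate limiting.
    """
    counts = Counter()
    for prefix, src, _dport in parse_drops(text):
        net = ipaddress.ip_network(f"{src}/{srcmask}", strict=False)
        counts[(prefix, str(net))] += 1
    return counts


if __name__ == "__main__":
    # The LOG rules are themselves limited to 10 lines/min, so these counts are
    # a floor on the number of rejected packets, not an exact figure.
    for (prefix, net), n in summarize_by_source_net(SAMPLE_LOG).most_common():
        print(f"{prefix:<12} {net:<18} {n} logged rejection(s)")
```

Run it against a real log with `summarize_by_source_net(open("/var/log/kern.log").read())` (path is an assumption; use wherever your syslog writes kernel messages). Because the `-m limit --limit 10/min` on the LOG rules suppresses log lines under sustained flooding, treat the counts as a lower bound and the set of source networks as the useful signal.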