iptables based rate limiting (gist crawc/ab5219fa138fddd1fb4101f8d288238b)
# User-defined chains referenced below. These declarations are iptables-restore
# syntax and must precede the rules (with the iptables command use
# "iptables -N SIP" etc. instead); without them the -j SIP jumps fail to load.
:SIP - [0:0]
:SIPINVITE - [0:0]
:SIPREGISTER - [0:0]
#
# Hand all inbound SIP-over-UDP traffic on eth0 to the SIP chain
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j SIP
#
# Classify by request method with a string search confined to a byte window
# near the start of the UDP payload, so a method name deeper in the message
# body does not trigger the rule
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "INVITE" --algo bm --from 23 --to 28 -m comment --comment "Catch SIP INVITEs" -j SIPINVITE
-A SIP -i eth0 -p udp -m udp --dport 5060 -m string --string "REGISTER" --algo bm --from 23 --to 30 -m comment --comment "Catch SIP REGISTERs" -j SIPREGISTER
-A SIP -m comment --comment "Catch and accept everything else" -j ACCEPT
#
# hashlimit is a per-key token bucket: --hashlimit-burst is the bucket size,
# --hashlimit-upto the refill rate. The key is srcip/dstip/dstport with the
# source masked to /24, so every host in a source /24 shares one bucket.
# Packets that exceed the limit fall through to the rate-limited LOG and REJECT.
-A SIPINVITE -m hashlimit --hashlimit-upto 4/min --hashlimit-burst 4 --hashlimit-mode srcip,dstip,dstport --hashlimit-name anon-sip-rateinv --hashlimit-srcmask 24 -m comment --comment "Rate limit SIP invites" -j ACCEPT
-A SIPINVITE -m limit --limit 10/min -j LOG --log-prefix "SIPINV DROP: "
-A SIPINVITE -m comment --comment "Rate limit exceeded, reject" -j REJECT
#
-A SIPREGISTER -m hashlimit --hashlimit-upto 6/hour --hashlimit-burst 6 --hashlimit-mode srcip,dstip,dstport --hashlimit-name anon-sip-ratereg --hashlimit-srcmask 24 -m comment --comment "Rate limit SIP registers" -j ACCEPT
-A SIPREGISTER -m limit --limit 10/min -j LOG --log-prefix "SIPREG DROP: "
-A SIPREGISTER -m comment --comment "Rate limit exceeded, reject" -j REJECT
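The following Python model is an added example, not part of the gist. It replays constructed SIP requests through the same decision path the rules encode (method classification, then a hashlimit keyed by srcip masked to /24, dstip and dstport, with burst as bucket size and upto as refill rate) so the effect of `--hashlimit-burst 4` plus `--hashlimit-upto 4/min` and of the /24 source mask can be seen on concrete timestamps. It also tallies constructed kernel LOG lines carrying the gist's `SIPINV DROP:` / `SIPREG DROP:` prefixes per source /24. The token-bucket arithmetic is an approximation of xt_hashlimit's integer credit accounting, not a reimplementation, and the method is taken from the parsed request rather than from the rules' byte-offset string search.

```python
"""Model of the gist's SIP rate-limit chains (added example, not the gist's code)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class HashLimit:
    """Token-bucket approximation of -m hashlimit with mode srcip,dstip,dstport."""
    upto_per_min: float   # --hashlimit-upto, normalised to packets per minute
    burst: int            # --hashlimit-burst: maximum tokens a bucket holds
    srcmask: int          # --hashlimit-srcmask: prefix length applied to srcip
    buckets: dict = field(default_factory=dict)  # key -> (tokens, last_seen_ts)

    def _key(self, src, dst, dport):
        net = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        return (str(net), dst, dport)

    def allow(self, src, dst, dport, ts):
        """True when a token is available (the hashlimit rule matches -> ACCEPT)."""
        key = self._key(src, dst, dport)
        tokens, last = self.buckets.get(key, (float(self.burst), ts))
        tokens = min(float(self.burst), tokens + (ts - last) * self.upto_per_min / 60.0)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, ts)
            return True
        self.buckets[key] = (tokens, ts)  # empty bucket: packet falls through to LOG/REJECT
        return False


def sip_verdicts(packets, dst="192.0.2.10", dport=5060):
    """Walk SIP -> SIPINVITE / SIPREGISTER for (timestamp_s, src, method) tuples."""
    invite_limit = HashLimit(upto_per_min=4, burst=4, srcmask=24)        # 4/min, burst 4
    register_limit = HashLimit(upto_per_min=6 / 60, burst=6, srcmask=24)  # 6/hour, burst 6
    verdicts = []
    for ts, src, method in packets:
        if method == "INVITE":
            verdicts.append("ACCEPT" if invite_limit.allow(src, dst, dport, ts) else "REJECT")
        elif method == "REGISTER":
            verdicts.append("ACCEPT" if register_limit.allow(src, dst, dport, ts) else "REJECT")
        else:
            verdicts.append("ACCEPT")  # "Catch and accept everything else"
    return verdicts


# Constructed traffic: timestamps in seconds, sources in documentation ranges
INVITE_TRAFFIC = [
    (0, "10.0.0.5", "INVITE"), (1, "10.0.0.5", "INVITE"),
    (2, "10.0.0.5", "INVITE"), (3, "10.0.0.5", "INVITE"),   # burst of 4 accepted
    (4, "10.0.0.5", "INVITE"), (5, "10.0.0.5", "INVITE"),   # bucket empty: rejected
    (6, "10.0.0.77", "INVITE"),   # same /24 shares the empty bucket: rejected
    (6, "10.0.1.9", "INVITE"),    # different /24 gets a fresh bucket: accepted
    (6, "10.0.0.5", "OPTIONS"),   # neither string rule matches: accepted
    (20, "10.0.0.5", "INVITE"),   # 14 s at 4/min refilled ~0.93 tokens, plus the 0.4 left
]
REGISTER_TRAFFIC = [(t, "198.51.100.2", "REGISTER") for t in range(7)]  # 7 in 7 seconds

# Constructed kernel log lines in the shape netfilter's LOG target emits.
# The LOG rules sit behind "-m limit --limit 10/min", so counts here undercount.
LOG_RE = re.compile(r"(SIPINV|SIPREG) DROP: .*?SRC=(\S+) .*?DPT=(\d+)")
SAMPLE_LOG = [
    "kernel: SIPINV DROP: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060",
    "kernel: SIPINV DROP: IN=eth0 OUT= SRC=10.0.0.77 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060",
    "kernel: SIPREG DROP: IN=eth0 OUT= SRC=198.51.100.2 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060",
    "kernel: unrelated message",
]


def drops_per_net(lines, srcmask=24):
    """Count rejected INVITE/REGISTER attempts per source /24 from LOG output."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group(2)}/{srcmask}", strict=False)
        counts[(m.group(1), str(net))] += 1
    return counts


if __name__ == "__main__":
    for pkt, verdict in zip(INVITE_TRAFFIC, sip_verdicts(INVITE_TRAFFIC)):
        print(pkt, "->", verdict)
    print(sip_verdicts(REGISTER_TRAFFIC))
    print(dict(drops_per_net(SAMPLE_LOG)))
```

The /24 mask is the point worth checking before deploying: a NATed office or a carrier-grade NAT behind one /24 shares a single bucket of four INVITEs per minute, so legitimate callers behind it are rejected together with an abusive neighbour. Narrowing `--hashlimit-srcmask` or raising the limit trades that collateral impact against flood protection.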