<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
I think that you need to add some changes to the RULE sentence, or add some others:<BR>
<BR>
iptables -I INPUT -p TCP -s 87.230.90.5 --dport 5060 -j REJECT (yes, it needs the -j)<BR>
<BR>
The former needs the -j in any rule; this tells the iptables modules which target to JUMP to when the condition is matched or satisfied.<BR>
<BR>
In this rule you are telling iptables that all the packets coming from this source IP, having the TCP protocol and pointed at the destination port,<BR>
must jump to ----------&gt; another module or action... in this case REJECT or DROP, or a custom CHAIN (i.e. BADGUYS) where you specify new rules to "treat" the bad guys.<BR>
<BR>
Having said this, some suggestions follow....<BR>
<BR>
<BR>
<BR>
1) Change "-A INPUT" to "-I INPUT" so the rule will be inserted at the top, avoiding travelling through other rules that make no sense here :-) , must hurry to block the enemy!!!!<BR>
<BR>
2) Change -p tcp (must be in lower case) to -p all (if your version supports it), or insert two rules, one for "udp" and another for "tcp", if your PBX accepts registration on TCP connections; or just don't put anything in the protocol parameter: iptables -I INPUT -s 87.230.90.5 -j REJECT must block any packet from this source, regardless of protocol or port. Check your SIP conf to know if you accept registration on TCP; former Asterisk versions (1.4 or lower) DON'T.<BR>
<BR>
3) Change REJECT (this creates outgoing traffic replying "rejected") to DROP (just leave the packet on the floor :-) ).<BR>
<BR>
4) Add -i ethX if you have more than one Ethernet or network adapter (this means on which device to apply the filter); more effective, less load to SPI the packet.<BR>
<BR>
<BR>
5) If you have a router/bridge (brX interface on the Linux box for QoS; a br is made with two or more interfaces "bridged" at layer 2) and/or you have enabled forwarding between two interfaces, some rule must also be applied to the FORWARD chain, or to the OUTPUT chain on the interface that connects to your PBX, regarding the source IP address -s 87.230.90.5, to avoid outgoing traffic from this source to your PBX, because INPUT ONLY APPLIES TO THOSE PACKETS THAT GO INTO THE BOX, NOT TO pass-through or forwarded ones... be careful with that.<BR>
<BR>
Once you have written the filter you can check if it is working using "iptables -L -vn"; this shows the packets that matched the rules.<BR>
<BR>
Example follows:<BR>
<BR>
log]# iptables -L -vn<BR>
<BR>
prints something like this:<BR>
<BR>
<BR>
<pre>
Chain INPUT (policy ACCEPT 16M packets, 1614M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   144 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1712:1720
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1712:1720
   20   824 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  252 13772 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 1958M bytes)
 pkts bytes target     prot opt in     out     source               destination
</pre>
<BR>
Note that here I block the H.323 ports, SSH and MySQL from any source<BR>
on the in interface eth1, and as you can see at the bottom there is a listing for the other CHAINS.<BR>
<BR>
<BR>
I hope that I was helpful to you.<BR>
<BR>
I apologize for the length :-) , but if it could help.<BR>
<BR>
Marcos<BR>
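The Python script below is an added example; it is not part of Marcos' mail and not code from iptables or Asterisk. It parses the `iptables -L -vn` listing shown above and, for a given source address, checks the INPUT and FORWARD chains for a DROP/REJECT rule that covers both tcp and udp (one `-p all` / no-protocol rule, or a tcp + udp pair), warns when that rule sits below an ACCEPT (the situation `-I` avoids), and reports how many packets the rule has matched. The "before" listing is the one from the mail; the two extra lines for 87.230.90.5 in the "after" listing are constructed, assuming `-I INPUT -i eth1 -s 87.230.90.5 -j DROP` and the same rule in FORWARD were added, and their packet counts are made up.<BR>

```python
import re
from typing import Dict, List, Tuple

# "Before" sample: the `iptables -L -vn` listing from the mail, no rule for the source yet.
BEFORE_OUTPUT = """\
Chain INPUT (policy ACCEPT 16M packets, 1614M bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   144 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:1712:1720
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1712:1720
   20   824 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
  252 13772 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17M packets, 1958M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# "After" sample (constructed): the same listing once `-I INPUT -i eth1 -s 87.230.90.5 -j DROP`
# and the matching FORWARD rule have been inserted at the top; counters 37/2109 are made up.
AFTER_OUTPUT = BEFORE_OUTPUT.replace(
    "destination\n    1   144",
    "destination\n   37  2109 DROP       all  --  eth1   *       87.230.90.5          0.0.0.0/0\n    1   144",
).replace(
    "destination\n\nChain OUTPUT",
    "destination\n    0     0 DROP       all  --  eth1   *       87.230.90.5          0.0.0.0/0\n\nChain OUTPUT",
)

_MULTIPLIER = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_counter(text: str) -> int:
    """Expand a rounded counter such as '16M' (iptables -x would print exact numbers)."""
    if text[-1] in _MULTIPLIER:
        return int(text[:-1]) * _MULTIPLIER[text[-1]]
    return int(text)


def parse_iptables_lvn(output: str) -> Dict[str, List[dict]]:
    """Parse `iptables -L -vn` output into {chain: [rule, ...]} in chain order."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for line in output.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:                        # "Chain INPUT (policy ACCEPT ...)" header
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split(None, 9)      # pkts bytes target prot opt in out source destination [match]
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue                 # blank line or column header
        chains[current].append({
            "pkts": parse_counter(f[0]), "bytes": parse_counter(f[1]),
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "source": f[7], "destination": f[8],
            "extra": f[9] if len(f) > 9 else "",   # e.g. "tcp dpt:22"
        })
    return chains


def blocked_protocols(rules: List[dict], source: str) -> Dict[str, Tuple[int, int]]:
    """Protocols for which a DROP/REJECT rule matches *all* traffic from `source`
    (no port or other extra match), mapped to (position in chain, packets matched)."""
    found: Dict[str, Tuple[int, int]] = {}
    for pos, rule in enumerate(rules):
        if (rule["target"] in ("DROP", "REJECT") and rule["source"] == source
                and rule["extra"] == "" and rule["prot"] not in found):
            found[rule["prot"]] = (pos, rule["pkts"])
    return found


def review_block(chains: Dict[str, List[dict]], source: str) -> List[str]:
    """Findings for INPUT and FORWARD: is `source` blocked for both tcp and udp, does the
    block sit above every ACCEPT (what -I gives you), and has it matched packets yet?"""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        rules = chains.get(chain, [])
        found = blocked_protocols(rules, source)
        if "all" in found:
            covering = ["all"]
        elif "tcp" in found and "udp" in found:
            covering = ["tcp", "udp"]
        else:
            findings.append(f"{chain}: no DROP/REJECT covering both tcp and udp from {source}")
            continue
        for prot in covering:
            pos, pkts = found[prot]
            if any(r["target"] == "ACCEPT" for r in rules[:pos]):
                findings.append(f"{chain}: {prot} block at position {pos} sits below an ACCEPT; use -I to put it first")
            findings.append(f"{chain}: {prot} block matched {pkts} packets")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE_OUTPUT), ("after", AFTER_OUTPUT)):
        print(f"--- {label} ---")
        for finding in review_block(parse_iptables_lvn(text), "87.230.90.5"):
            print(finding)
```

On a live box the listing would come from `subprocess.run(["iptables", "-L", "-vn"], capture_output=True, text=True).stdout` instead of the embedded samples; a rule whose packet counter stays at 0 while the source keeps hammering the PBX is the sign that the packets are taking another path (an earlier ACCEPT, or the FORWARD chain on a bridge).<BR>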
</body>
</html>