[asterisk-users] Using Firewall to protect Asterisk

Dave Platt dplatt at radagast.org
Fri Jul 15 13:19:47 CDT 2011


>> > I need to keep out all connection from 5 countries, which originate
>> > most of the Denial of Service attacks. The entries are around 9000 if
>> > used as xx.xx.0.0/16. I heard that there is a smarter way to do this
>> > by using User Tables in iptables, that will keep the speed equal to
>> > LOG(x). I already tried using a straight list and it kills the box.

Yeah, it would - running through 9000 separate rules for each packet
would be prohibitive.

>> > Unless a smarter way is found, there is no way to use iptables.

Ideally, what you'd want to do is to somehow "pre-load" one of the
really efficient matching modules in iptables (e.g. a hash table)
with a list of the network numbers in question, and then be able
to do a fast hashed lookup using each incoming packet's upper 16
bits... a hit in the table would indicate a reject, a miss would
mean that the packet was OK for further inspection and processing.

It looks to me as if there *is* a way to do this, but it may require
adding an iptables/netfilter module that is not part of the standard
distribution.  It's called the "set" module.

Take a look at

   http://ipset.netfilter.org/

and I think you'll like what you see... it'll do what you want.

Briefly, you'll need to:

-  Build this module for your kernel, and load it
-  Use the "ipset" command to create an IP-address set, and
   populate it with the 9000 different /16 entries you want to
   match against.  I think the "ipmap" type is what you would
   want, as this can store up to 65536 entries and uses a single
   bit for each same-sized address range... lookup time would
   be constant.  "iphash" is another possibility.
-  Use a single "iptables" rule to match incoming packets against
   this set.

> iptables is just a user-space configuration interface to the Linux 
> kernel netfilter.  The netfilter uses complex hash tables and other data 
> structures to ensure that packet forwarding rules are looked up in as 
> close to O(1) as possible, not even LOG(n)--LOG(n) would be way too 
> expensive.
> 
> Other than conventional Cisco router access lists (notwithstanding 
> compiled lists and TurboACL), I don't know of any other packet filter in 
> the universe that does not do similarly.  No packet filter would apply a 
> flat list, not the Linux netfilter, not the BSD packet filter, not even 
> Windows.

The trick is using the right filtering approach.

Doing it the naive way (one separate iptables rule per /16) would
indeed kill the system's performance pretty badly.

The right approach, which will work, is one which can match incoming
addresses against a complex set of yes/no criteria in constant or
near-constant time.  I don't believe that the standard "iptables"
distribution contains a module which can do this... but the "ipset"
extension module can, and is probably what the original poster wants.

I may have to play around with this approach myself.  Federico,
do you mind if I ask which countries you're blocking, and
which source you used to locate the /16 blocks in question?
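The three steps above (build a set, populate it with the network blocks, match it with one iptables rule) as an added, runnable example. This is not code from the post or from the Asterisk project. It assumes an ipset 6.x userspace tool and kernel support; the "hash:net" set type is the modern name for the net-hash sets the thread refers to, and the set name "blocked_countries" and the sample CIDR list (documentation prefixes, not real country data) are made up for illustration.

```shell
#!/bin/sh
# Added example: load a CIDR blocklist into one ipset and consult it from a
# single iptables rule, so lookup cost does not grow with the list size.
# Assumptions: ipset 6.x ("hash:net" type) and iptables with the set match.

SET_NAME="blocked_countries"   # hypothetical set name

# valid_cidr A.B.C.D/N: return 0 for a syntactically valid IPv4 CIDR
# (four octets 0-255, prefix 0-32), 1 otherwise. Untrusted list files get
# fed to "ipset restore", so refuse anything that is not a plain CIDR.
valid_cidr() {
    _c="$1"
    case "$_c" in
        */*) _ip="${_c%/*}"; _pfx="${_c#*/}" ;;
        *)   return 1 ;;
    esac
    case "$_pfx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_pfx" -le 32 ] || return 1
    _old_ifs="$IFS"; IFS=.
    set -- $_ip
    IFS="$_old_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# gen_ipset_restore: read CIDR blocks from stdin (one per line, '#' starts a
# comment) and print an "ipset restore" script on stdout. Malformed lines
# are reported on stderr and skipped; the return value is non-zero if any
# line was rejected. hashsize 16384 comfortably holds ~9000 /16 entries.
gen_ipset_restore() {
    _bad=0
    echo "create ${SET_NAME} hash:net family inet hashsize 16384 maxelem 65536"
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line="${_line%%#*}"
        _line="$(printf '%s' "$_line" | tr -d '[:space:]')"
        [ -n "$_line" ] || continue
        if valid_cidr "$_line"; then
            echo "add ${SET_NAME} ${_line}"
        else
            echo "skipping malformed entry: ${_line}" >&2
            _bad=1
        fi
    done
    return $_bad
}

# iptables_rule: the one rule that replaces thousands of per-network rules.
# The set match is a hash lookup on the source address.
iptables_rule() {
    echo "iptables -I INPUT -m set --match-set ${SET_NAME} src -j DROP"
}

# apply_blocklist FILE: load the set into the kernel and install the rule.
# Needs root; only run when explicitly requested (see the case below).
# "-exist" lets the script be re-run to refresh the set without errors, and
# "iptables -C" keeps repeated runs from stacking duplicate rules.
apply_blocklist() {
    gen_ipset_restore < "$1" | ipset -exist restore || return 1
    iptables -C INPUT -m set --match-set "${SET_NAME}" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "${SET_NAME}" src -j DROP
}

# Constructed sample list; documentation prefixes only, not real geo data.
SAMPLE_BLOCKS='# constructed sample blocklist
198.51.0.0/16
203.0.0.0/16   # trailing comment is ignored
192.0.0.0/16
not-an-address
'

case "${1:-}" in
    demo)  printf '%s' "$SAMPLE_BLOCKS" | gen_ipset_restore; iptables_rule ;;
    apply) apply_blocklist "$2" ;;
esac
```

Run `sh blocklist.sh demo` to see the generated `ipset restore` script (the malformed sample line is reported and dropped), and `sh blocklist.sh apply /path/to/blocks.txt` as root to load it. Keep the rule near the top of INPUT so blocked sources are dropped before conntrack and SIP parsing do any work; restrict it to `-p udp --dport 5060` instead if only SIP should be affected.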



