#StackBounty: #ubuntu #puppet #asterisk Puppet Firewall string rate limiting not working for Asterisk

Bounty: 50

I have an Ubuntu 16.04 server running Puppet 5 and Asterisk 14.6.0. I'm trying to implement the string rate limiting rules as described in the link below, but it's not working. The CLI console is showing rapid scripted REGISTER requests. Note also the single quote inside the double quote in the string parameter.

https://www.voip-info.org/asterisk-firewall-rules

Here is my puppet manifest:

  firewall { "005 asterisk-set-rate-limit-register":
     dport       => '5060',
     proto       => 'udp',
     recent      => 'set',
     rname       => 'VOIPREGISTER',
     string      => 'REGISTER sip:',
     string_algo => 'bm',
     rsource     => 'true';
  }
  firewall { "006 asterisk-drop-rate-limit-register":
     dport       => '5060',
     proto       => 'udp',
     action      => 'drop',
     recent      => 'update',
     rseconds    => '600',
     rhitcount   => '5',
     rname       => 'VOIPREGISTER',
     rsource     => true,
     string      => 'REGISTER sip:',
     string_algo => 'bm',
     rttl        => true;
  }
  firewall { "007 asterisk-set-rate-limit-invite":
     string      => 'INVITE sip:',
     string_algo => 'bm',
     dport       => '5060',
     proto       => 'udp',
     recent      => 'set',
     rname       => 'VOIPINVITE',
     rsource     => 'true';
  }
  firewall { "008 asterisk-drop-rate-limit-invite":
     string      => 'INVITE sip:',
     string_algo => 'bm',
     dport       => '5060',
     proto       => 'udp',
     action      => 'drop',
     recent      => 'update',
     rseconds    => '600',
     rhitcount   => '5',
     rname       => 'VOIPINVITE',
     rsource     => true,
     rttl        => true;
  }

These are the resulting iptables rules (output of iptables -S):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m multiport --dports 5060 -m recent --set --name VOIPREGISTER --mask 255.255.255.255 --rsource -m string --string "'REGISTER sip:'" --algo bm --to 65535 -m comment --comment "005 asterisk-set-rate-limit-register"
-A INPUT -p udp -m multiport --dports 5060 -m recent --update --seconds 600 --hitcount 5 --rttl --name VOIPREGISTER --mask 255.255.255.255 --rsource -m string --string "'REGISTER sip:'" --algo bm --to 65535 -m comment --comment "006 asterisk-drop-rate-limit-register" -j DROP
-A INPUT -p udp -m multiport --dports 5060 -m recent --set --name VOIPINVITE --mask 255.255.255.255 --rsource -m string --string "'INVITE sip:'" --algo bm --to 65535 -m comment --comment "007 asterisk-set-rate-limit-invite"
-A INPUT -p udp -m multiport --dports 5060 -m recent --update --seconds 600 --hitcount 5 --rttl --name VOIPINVITE --mask 255.255.255.255 --rsource -m string --string "'INVITE sip:'" --algo bm --to 65535 -m comment --comment "008 asterisk-drop-rate-limit-invite" -j DROP
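A way to check offline what the rules above would do to a REGISTER flood, as an added example that is not part of the original question or of the puppetlabs-firewall module. It assumes the usual xt_string and xt_recent semantics: `-m string` searches the packet for the literal byte pattern (iptables -S wraps the pattern in its own double quotes when printing, so the single quotes shown inside them are part of the pattern), `--set` stores one timestamp per packet for the source, and `--update --seconds N --hitcount M` matches when at least M stored timestamps fall inside the last N seconds and then stores another timestamp. The SIP payload, the source address 203.0.113.7 and the "fixed" rule pair without the inner single quotes are constructed for the example; TTL is held constant, so `--rttl` never prevents a match here.

```python
"""Replay a SIP REGISTER burst through two iptables -S rule lines, offline."""
import shlex

# Constructed copies of the posted REGISTER rule pair (ASCII dashes/quotes),
# and a hypothetical corrected pair with the stray single quotes removed.
RULES_AS_POSTED = [
    '-A INPUT -p udp -m multiport --dports 5060 -m recent --set --name VOIPREGISTER '
    '--mask 255.255.255.255 --rsource -m string --string "\'REGISTER sip:\'" '
    '--algo bm --to 65535',
    '-A INPUT -p udp -m multiport --dports 5060 -m recent --update --seconds 600 '
    '--hitcount 5 --rttl --name VOIPREGISTER --mask 255.255.255.255 --rsource '
    '-m string --string "\'REGISTER sip:\'" --algo bm --to 65535 -j DROP',
]
RULES_FIXED = [r.replace("\"'REGISTER sip:'\"", '"REGISTER sip:"') for r in RULES_AS_POSTED]

# Constructed SIP REGISTER payload of the kind a scanner sends to UDP/5060.
REGISTER = (b"REGISTER sip:pbx.example.net SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
            b"From: <sip:100@pbx.example.net>;tag=1\r\n"
            b"To: <sip:100@pbx.example.net>\r\n"
            b"Call-ID: 1@203.0.113.7\r\nCSeq: 1 REGISTER\r\n"
            b"Contact: <sip:100@203.0.113.7>\r\nContent-Length: 0\r\n\r\n")

IP_PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per source (default)


def parse_rule(line):
    """Extract the options this check cares about from one iptables -S line."""
    argv = shlex.split(line)  # strips iptables-save's outer double quotes only

    def opt(name, default=None):
        return argv[argv.index(name) + 1] if name in argv else default

    return {
        "pattern": opt("--string").encode(),
        "to": int(opt("--to", 65535)),
        "set": "--set" in argv,
        "update": "--update" in argv,
        "seconds": int(opt("--seconds", 0)),
        "hitcount": int(opt("--hitcount", 0)),
        "target": opt("-j"),
    }


def string_matches(rule, payload):
    """xt_string semantics: literal byte search, bounded by --to."""
    return rule["pattern"] in payload[: rule["to"]]


def simulate(rule_lines, n_packets, src="203.0.113.7", interval=1.0):
    """Send n REGISTERs from one source, `interval` seconds apart, through the
    rule pair. Returns one verdict per packet: "DROP" if a -j DROP rule fired,
    otherwise "ACCEPT" (the chain policy in the question is ACCEPT)."""
    rules = [parse_rule(line) for line in rule_lines]
    recent = {}  # xt_recent table: source -> list of timestamps
    verdicts = []
    for i in range(n_packets):
        now = i * interval
        verdict = "ACCEPT"
        for rule in rules:
            if not string_matches(rule, REGISTER):
                continue  # -m string did not match; fall through to next rule
            stamps = recent.setdefault(src, [])
            if rule["set"]:
                stamps.append(now)  # --set always records the packet
            elif rule["update"]:
                hits = sum(1 for t in stamps if now - t <= rule["seconds"])
                if hits >= rule["hitcount"]:
                    stamps.append(now)  # --update refreshes only on a match
                    verdict = rule["target"] or "ACCEPT"
                    break
            del stamps[:-IP_PKT_LIST_TOT]  # ring buffer: oldest entries overwritten
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("without inner quotes", RULES_FIXED)):
        print(name, parse_rule(rules[0])["pattern"], simulate(rules, 8))
```

Running this shows that with the pattern as posted, `'REGISTER sip:'` including the single quotes, the string match never succeeds against a real REGISTER request line, so neither rule fires and every packet falls through to the ACCEPT policy; with the bare pattern, the fifth REGISTER inside a 600 second window from the same source is dropped, and each dropped packet refreshes the source's entry. The same check, pointed at a real `iptables -S` dump, tells you whether the pattern being matched is the one you think it is before you go looking at the recent-module parameters.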

