Iptables SIP Rate-Limiting

Status
Not open for further replies.

dcitelecom

Member
Oct 20, 2021
139
3
18
61
Does anyone have any experience with the iptables SIP rate limiter posted on the freeswitch side?

I tried adding it to my iptables but it doesn't seem to be working. My network interface name is "enp1s0" so I use that instead of the generic "eth0" posted below but no extensions can register after I add this code to the firewall.
..
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 5060 -m limit --limit 6/s --limit-burst 10 -i enp1s0 -j REJECT
-A INPUT -p udp --dport 5080 -m limit --limit 6/s --limit-burst 10 -i enp1s0 -j REJECT

-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
..
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
Fail2ban does offer a lot of additional protection but you will still, generally speaking, need rate limits for protection against a flood of OPTIONS pings or STUN requests or similar, depending on what you run.

Can't remember the syntax off the top of my head but you can rate limit against individual IPs (and log) which can be more helpful than a blanket rate limit.

This is how I rate limit STUN requests using nftables:
Code:
#!/usr/sbin/nft -f

flush ruleset
define stun_port = 3478

table inet filter {
    counter stun-ipv4-requests {
        comment "Number of IPv4 STUN requests received"
    }
    ...
    chain inbound_ipv4 {
        ...
        udp dport $stun_port limit rate 10/second counter name stun-ipv4-requests accept
        ...
    }
...
}
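Since iptables `-m limit` matches the packets that are still *within* the configured rate, a `-m limit ... -j REJECT` rule rejects normal traffic and lets the excess through; the per-source variant with logging that Adrian mentions is shown here as an added example (not code from either poster), using nftables `limit rate over` so that only the traffic above the rate is dropped. It assumes SIP listens on UDP 5060 and 5080, the OP's interface name `enp1s0`, and a minimal table with an accept policy so that only the SIP flood handling is illustrated.

```nft
#!/usr/sbin/nft -f
# Added example: per-source-IP SIP rate limiting with logging (assumptions noted inline).

flush ruleset
define wan_if = "enp1s0"           # interface name from the question; adjust to yours
define sip_ports = { 5060, 5080 }  # assumed SIP/FreeSWITCH listening ports

table inet filter {
    # One token bucket per IPv4 source; idle entries expire after one minute.
    set sip_ipv4_flood {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65535
    }

    counter sip-ipv4-flood-dropped {
        comment "IPv4 SIP packets dropped for exceeding the per-source rate"
    }

    chain inbound_ipv4 {
        type filter hook input priority 0; policy accept;

        ct state established,related accept
        iifname "lo" accept

        # "limit rate over" matches only packets ABOVE 6/s (burst 10) from a given source,
        # so registrations under the rate pass untouched. This is the opposite sense from
        # iptables "-m limit", which matches packets still within the rate.
        iifname $wan_if udp dport $sip_ports add @sip_ipv4_flood { ip saddr limit rate over 6/second burst 10 packets } log prefix "SIP-FLOOD " counter name sip-ipv4-flood-dropped drop

        # Everything under the rate reaches the SIP stack.
        iifname $wan_if udp dport $sip_ports accept
    }
}
```

The equivalent per-source match in iptables is `hashlimit` rather than `limit`, e.g. `-m hashlimit --hashlimit-above 6/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name sip -j DROP` placed before the ACCEPT rule for the SIP ports. Offending sources then show up in the kernel log under the `SIP-FLOOD` prefix, which is also a convenient hook for Fail2ban.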
 