
I have an Ubuntu 16.04 server and am using Puppet 5 with Asterisk 14.6.0 running. I'm trying to implement the string rate-limiting rules as described in the link below, but it's not working. The CLI console is showing rapid scripted REGISTER requests. Note also the single quote inside the double quote in the string parameter.

https://www.voip-info.org/asterisk-firewall-rules

Here is my puppet manifest:

  # 005: record every source that sends a REGISTER to udp/5060 in the
  # VOIPREGISTER recent list (-m recent --set). This rule has no action,
  # so the packet continues down the chain.
  firewall { '005 asterisk-set-rate-limit-register':
    dport       => '5060',
    proto       => 'udp',
    recent      => 'set',
    rname       => 'VOIPREGISTER',
    string      => 'REGISTER sip:',
    string_algo => 'bm',
    rsource     => true,
  }
  # 006: drop a REGISTER from a source that is already in VOIPREGISTER
  # with 5 or more hits in the last 600 s and the same TTL
  # (-m recent --update --seconds 600 --hitcount 5 --rttl).
  firewall { '006 asterisk-drop-rate-limit-register':
    dport       => '5060',
    proto       => 'udp',
    action      => 'drop',
    recent      => 'update',
    rseconds    => '600',
    rhitcount   => '5',
    rname       => 'VOIPREGISTER',
    rsource     => true,
    string      => 'REGISTER sip:',
    string_algo => 'bm',
    rttl        => true,
  }
  # 007/008: the same set/update pair for INVITE, tracked in its own list.
  firewall { '007 asterisk-set-rate-limit-invite':
    string      => 'INVITE sip:',
    string_algo => 'bm',
    dport       => '5060',
    proto       => 'udp',
    recent      => 'set',
    rname       => 'VOIPINVITE',
    rsource     => true,
  }
  firewall { '008 asterisk-drop-rate-limit-invite':
    string      => 'INVITE sip:',
    string_algo => 'bm',
    dport       => '5060',
    proto       => 'udp',
    action      => 'drop',
    recent      => 'update',
    rseconds    => '600',
    rhitcount   => '5',
    rname       => 'VOIPINVITE',
    rsource     => true,
    rttl        => true,
  }

These are the resulting iptables rules:

  -P INPUT ACCEPT
  -P FORWARD ACCEPT
  -P OUTPUT ACCEPT
  -A INPUT -p udp -m multiport --dports 5060 -m recent --set --name VOIPREGISTER --mask 255.255.255.255 --rsource -m string --string "'REGISTER sip:'" --algo bm --to 65535 -m comment --comment "005 asterisk-set-rate-limit-register"
  -A INPUT -p udp -m multiport --dports 5060 -m recent --update --seconds 600 --hitcount 5 --rttl --name VOIPREGISTER --mask 255.255.255.255 --rsource -m string --string "'REGISTER sip:'" --algo bm --to 65535 -m comment --comment "006 asterisk-drop-rate-limit-register" -j DROP
  -A INPUT -p udp -m multiport --dports 5060 -m recent --set --name VOIPINVITE --mask 255.255.255.255 --rsource -m string --string "'INVITE sip:'" --algo bm --to 65535 -m comment --comment "007 asterisk-set-rate-limit-invite"
  -A INPUT -p udp -m multiport --dports 5060 -m recent --update --seconds 600 --hitcount 5 --rttl --name VOIPINVITE --mask 255.255.255.255 --rsource -m string --string "'INVITE sip:'" --algo bm --to 65535 -m comment --comment "008 asterisk-drop-rate-limit-invite" -j DROP
markhorrocks

1 Answer


Are you using the puppet firewall module?

Did you install it with:

  puppet module install puppetlabs-firewall --version 1.12.0

And did you enable it with:

  mod 'puppetlabs-firewall', '1.12.0'

Seeing that your module starts at 005, I'm guessing you did a few rules before that; you should post everything related to the firewall.

Update

According to your comment, and checking the documentation for the firewall module and your iptables rules, you might be getting your set appended (that's the -A) to others, overriding your settings.

List all your rules with iptables --list and paste them in your question inside a code block, please.

Leo Gallego
The puppet firewall is working on approx 30 servers although I did not install it. There are no rules before the ones I set. The first rules are as shown. – markhorrocks Jul 03 '18 at 15:26
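As an added illustration (not code from the question, the answer, or the puppetlabs-firewall module), here is a small Python model of how the installed REGISTER rules (005/006) evaluate traffic. It assumes a handful of constructed SIP packets from one source, models xt_recent with one timestamp per hit and ignores --rttl and --mask, and treats -m string as a plain substring search (bm and kmp only change the search algorithm, not the result). It reproduces the match order of the iptables-save output, where -m recent comes before -m string, and covers two points from the thread: what the single quotes inside the --string pattern do to matching, and the answer's point that an earlier appended rule for udp/5060 takes the verdict before these rules are reached.

```python
from collections import defaultdict


class Recent:
    """Minimal model of xt_recent: per --name, per-source list of hit times."""

    def __init__(self):
        self.tables = defaultdict(lambda: defaultdict(list))

    def set(self, name, src, now):
        # --set creates or refreshes the entry and always matches
        self.tables[name][src].append(now)
        return True

    def update(self, name, src, now, seconds, hitcount):
        # --update --seconds S --hitcount H: match when the source already has
        # >= H stamps within the last S seconds; a match refreshes the entry
        stamps = [t for t in self.tables[name][src] if now - t <= seconds]
        if not stamps:
            self.tables[name].pop(src, None)
            return False
        matched = len(stamps) >= hitcount
        if matched:
            stamps.append(now)
        self.tables[name][src] = stamps
        return matched


def rule(matches, target=None):
    """A rule is its ordered list of matches plus an optional terminal target."""
    return {"matches": matches, "target": target}


def evaluate(chain, recent, pkt, policy="ACCEPT"):
    """Walk the chain in -A order and return the verdict for one packet.

    pkt = {"src": str, "dport": int, "payload": bytes, "t": seconds}.
    Matches inside a rule run left to right and stop at the first failure,
    so a side-effecting --set placed before -m string fires on every packet
    that reaches it, whatever the payload contains.
    """
    for r in chain:
        ok = True
        for m in r["matches"]:
            if m[0] == "dport":
                ok = pkt["dport"] == m[1]
            elif m[0] == "string":  # -m string: substring search on the payload
                ok = m[1] in pkt["payload"]
            elif m[0] == "recent_set":
                ok = recent.set(m[1], pkt["src"], pkt["t"])
            elif m[0] == "recent_update":
                ok = recent.update(m[1], pkt["src"], pkt["t"], m[2], m[3])
            if not ok:
                break
        if ok and r["target"] in ("ACCEPT", "DROP"):
            return r["target"]
    return policy


def register_chain(pattern):
    """Rules 005/006 as installed; `pattern` is the bytes the kernel holds for --string."""
    return [
        rule([("dport", 5060), ("recent_set", "VOIPREGISTER"), ("string", pattern)]),
        rule([("dport", 5060), ("recent_update", "VOIPREGISTER", 600, 5),
              ("string", pattern)], target="DROP"),
    ]


# Constructed sample traffic (not captured data): one source, 10 s apart.
REGISTER = b"REGISTER sip:pbx.example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n"
OPTIONS = b"OPTIONS sip:pbx.example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n"


def packets(payloads):
    return [{"src": "198.51.100.7", "dport": 5060, "payload": p, "t": 10 * i}
            for i, p in enumerate(payloads)]


def run(chain, pkts):
    recent = Recent()
    return [evaluate(chain, recent, p) for p in pkts]


def verdicts_unquoted():
    # Pattern as intended: the 5th and 6th REGISTER inside 600 s are dropped.
    return run(register_chain(b"REGISTER sip:"), packets([REGISTER] * 6))


def verdicts_quoted():
    # Pattern with the single quotes inside it, as iptables-save shows it:
    # no REGISTER line contains quote characters, so nothing is ever dropped.
    return run(register_chain(b"'REGISTER sip:'"), packets([REGISTER] * 6))


def verdicts_mixed_traffic():
    # Because --set runs before -m string, four OPTIONS packets already count
    # as hits, and the first REGISTER (the 5th packet) is dropped.
    return run(register_chain(b"REGISTER sip:"), packets([OPTIONS] * 4 + [REGISTER]))


def verdicts_with_early_accept():
    # The answer's concern: an earlier appended ACCEPT for udp/5060 wins first.
    chain = [rule([("dport", 5060)], target="ACCEPT")] + register_chain(b"REGISTER sip:")
    return run(chain, packets([REGISTER] * 6))


if __name__ == "__main__":
    print("intended pattern :", verdicts_unquoted())
    print("quoted pattern   :", verdicts_quoted())
    print("OPTIONS then REG :", verdicts_mixed_traffic())
    print("early ACCEPT     :", verdicts_with_early_accept())
```

Running it shows three ways to get "nothing is dropped" or "the wrong thing is dropped" without any rule being syntactically wrong: a pattern that never occurs in real traffic, a set counter that is incremented by every udp/5060 packet because of the match order, and an earlier terminal rule in the same chain. Comparing the verdicts with `iptables -L INPUT -v -n` counters on the host is the practical check: a drop rule whose packet counter never moves while the CLI shows the flood is not being reached or not matching.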