From 9da2e90728addb85c5b7df30866836eb29d131ea Mon Sep 17 00:00:00 2001
From: mafoo
Date: Wed, 25 May 2016 11:45:58 +0100
Subject: [PATCH] Updated iptables rules to make dropping known bots easier included ssl ports as well added comments to rules where appropriate
---
 debian/resources/iptables.sh | 32 +++++++++++++-------------------
 1 file changed, 13 insertions(+), 19 deletions(-)
diff --git a/debian/resources/iptables.sh b/debian/resources/iptables.sh
index 5d3e6cb..44ab9c0 100644
--- a/debian/resources/iptables.sh
+++ b/debian/resources/iptables.sh
@@ -4,26 +4,20 @@ echo "Configure IPTables" #run iptables commands
-iptables -A INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-iptables -A INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli/" --algo bm
-iptables -A INPUT -j DROP -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bm
-iptables -A INPUT -j DROP -p tcp --dport 5060 -m string --string "sipcli/" --algo bm
-iptables -A INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
-iptables -A INPUT -j DROP -p udp --dport 5080 -m string --string "sipcli/" --algo bm
-iptables -A INPUT -j DROP -p tcp --dport 5080 -m string --string "friendly-scanner" --algo bm
-iptables -A INPUT -j DROP -p tcp --dport 5080 -m string --string "sipcli/" --algo bm
+iptables -N sip
+iptables -A sip -j DROP -m string --string "friendly-scanner" --algo bm
+iptables -A sip -j DROP -m string --string "sipcli/" --algo bm
+iptables -A sip -j ACCEPT
 iptables -A INPUT -i lo -j ACCEPT
-iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT
-iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-iptables -A INPUT -p tcp --dport 5060 -j ACCEPT
-iptables -A INPUT -p udp --dport 5060 -j ACCEPT
-iptables -A INPUT -p tcp --dport 5080 -j ACCEPT
-iptables -A INPUT -p udp --dport 5080 -j ACCEPT
-iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
-iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+iptables -A INPUT -j sip -p tcp -m multiport --dports 5060,5061,5080,5081 -m comment --comment "SIP tcp"
+iptables -A INPUT -j sip -p udp -m multiport --dports 5060,5061,5080,5081 -m comment --comment "SIP udp"
+iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+iptables -A INPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "ssh"
+iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "http"
+iptables -A INPUT -j ACCEPT -p tcp --dport 443 -m comment --comment "https"
+iptables -A INPUT -j ACCEPT -p udp --dport 16384:32768 -m comment --comment "SIP RTP"
+iptables -A INPUT -j ACCEPT -p icmp --icmp-type echo-request
+iptables -A INPUT -j ACCEPT -p udp --dport 1194 -m comment --comment "OpenVPN"
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT