mikrotikvoip:mikrotik_voip_script

Differences

Below are the differences between two revisions of the page.

mikrotikvoip:mikrotik_voip_script [2019/04/24 09:38] – created ghusson
mikrotikvoip:mikrotik_voip_script [2019/04/27 12:27] (current version) ghusson
Line 8: Line 8:
 #   - set variables corresponding to your installation                 # #   - set variables corresponding to your installation                 #
 #   - run the script                                                   # #   - run the script                                                   #
-#   - move the lasts two rules fo the firewall filter rules where it   #+#   - move the firewall rules in firewall filter rules where it        #
 #     shoud be                                                         # #     shoud be                                                         #
 ######################################################################## ########################################################################
- 
- 
-# Initialise variables 
-:global internalIp; 
-:global internalInterface; 
-:global externalIp; 
-:global externalInterface; 
-:global voipHttpsPort; 
-:global voipHttpPort; 
-:global voipSIPPort; 
-:global voipSIPsPort; 
-:global voipTunnelPort; 
-:global voipMediaPort; 
-:global initialNatRulesPosition; 
  
 # Set variables (change them !!!!) # Set variables (change them !!!!)
-:set internalIp "192.168.0.10"; +:global internalIp "192.168.0.10"; 
-:set internalInterface "bridge-internal"; +:global internalInterface "bridge-internal"; 
-:set externalIp "1.2.3.4"; +:global externalIp "1.2.3.4"; 
-:set externalInterface "bridge-internet"; +:global externalInterface "bridge-internet"; 
-:set voipHttpsPort 443; +:global voipHttpsPort 443; 
-:set voipHttpPort 80; +:global voipHttpPort 80; 
-:set voipSIPPort 5060; +:global voipSIPPort 5060; 
-:set voipSIPsPort ($voipSIPPort + 1); +:global voipSIPsPort ($voipSIPPort + 1); 
-:set voipTunnelPort 5090; +:global voipTunnelPort 5090; 
-:set voipMediaPort "9000-10999"; +:global voipMediaPort "9000-10999"; 
-:set initialNatRulesPosition 0;+:global initialNatRulesPosition 0;
  
 # Clean previously defined rules # Clean previously defined rules
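Review bot: the header comment in this hunk still tells the operator to reposition the filter rules by hand ("move the firewall rules in firewall filter rules where it shoud be"), and that manual step is where the script is most likely to misbehave silently: `/ip firewall filter add` appends at the end of the chain, so every filter rule the script creates lands after whatever accept or drop rules already exist, while the NAT rules in the later hunks are positioned explicitly with `place-before=$initialNatRulesPosition`. Give the filter rules a `place-before=` as well (a second variable beside `initialNatRulesPosition`) so correctness does not depend on a step the reader may skip, and fix the typo `shoud` to `should`. The switch from `:global x;` plus `:set x value;` to `:global x value;` is behaviour-neutral in RouterOS scripting; both forms leave the variables in the global scope after the run, so the `# Clean variables` section at the end of the script must unset every one of them, otherwise values such as `externalIp "1.2.3.4"` persist in the router's environment.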
Line 46: Line 32:
 /ip firewall service-port disable sip /ip firewall service-port disable sip
  
-set NAT rules+Set NAT rules (they have to be before any masquerading rule)
 /ip firewall nat add action=dst-nat \ /ip firewall nat add action=dst-nat \
     chain=dstnat \     chain=dstnat \
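Review bot: the changed line `Set NAT rules (they have to be before any masquerading rule)` is not a comment: it has no leading `#`, unlike `# Clean previously defined rules` a few lines earlier, so RouterOS parses `Set NAT rules ...` as a command and the script stops with a syntax error at that line before any NAT rule is created (the old text `set NAT rules` had the same defect). Prefix it with `#`. The ordering requirement the comment states is the right one and is honoured by the `place-before=$initialNatRulesPosition` on the rules that follow. `/ip firewall service-port disable sip` just above deserves a comment of its own: with the SIP service port (ALG) enabled the router rewrites SIP headers itself, which fights the explicit NAT rules this script installs.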
Line 70: Line 56:
     place-before=$initialNatRulesPosition \     place-before=$initialNatRulesPosition \
     comment="VoIP TCP - OUT, symetric NAT  (#VOIPscript)"     comment="VoIP TCP - OUT, symetric NAT  (#VOIPscript)"
- 
  
 /ip firewall nat add action=dst-nat \ /ip firewall nat add action=dst-nat \
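Review bot: every NAT rule in this script is inserted with `place-before=$initialNatRulesPosition`, and the first hunk sets that variable to 0, so each `add` becomes rule 0 and pushes the previously added rule down: the final order in `/ip firewall nat` is the reverse of the order in the script. That is harmless for these dst-nat and src-nat rules as long as none of them overlaps another, but a later edit that adds a general rule after a more specific one will be surprised by the reversal; either state the reversed order in a comment here or increment the position variable after each add. Also `symetric` in the comment should read `symmetric`.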
Line 95: Line 80:
     place-before=$initialNatRulesPosition \     place-before=$initialNatRulesPosition \
     comment="VoIP UDP - OUT, symetric NAT  (#VOIPscript)"     comment="VoIP UDP - OUT, symetric NAT  (#VOIPscript)"
- 
  
 # Set firewall filter rules # Set firewall filter rules
Line 117: Line 101:
     log-prefix=voip-in \     log-prefix=voip-in \
     comment="Internet -> VoIP server - UDP  (#VOIPscript)"      comment="Internet -> VoIP server - UDP  (#VOIPscript)" 
 +
 +# Add drop rule for IP that have been added to "blacklist-sip"
 +# address list
 +/ip firewall filter add action=drop \
 +  chain=forward \
 +  src-address-list=blacklist-sip \
 +  comment="blacklist-sip DROP (#VOIPscript)" \
 +
 +# Add drop rule for IP that have been added to "blacklist-3cxtunnel"
 +# address list
 +/ip firewall filter add action=drop \
 +  chain=forward \
 +  src-address-list=blacklist-3cxtunnel \
 +  comment="blacklist-3cxtunnel DROP (#VOIPscript)"
 +
 +# Add an IP to "sip-blacklist" address list, based on connection
 +# number (max 10 SIP sessions per IP) and packet rate (max 100 packets
 +# in 1mn) - adapt it to your field use.
 +/ip firewall filter add action=add-src-to-address-list \
 +  chain=forward \
 +  protocol=udp \
 +  dst-port=5060 \
 +  connection-limit=10,32 \
 +  connection-state=invalid,new,untracked \
 +  limit=100/1m,0:packet \
 +  address-list=blacklist-sip \
 +  address-list-timeout=3h \
 +  log=yes \
 +  log-prefix=hacker-sip \
 +  comment="Add SIP hacker IP to blacklist-sip (#VOIPscript)"
 +
 +# Add an IP to "blacklist-3cxtunnel" address list, based on connection
 +# rate (max 4 tunnels per IP) - adapt it to your field use.
 +/ip firewall filter add action=add-src-to-address-list \
 +  chain=forward \
 +  protocol=udp \
 +  dst-port=5060 \
 +  connection-limit=4,32 \
 +  connection-state=invalid,new,untracked \
 +  address-list=blacklist-3cxtunnel \
 +  address-list-timeout=3h \
 +  log=yes \
 +  log-prefix=hacker-3cxtnl \
 +  comment="Add SIP hacker IP to iblacklist-3cxtunnel (#VOIPscript)"
 +
 +# Reference documentation for connection-limit and limit:
 +#   https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
 +# connection-limit: Matches connections per address or address block
 +#   up to and including given value. Should be used together with
 +#   connection-state=new and/or with tcp-flags=syn because matcher is
 +#   very resource intensive.
 +# limit (integer,time,integer; Default: ): Matches packets up to a
 +#   limited rate (packet rate or bit rate). Rule using this matcher will
 +#   match until this limit is reached. Parameters are written in
 +#   following format: count[/time],burst:mode.
 +#   * count: packet or bit count per time interval to match
 +#   * time: specifies the time interval in which the packet or bit count
 +#       cannot be exceeded (optional, 1s will be used if not specified)
 +#   * burst: initial number of packets or bits to match: this number
 +#       gets recharged every 10ms so burst should be at least 1/100
 +#       of rate per second
 +#   * mode: packet or bit mode 
  
 # Clean variables # Clean variables
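Review bot: the `blacklist-3cxtunnel` rule at the end of this hunk matches `protocol=udp dst-port=5060`, the same SIP port as the `blacklist-sip` rule above it, although its comment says it counts tunnels and the first hunk defines `$voipTunnelPort` (5090) for exactly that traffic; as written the tunnel port is not watched at all and SIP traffic is evaluated twice. Change it to `dst-port=$voipTunnelPort`, and use `$voipSIPPort` in the SIP rule instead of the literal 5060 so both rules follow the variables set at the top of the script. Two more points on the SIP rule: `limit=100/1m,0:packet` does not implement "max 100 packets in 1mn" per source. As the documentation quoted at the bottom of this hunk says, `limit` matches packets until the rate is reached, and its counter is a single token bucket for the rule rather than one per source address, so combined with `connection-limit` it only caps how many blacklist additions and log lines the rule produces per minute across all sources; a per-source rate needs `dst-limit` with `src-address` mode, and "exceeds the rate" is normally written as a preceding rule with `limit` that lets the allowed rate through (`accept`, or `return` inside a dedicated chain) followed by a rule without `limit` that catches the excess. Second, the drop and add-to-list rules are appended with plain `/ip firewall filter add`, i.e. after the `Internet -> VoIP server - UDP` accept rule at the top of this hunk; in the forward chain the first terminating match wins, so if that accept rule covers UDP 5060 the blacklist machinery never sees a packet. The two `blacklist-* DROP` rules, and the add-to-list rules, need to precede that accept, either by `place-before=` or by being included in the header's "move the firewall rules" step. Minor: the first drop rule ends in `comment="blacklist-sip DROP (#VOIPscript)" \` with a stray trailing backslash continuing onto an empty line; `"sip-blacklist"` in the comment above the SIP rule should be `blacklist-sip`; `iblacklist-3cxtunnel` in the last comment should be `blacklist-3cxtunnel`; and `1mn` should read `1 min`.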
mikrotikvoip/mikrotik_voip_script.1556098718.txt.gz · Last modified: 2019/04/24 09:38 by ghusson