My System Info:
CentOS Linux release 7.9.2009 (Core)
firewall-cmd v0.6.3
iptables v1.4.21
Kernel 3.10.0-1160.25.1.el7.x86_64
It is running an Asterisk v18.4.0 PBX with PJSIP. My carrier sends too many SIP INVITE packets per second, say 20 calls per second, from their VOS3000 softswitch. Most of them get congested (SIP 503) at my outgoing endpoint (e.g. only 2 of the 20 calls reach ringing status). This causes very high CPU usage, as I am using PHP AGI (FastAGI) for each incoming call as well as when the call hangs up.

Now I want to limit SIP INVITE packets using firewalld. Say I want a maximum of 3 INVITEs per second; I run:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p udp --dport 5060 -m string --algo bm --string "INVITE sip:" -m hashlimit --hashlimit-above 3/sec --hashlimit-mode dstport --hashlimit-name sip -j REJECT --reject-with icmp-port-unreachable
firewall-cmd --reload
The above commands succeed, but the rule does not work. I send 20 calls per second using SIPp from an external host and I see more than 900 calls per minute hit my Asterisk PBX. Also, running tcpdump -i any -nn icmp on the server does not show any ICMP unreachable messages for port 5060.
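To measure what actually reaches the host per second, here is an added example (not from the original post) that tallies inbound INVITE requests and ICMP "udp port 5060 unreachable" replies from the output of tcpdump -i any -nn -A 'udp port 5060 or icmp'. The capture text below is constructed to mimic that output format, and the exact line shape (timestamp, optional In/Out, "IP", then the decoded summary) is an assumption about tcpdump's formatting.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `tcpdump -i any -nn -A 'udp port 5060 or icmp'` output (not real traffic):
# each packet starts with a timestamped header line; -A prints the ASCII payload beneath it.
SAMPLE = """\
12:00:00.010000 IP 198.51.100.7.5060 > 203.0.113.5.5060: SIP, length: 556
E..H..@.6...................INVITE sip:1000@203.0.113.5 SIP/2.0
Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1
12:00:00.060000 IP 198.51.100.7.5060 > 203.0.113.5.5060: SIP, length: 556
E..H..@.6...................INVITE sip:1001@203.0.113.5 SIP/2.0
12:00:00.110000 IP 198.51.100.7.5060 > 203.0.113.5.5060: SIP, length: 556
E..H..@.6...................INVITE sip:1002@203.0.113.5 SIP/2.0
12:00:00.160000 IP 198.51.100.7.5060 > 203.0.113.5.5060: SIP, length: 556
E..H..@.6...................INVITE sip:1003@203.0.113.5 SIP/2.0
12:00:00.161000 IP 203.0.113.5 > 198.51.100.7: ICMP 203.0.113.5 udp port 5060 unreachable, length 556
E..H..@.@...................INVITE sip:1003@203.0.113.5 SIP/2.0
12:00:00.210000 IP 203.0.113.5.5060 > 198.51.100.7.5060: SIP, length: 312
12:00:01.020000 IP 198.51.100.7.5060 > 203.0.113.5.5060: SIP, length: 556
E..H..@.6...................INVITE sip:1004@203.0.113.5 SIP/2.0
12:00:01.070000 IP 203.0.113.5 > 198.51.100.7: ICMP 203.0.113.5 udp port 5060 unreachable, length 556
"""

# Packet header line: timestamp (only the second is kept), optional In/Out from `-i any`, src, dst, summary.
HEADER = re.compile(r"^(\d{2}:\d{2}:\d{2})\.\d+ (?:In |Out )?IP (\S+) > (\S+): (.*)$")

def per_second_counts(capture):
    """Count delivered INVITEs and ICMP 'udp port 5060 unreachable' replies, keyed by wall-clock second."""
    counts = defaultdict(lambda: {"invite": 0, "icmp_unreach": 0})
    second, skip_payload = None, True
    for line in capture.splitlines():
        m = HEADER.match(line)
        if m:
            second, summary = m.group(1), m.group(4)
            # -A also dumps the quoted datagram carried inside an ICMP error, which contains
            # the rejected INVITE; that copy must not be counted as a delivered INVITE.
            skip_payload = "udp port 5060 unreachable" in summary
            if skip_payload:
                counts[second]["icmp_unreach"] += 1
        elif second is not None and not skip_payload and "INVITE sip:" in line:
            counts[second]["invite"] += 1  # payload line belongs to the last header seen
    return dict(counts)

def seconds_over_limit(counts, limit=3):
    """Seconds in which more INVITEs were delivered than the hashlimit rule should allow."""
    return sorted(s for s, c in counts.items() if c["invite"] > limit)

if __name__ == "__main__":
    for s, c in sorted(per_second_counts(SAMPLE).items()):
        print(s, c, "OVER LIMIT" if c["invite"] > 3 else "")
```

Compare the per-second INVITE count with the packet counter of the direct rule in iptables -nvL INPUT_direct: a counter that stays at zero means the rule never matched, whereas a rising counter with no ICMP replies in the capture points at the REJECT action instead.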