Помогите разобраться с правилом iptables

вот рабочий кусок. там в конце можете посмотреть как считается.

#!/bin/sh
#
# SIP DoS mitigation script using Linux iptables/netfilter
# WILL NOT WORK WITH SIP TLS, FOR OBVIOUS REASONS...

# Copyright 2008 Kristian Kielhofner <kkielhofner@star2star.com>
# changed by arheops@gmail.com 2011
# This program is distributed under the terms of the GNU Public License V2
#
# TODO: Use the state module for TCP (maybe even UDP)?
# TODO: Evaluate string matching algorithms and offsets
# TODO: Better matching for URIs (support tel:)?
# TODO: Tweak and/or provide configuration for hashlimit expires and bursts
# TODO: Support configuration of INVITE/REGISTER/etc limits and methods
# TODO: Don't always clear INPUT/FORWARD tables - allow for other rulesets
# TODO: Testing?

# INVITE rate, per host.  Remember a successful (authenticated) call requires 2 INVITEs-
# Initial INVITE, 407 auth required (w/ nonce), INVITE with nonce and authentication.
IRATE=50/minute

# REGISTER rate, per host.
RRATE=10/minute

# All other SIP methods rate, per host.  Be careful with SUBSCRIBEs, OPTIONS, CANCELs, etc.
ORATE=60/minute

# Methods for this script to ignore.  These SIP methods are always allowed.
IGMETH="OPTIONS NOTIFY"

# Burst
BURST=20

# Interface(s) to protect on INPUT. Seperate multiple interfaces with spaces.
# This will protect SIP services on THIS HOST.
IFACE="eth0"

# Reject/drop action - usually something like DROP or REJECT.
# Use ACCEPT to use this script to not filter traffic but still collect statistics.
DACTION=DROP

# Protocol(s) to filter - can be either tcp or udp or both. Seperate multiples with spaces.
PROTOCOLS="udp"

# Enable logging.
LOG=YES

# Block tel: URIs completely?
# P.S. - tel: sucks!
BLOCKTEL=yes

# Interface(s) to protect on FORWARD. Seperate multiple interfaces with spaces.
# The same hashtable will protect the entire network from the same host(s).
# Destination IP is NOT taken into consideration.
# This will protect any SIP services running on the network that uses this machine
# as a router (as long as you get the interfaces right).
FIFACE="eth0"

# Location of iptables binary.
IPTABLES=`which iptables`

# Search packet to this location. A larger offset looks further into the packet
# and takes more time but could catch more attacks (and false alarms).
# Remember, the method to match on is always in the beginning of the packet.
OFFSET=65

# SIP port
SPORT=5060

SSHPORT=22

if [ ! "$1" ]
then
echo "SIP DoS/DDoS mitigation script for iptables
See top of script for configuration

Usage:
$0 [start|stop|status]"
exit 1
fi

if [ "$1" = "status" ]
then
$IPTABLES -L -v -n
exit
fi

# Setup iptables
for i in sipdos sshdos whitelist blacklist sipdosregister sipdosinvite fail2ban-sip
do
$IPTABLES -F $i 2> /dev/null
$IPTABLES -X $i 2> /dev/null
$IPTABLES -N $i 2> /dev/null
done;

if [ "$1" = "stop" ]
then
echo "Clearing iptables rules..."
if [ "$FIFACE" ]
then
$IPTABLES -F FORWARD 2> /dev/null
fi
$IPTABLES -F INPUT 2> /dev/null
exit
fi

# Send the right traffic through our chain
for i in $IFACE
do
for l in $PROTOCOLS
do
$IPTABLES -D INPUT -i $i -m $l -p $l --dport $SPORT -j sipdos 2>/dev/null
$IPTABLES -D INPUT -i $i -m $l -p $l --dport $SPORT -j sipdos 2>/dev/null
$IPTABLES -A INPUT -i $i -m $l -p $l --dport $SPORT -j sipdos
done
done

# Send the right forwarded traffic through our chain
if [ "$FIFACE" ]
then
for j in $FIFACE
do
for l in $PROTOCOLS
do
$IPTABLES -D INPUT  -m $l -p $l --dport $SPORT -j sipdos
$IPTABLES -I INPUT  -m $l -p $l --dport $SPORT -j sipdos
done
done
fi

for i in `cat /etc/block/blacklist`
do
$IPTABLES -I blacklist -s $i -j REJECT --reject-with icmp-host-unreachable

done;

for i in `cat /etc/block/whitelist`
do
$IPTABLES -A whitelist -s $i -j ACCEPT
$IPTABLES -A whitelist -d $i -j ACCEPT
done;

$IPTABLES -A whitelist -s 78.47.159.176/28       -j ACCEPT

$IPTABLES -A sipdos -j fail2ban-sip
$IPTABLES -A sipdos -j blacklist
$IPTABLES -A sipdos -j whitelist

# "Handle" tel: URIs
if [ "$BLOCKTEL" ]
then
$IPTABLES -A sipdos -m string --string "tel:" --algo bm --to $OFFSET -j $DACTION
fi

# Ignore certain (configured) methods
if [ "$IGMETH" ]
then
for k in $IGMETH
do
$IPTABLES -A sipdos -m string --string "$k sip:" --algo bm --to $OFFSET -j ACCEPT
done
fi

# Finally set some limits...

# INVITE limit
$IPTABLES -A sipdos -m string --string "INVITE sip:" --algo bm --to $OFFSET -j sipdosinvite

$IPTABLES -A sipdosinvite \
-m hashlimit --hashlimit $IRATE --hashlimit-burst $BURST \
--hashlimit-mode srcip,dstport --hashlimit-name sip_i_limit -j ACCEPT

# REGISTER limit
$IPTABLES -A sipdos -m string --string "REGISTER sip:" --algo bm --to $OFFSET -j sipdosregister

$IPTABLES -A sipdosregister \
-m hashlimit --hashlimit $RRATE --hashlimit-burst $BURST \
--hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit -j ACCEPT

# All other SIP packets...
$IPTABLES -A sipdos -m hashlimit --hashlimit $ORATE --hashlimit-burst $BURST \
  --hashlimit-mode srcip,dstport --hashlimit-name sip_o_limit -j ACCEPT



# Take action on everything else
if [ $LOG ]
then
$IPTABLES -A sipdosregister -j LOG --log-prefix SIP_TO_MANY
$IPTABLES -A sipdosinvite -j LOG --log-prefix SIP_TO_MANY
fi

$IPTABLES -A sipdosregister -j $DACTION
$IPTABLES -A sipdosinvite -j $DACTION

Прежде чем начинать работать с iptables посоветую зайти на www.opennet.ru Там есть очень много примеров.

Сделайте следующее:

1. создайте фаил с именем iptables.ok

2. скопируйте следующее в этот фаил (может вам нужно видоизменить даный код)

       # Generated by iptables-save v1.4.2 on Tue Nov 16 10:00:55 2010
   *filter
   :INPUT ACCEPT [0:0]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [0:0]
   :SCAMBLOCK - [0:0]
   
   # Jump to SCAMBLOCK chain to check connection to 5060 udp port
   -A INPUT -p udp —dport 5060 -j SCAMBLOCK
   
   # Returning after SCAMBLOCK chain
   -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "SYN Not New:"
   -A INPUT -p tcp -m tcp ! --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
   -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
   -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Packet died: " --log-level 7
   -A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 128:65535 -j LOG --log-prefix "ICMP Oversize:" --log-level 7
   -A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 128:65535 -j REJECT --reject-with icmp-port-unreachable
   -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
   -A INPUT -p icmp -f -j LOG --log-prefix "ICMP Fagment:"
   -A INPUT -p icmp -f -j REJECT --reject-with icmp-port-unreachable
   -A INPUT -p tcp -m tcp --dport 3306 -j LOG --log-prefix "TCP Try connect MySQL server:"
   -A INPUT -p tcp -m tcp --dport 3306 -j REJECT --reject-with icmp-host-prohibited
   -A INPUT -p udp -m udp --dport 3306 -j LOG --log-prefix "UDP Try connect MySQL server:"
   -A INPUT -p udp -m udp --dport 3306 -j REJECT --reject-with icmp-host-prohibited
   -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -j DROP
   
   #SCAMBLOCK chain for cheking udp 5060 port
   -A SCAMBLOCK -p udp —dport 5060 -m recent —set —name SIP
   -A SCAMBLOCK -p udp —dport 5060 -m recent —update —seconds 2 —hitcount 60 —name SIP -j LOG —log-prefix «SIP flood detected:»
   -A SCAMBLOCK -p udp —dport 5060 -m recent —update —seconds 2 —hitcount 60 —name SIP -j REJECT --reject-with icmp-port-unreachable
   #Return to INPUT chain
   -A SCAMBLOCK -j RETURN
   COMMIT
   # Completed on Tue Nov 16 10:00:55 2010
   

3. потом iptables-restore < <имя файла>

4. я прописал это "iptables-restore < <имя файла>" в rc.local. У меня Дебиян.

Посмотрите в сторону fail2ban. Про него много написано и под разные Linux дистрибутивы