TIPS add-ip Proper Use

Ted Thomas (New Member, joined Nov 23, 2015)
I just installed the 13.2 ISO and have started testing moving my existing pbxinaflash over to this new version.

I am having one-way audio issues when testing the softphone and also SSH from outside my router. I tried to add the following two IP addresses to the firewall using add-ip and believe the addresses did not get added properly.

/root/add-ip mypc 192.168.0.15 I selected Option 0 (for ALL)
/root/add-ip router 192.168.0.1 I selected Option 8 (for SSH)

The following is the response I received after the add-ip was processed.
Code:
The following whitelisted services were requested for 192.168.0.1:
SSH
iptables-persistent: unrecognized service
IP address successfully added to WhiteList.

To display current iptables rules in effect for this IP address,  press Enter.
The following iptables rules now are in effect for 192.168.0.1:

I see that a file is created in the root directory for each of the add-ip runs. Both files are empty. Did I run the add-ip script correctly?
 

ostridge (Guru, joined Jan 22, 2015)
Hi,
On the install for my Pi2 Ast11 I was asked to input the client ip (your .0.1) for myPC. I don't have a record for an addedIP
For IPv4 The IP information gets put into
Code:
/etc/iptables/rules.v4
To check what YOU have in that file, use the following code (the backslashes are to "escape" the "." and treat it as text):
Code:
root@pi2:~# grep "192\.168\." /etc/iptables/rules.v4
-A INPUT -s 192.168.0.15 -j ACCEPT
-A INPUT -s 192.168.0.1 -j ACCEPT
You should get something like the output above.

You mention setting option ALL for your router IP - that is dangerous when you normally only need UDP; BUT for myPC you might as well use option ALL unless your server is not in a controlled local place behind the usual HARDWARE FIREWALL.

If you used add-ip mypc 192.168.0.15 then you have a file called ~/mypc.iptables the content of which is 3 bytes pretty-much nothing.
TIP: I find it easier to use the name starting ip-* to keep the ips together in the ls listing.

If you SSH from outside the router the IP address that you come in on is NORMALLY from your externdevice over internet to externIP, and not from your myip address; in that case you need an add-ip for your externdeviceIP or add-fqdn.
Note to read ~/knock.FAQ

Lastly - Caution: unless you know what you are doing, don't edit /etc/iptables/rules.v4; though you can read the content
Code:
cat /etc/iptables/rules.v4
 

Ted Thomas (New Member, joined Nov 23, 2015)
Thanks for your help. I have been experimenting trying to solve my issues.

I searched the entire drive and did not find any files *.v4

However, I did find a file /etc/sysconfig/iptables that had entries for the PC and my router.

Code:
# // New entry for router.iptables
-A INPUT -p tcp -m multiport -s 192.168.0.1 --dports 22,9022 -j ACCEPT
# // End entry for router.iptables
# // New entry for mypc.iptables
-A INPUT -s 192.168.0.15 -j ACCEPT
# // End entry for mypc.iptables

From your information above, the files created in root from running add-ip are EMPTY. I can see the files and see that they are empty. I looked at the files and expected to see something in them.

Opening port 22 on the router (192.168.0.1) had no effect on being able to SSH into the server from outside my router. I still had to knock to get the server to accept the ssh. I only open up port 22 on my router when I need outside support. I understand now that the knock temporarily adds the external ip address so I can SSH.

Thanks for your help.
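A way to check what a whitelist entry actually opens, as an added example that is not from this thread or from the PIAF add-ip script: the small Python parser below reads iptables-save style lines (the format of the /etc/sysconfig/iptables entries quoted in the post above and of /etc/iptables/rules.v4), reports which INPUT ACCEPT rules match a given source address and which protocol/ports they allow, and flags every source that is whitelisted for ALL traffic, noting whether it is an RFC 1918 LAN address or not. The sample rules are constructed for the example; the two public addresses in it are placeholders, not addresses from the thread.

```python
import ipaddress
import re

# Constructed sample in iptables-save format, modelled on the entries quoted
# in the thread. The "# //" markers mimic the add-ip script's own comments;
# the last two rules are invented placeholders for the audit.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
# // New entry for router.iptables
-A INPUT -p tcp -m multiport -s 192.168.0.1 --dports 22,9022 -j ACCEPT
# // End entry for router.iptables
# // New entry for mypc.iptables
-A INPUT -s 192.168.0.15 -j ACCEPT
# // End entry for mypc.iptables
-A INPUT -p udp -s 198.51.100.20 --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.7 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<body>.*)$")

# RFC 1918 ranges, listed explicitly so the result does not depend on what a
# given Python version counts as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into a dict; return None for any other line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = {"chain": m.group("chain"), "source": None, "proto": "all",
            "ports": [], "target": None}
    tokens = m.group("body").split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-s":
            rule["source"] = tokens[i + 1]
            i += 2
        elif tok == "-p":
            rule["proto"] = tokens[i + 1]
            i += 2
        elif tok in ("--dport", "--dports"):
            # Ports are kept as strings so ranges such as 10000:20000 survive.
            rule["ports"] = tokens[i + 1].split(",")
            i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # -m multiport and other match options are not needed here
    return rule


def _accept_rules(text):
    """Yield the INPUT ACCEPT rules that carry a source address."""
    for line in text.splitlines():
        r = parse_rule(line)
        if r and r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["source"]:
            yield r


def accept_rules_for(text, ip):
    """Return the whitelist rules whose -s covers the given address."""
    addr = ipaddress.ip_address(ip)
    return [r for r in _accept_rules(text)
            if addr in ipaddress.ip_network(r["source"], strict=False)]


def describe(rule):
    """Human-readable summary of what one rule lets through."""
    if rule["proto"] == "all" and not rule["ports"]:
        return "ALL traffic"
    ports = ",".join(rule["ports"]) if rule["ports"] else "all ports"
    return f"{rule['proto']} {ports}"


def audit_open_all(text):
    """List sources whitelisted for ALL protocols and ports, tagged by address class."""
    findings = []
    for r in _accept_rules(text):
        if r["proto"] == "all" and not r["ports"]:
            net = ipaddress.ip_network(r["source"], strict=False)
            lan = any(net.subnet_of(p) for p in RFC1918 if net.version == 4)
            findings.append((r["source"], "RFC1918 LAN" if lan else "NOT RFC1918"))
    return findings


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.0.15", "192.168.0.2"):
        hits = accept_rules_for(SAMPLE_RULES, ip)
        print(ip, "->", [describe(r) for r in hits] or "no whitelist rule")
    print("open-to-ALL sources:", audit_open_all(SAMPLE_RULES))
```

To run it against a live box, replace SAMPLE_RULES with the output of `iptables-save` (or the contents of the rules file the status output points you at); the audit is the check behind ostridge's point that option ALL is only reasonable for a machine on the LAN behind the hardware firewall.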
 

ostridge (Guru, joined Jan 22, 2015)
Thanks for your help. I have been experimenting trying to solve my issues.
I searched the entire drive and did not find any files *.v4
However, I did find a file /etc/sysconfig/iptables that had ......
Oh sorry :oops: different platform or something. You need to paste the result from
Code:
status
which gives info about your OS, Asterisk, FreePBX, Incredible or PIAF versions of same and which GUI - so help can hopefully be more relevant.
Consequently /etc/iptables/* is probably the wrong place, or maybe travelinman3 not installed see http://nerdvittles.com/?p=815.

Regarding the files you create, I hope you cracked this by now but if not - .... with
Code:
add-ip
the account files created are indeed pretty much empty,
for example:
Code:
root@pi2:~# ls -Al ip-*
-rw-r--r-- 1 root root 2 Aug 3 17:11 ip-sip2sip1.iptables
-rw-r--r-- 1 root root 2 Aug 3 17:13 ip-sip2sip2.iptables
-rw-r--r-- 1 root root 2 Aug 3 17:14 ip-sip2sip3.iptables

Contrast that, using the same example provider, with
Code:
root@pi2:~# ls -Al fq-*
-rw-r--r-- 1 root root 27 Aug 3 17:01 fq-sip2sip.iptables
root@pi2:~#
root@pi2:~# cat fq-sip2sip.iptables
sip2sip.info 81.23.228.140

Very approximately:-
For add-fqdn the added info gets lost on save / reload or something and when restarted the account file <fq-provider>.iptables gets parsed and the fqdn validated on internet before being added.
For add-ip the file is saved as a record and the ip is added both to iptables in memory as well as to rules.v4 (for ipv4 address)
I think the info is documented in http://nerdvittles.com/?p=815 if not try 'man iptables' without quotes.