SOLVED IncrediblePi (3.11.12) Update 25

[RPi-Fan]

Ward,

Update 25 consisted of the following:

cp /etc/iptables/rules.v4.raspbian /etc/iptables/rules.v4
service iptables restart

Following this (and rebooting), iptables -nL displays rules that match /etc/network/iptables (not /etc/iptables/rules.v4).

What was the purpose of update 25 and what is /etc/iptables/rules.v4 used for since it appears /etc/network/iptables is the source of rules for iptables?

Thanks,
Ron

 

[wardmundy]

Rules in /etc/iptables/rules.v4 should control. IPtables implementation in Ubuntu/Debian is quirky to put it charitably. Fixed in update 26. Thanks.

 

[RPi-Fan]

Thanks for update26.

A follow-on question or two...

1. add-fqdn was not provided with IncrediblePi 3.11.12. Does this imply FQDN's should no longer be used?

2. The ipchecker supplied with IncrediblePi 3.11.12 is a very old version (1.0 vs 1.3). Does this imply FQDN's should no longer be used?

One reason much of this is confusing is that the iptables files provided with IncrediblePi 3.11.12 are different from those contained in travelinman3.tar.gz despite them both claiming to be v1.3.

Thanks,
Ron

 

[wardmundy]

We will get to add-fqdn down the road. Still getting the kinks out of some of the other 9 releases. You can use FQDN's if you want to monitor whether any of them fail. If one or more fail during a start or restart of IPtables, it blows iptables out of the water without the additional error checking that we are adding to the Incredible PBX releases. ipchecker also will be updated in due course. If you're in a hurry, you might take a look at the code in the Ubuntu build which should be similar.

 

[RPi-Fan]

I'm not in a hurry -- I've just been trying to get up to speed on this iptables business and need to reconcile a few discrepancies to clarify things.

Which brings up another question. Prior to the change to iptables-persistent, iptables contained the following rules:

# Google Voice needs the following 2 ports
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT

These rules are missing from rules.v4, but Google Voice appears to be working ok without them. Was this an intentional change?

 

[wardmundy]

I'm not in a hurry -- I've just been trying to get up to speed on this iptables business and need to reconcile a few discrepancies to clarify things.

Which brings up another question. Prior to the change to iptables-persistent, iptables contained the following rules:

# Google Voice needs the following 2 ports
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT

These rules are missing from rules.v4, but Google Voice appears to be working ok without them. Was this an intentional change?

Yep. No longer required. BUT... you may need these new ones for new installs: http://pbxinaflash.com/community/index.php?threads/google-voice-stops-working.12572/#post-99478
Just learned about this yesterday. If you didn't already know, firewalls can easily become a full-time job to maintain and keep current. Don't expect that level of service for free.

We do this for fun, NOT for a living. When it ceases to be fun, we'll probably stop doing it at all. Also worth mentioning that the Raspberry Pi is at the very bottom of the VoIP food chain.

It's a platform where you're supposed to learn to do some of this for yourself and contribute your discoveries for the benefit of others in the RasPi community.

 

[wardmundy]

add-fqdn and iptables-restart have been pushed out to Raspberry Pi. Just log out and back in to get them.

 

[svangool]

The iptables-restart script does not work correctly when you don't have iptables installed (I started with version 3.11 of June 18, it doesn't have the iptables service installed) it tests for "fail" but mine is saying "iptables: unrecognized service".

I saw somewhere else that the iptables were installed in a later 3.11 version which bring me to some questions, which maybe already answered somewhere else, but I couldn't find it, apologies for that:
Which update-scripts do I need to re-run after installing iptables manually?
Do the update scripts take care of keeping my version up to date (at least for 3.11.xx I would expect), including installing ip-tables when needed?
Do I need to use a new image every time for a new version (I thought that path was abandoned already a long time ago) and rely on the not so trustworthy FPBX restore/backup mechanism?
Why doesn't the status screen reflect my actual IPBX version (including the updates) or does it?

 

[wardmundy]

svangool June 18 image is too old. Sorry. Use Incredible Backup on your existing system, copy image to desktop, install latest version on new SD card, log out and back in to load updates for new system, copy image from desktop to /tmp on new system, then run /root/incrediblerestore.

p.s. Start new threads for new issues please.

cd /root
wget http://incrediblepbx.com/incrediblebackup11-raspi.tar.gz
tar zxvf incrediblebackup11-raspi.tar.gz
rm -f wget http://incrediblepbx.com/incrediblebackup11-raspi.tar.gz
tar zxvf incrediblebackup11-raspi.tar.gz

 

[svangool]

wardmundy
Thanks for the answer! I will upgrade.

Recommendation: updates (like update 25) should not affect an "older" working system in the incorrect way or they should not be allowed to that version at all, by adding a version check.

 

[svangool]

svangool June 18 image is too old. Sorry. Use Incredible Backup on your existing system, copy image to desktop, install latest version on new SD card, log out and back in to load updates for new system, copy image from desktop to /tmp on new system, then run /root/incrediblerestore.

Sorry, for this OT update, not to spend any time on, but FYI:

• I updated my IPBX 3.11.10 (inc. update 28)/FPBX 2.11.0.38 to Asterisk 11.11.0 using /root/upgrade-green-11.11.0 which resulted in a still fine working system (8 Voip extensions/1 FXS extension/ 4 Voip trunks / 1 FXO SPA adapter).
• Performed /root/incrediblebackup.
• Formatted new SD-card and put IPBX 3.11.12 (2014-07-28) image on it, initialized and performed steps as pointed out here http://pbxinaflash.com/community/in...ation-to-new-linux-platform.15378/#post-99350 exept for the "Fixpassword" step.
• No joy, kept getting a "refused connection", was not able to SSH in the system any more (I waited long enough).

I will start with a fresh IPBX 3.11.12 image and try to use the FPBX backup/restore although I had problems with my Endpoint Manager settings and templates the last time.

 

[wardmundy]

As long as your "old system" has any version of Asterisk 11 and any version of FreePBX 2.11, it's sufficiently current to run Incredible Backup. Then copy the image to your desktop, load the latest and greatest Incredible PBX for Raspberry Pi, copy image to /tmp, and run Incredible Restore. Any additional steps just increase the likelihood of hitting a snag.

 

[svangool]

wardmundy

One of the additional steps was:

Protect the /root folder and the index* files in /var/www/html on the machine before doing a restore from the image:

chattr -R +i /root
chattr +i /var/www/html/index*

Which made sense to me because of the "failing" update steps mentioned earlier in this thread, I thought that the updates of the "fresh" IPBX install would be preserved by above additional steps so that the old "failing" updates would not be restored. Can you shed some light on this?

 

[RPi-Fan]

Protect the /root folder and the index* files in /var/www/html on the machine before doing a restore from the image:

chattr -R +i /root
chattr +i /var/www/html/index*

Ward,

I'm curious why you didn't add this to incrediblerestore:

chattr -R +i /root
chattr +i /var/www/html/index*

cd /
tar zxvf $1

chattr -R -i /root
chattr -i /var/www/html/index*

 

[wardmundy]

It depends on the platform. If you're moving to a new server from an old one, you would definitely want to do that. Some people actually use Incredible Restore to restore a backup on the same platform. In this case, you wouldn't want to protect the files from being overwritten.