
TUTORIAL IPtables WhiteList Updater for Remote Sites

Discussion in 'Wish List' started by dad311, Jan 11, 2012.

  1. dad311 Guru

    In regards to remote SIP phones:

    If John Smith had a remote SIP phone and a dyndns.org account, the PBX could perform an nslookup against John Smith's FQDN and obtain the IP address.

    If John Smith's IP address changes, the IPTABLES whitelist would be updated and reloaded to reflect the change.

    Anyone see an issue with this?
  2. atsak Guru

    No problem except that IPtables can't use FQDNs as far as I understand it, so you'll need an intermediary script to update IPtables.
  3. wardmundy Nerd Uno

    IPtables WhiteList Updater for Remote Sites NOT hotels

    Good idea. You and MichiganTelephone are on the same page. We're going to write this up in coming weeks on Nerd Vittles, but here's a first cut at the script. Once set up at both ends, it's all automagic. :sorcererb:

    PREREQUISITES

    First, create a FQDN for your remote phone/site using a service that supports automatic updating of dynamic IP addresses. We would recommend DynDNS primarily because we've always used them and they have good tools.

    At the remote end, you'll need either a router or a PC, Mac, or Linux box that keeps the IP address of the FQDN up to date using a service such as DynDNS. Here are the clients. Simply stated, you're setting up a FQDN for each site that has one or more remote phones, and you're putting an auto-update system in place to keep the FQDN current.

    At your server, you add shell scripts like the one below for each location. Name them so you can remember which script goes with which phone. In each script, you specify the FQDN and phone name (no punctuation or spaces in the phone name because this becomes a temporary file!) for each remote phone or site. Then add an entry in /etc/crontab to run the script every 5 or 10 minutes.


    Code:
    #!/bin/bash
    
    fqdn="mundy.org"
    phone="ipremote"
    
    # Resolve the FQDN. The ping method is kept for reference; nslookup also
    # works on sites where ping is blocked
    #iptest=`ping -c 1 $fqdn | head -1 | cut -f 2 -d "(" | cut -f 1 -d ")"`
    iptest=`nslookup $fqdn | tail -2 | cut -f 2 -d " " | head -1`
    # Stop if the lookup returned nothing, so the existing rule is never
    # replaced by a rule with an empty source address
    if [ -z "$iptest" ]; then
     echo "Lookup failed: $fqdn"
     exit 2;
    fi
    # The phone name doubles as the temporary file holding the last known IP
    if [ ! -s "$phone" ]; then
     echo "1.1.1.1" > $phone
    fi
    iplast=`cat $phone`
    if [ "$iptest" != "$iplast" ]; then
     echo "Don't match"
     /sbin/iptables -D INPUT -s $iplast/32 -p udp -m udp --dport 5000:5082 -j ACCEPT
     /sbin/iptables -A INPUT -p udp -m udp -s $iptest --dport 5000:5082 -j ACCEPT
     echo "Dropped: $iplast"
     echo "Added  : $iptest ($phone: $fqdn)"
     service iptables save
     echo $iptest > $phone
    # iptables -nL
     exit 1;
    else
     echo "Matched: $iptest"
    fi
    

    We recommend you continue to use Travelin' Man for traveling to hotels and temporary stays at remote sites.

    P.S. I liked Dad311's nslookup idea. Works much better than ping which may not always be available on a remote site or phone.
  4. BlaSTiWi New Member

    Tkx Ward!

    In addition to that, didn't we have to allow the IP as an extension? But I'm not sure where I saw that in PIAF1.
  5. wardmundy Nerd Uno

    Only if you're using this with Incredible PBX. If you heed the advice to run your server behind a firewall with no Internet port exposure, then you can safely dispense with this safeguard.
  6. BlaSTiWi New Member

    I may be off here, but when the IP is updated, should it be saved to the phone name?

    echo $iptest > $phone

  7. tbrummell Guru

    I was hoping you'd do this. ;) Now I'll be locked down a little better.
  8. dad311 Guru

    Well, I guess I ASSUMED that if iptables figured out the IP once, it would re-figure after a reload. :eek:

    I'll try to force an IP change and see if it auto updates.
  9. wardmundy Nerd Uno

    I deleted my comment until I could actually test it. Would be nice if it worked. ;)
  10. dad311 Guru

    Well, I was wrong: the script detects the update and reloads iptables, but keeps the same address. Shame on me. :rolleyes5:

    However, the above script would be useful for SIP, WEB or SSH access.
  11. wardmundy Nerd Uno

    Looks like it will work. Good idea! You would want the FQDN DNS entry to have a very low TTL, not the default 14400 seconds. I set my test to 120 seconds. I'll work on it a little more now. :D

    Code:
    /etc/sysconfig/iptables entry: -A INPUT -s test.mundy.org -p tcp -m tcp -j ACCEPT
    

  12. dad311 Guru

    Wow, I changed my IP in dyns.org and ran the script, and it never updated iptables.

    Glad you had success.
  13. wardmundy Nerd Uno

    Not sure whether DynDNS will let you adjust the TTL. The default TTL is probably set to 14400 seconds so the IP address for your FQDN hasn't been updated yet. Try again in 4 hours. :wink5:

    P.S. Low TTL settings would really hammer their DNS servers. I backed mine out after the 3 minute test.
  14. Hyksos Guru

    I think DynDNS lets you put it to something as low as 1, at least they did before. The thing is, a free account has a maximum number of requests per month before they ask you to upgrade.

    So it would make sense for them to let you put it very low so you eventually want to upgrade.

    If the DynDNS minimum TTL is too high or their max requests is too low, I've seen scripts and projects out there that will essentially turn Amazon Route 53 into your own DynDNS ;)
    Then you can do what you want and pay only for what you use.
    They have no minimum TTL. 10 is the recommended minimum.

    Just remember that DNS servers have no real obligation to respect the TTL, so some providers might ignore it if it's too low according to them, which you have no control over!
  15. wardmundy Nerd Uno

    If you choose to go with the dad311 approach by entering FQDNs in iptables, then I'm wondering whether we need to test for IP address changes at all. Seems like it would be just as easy to add service iptables restart to crontab and run it every 30 minutes. Doesn't appear that such a restart would mess up anything. Am I missing something?
  16. dad311 Guru

    I believe this would work, but it might not be the best way.

    If using remote phones @ FQDN, you could lose phone service for up to 30 minutes.

    I think it's just cleaner to have a script check the FQDN for a change every 5 minutes.

    Another thought, what would happen to Iptables if the FQDN was not found by nslookup? Would the iptables reload fail? This needs to be checked.

    Maybe the script needs to ping the FQDN first, then if the ping is successful, continue with the nslookup and reload (if needed) of iptables.
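A hardened version of the post 3 checker that covers the failure case raised here (a name that does not resolve), as an added example that is not part of the original thread. It assumes glibc's getent for name resolution, a state file path of your choosing (the default shown is a constructed /var/lib/ipchecker/<fqdn>), and SIP rules in the form used later in the thread (-p udp -m udp -s <ip>/32 --dport 5060:5070 -j ACCEPT).

```shell
#!/bin/sh
# Added example, not from the thread: a hardened FQDN whitelist check.
# Assumes glibc getent for resolution, a state file path you choose
# (constructed default: /var/lib/ipchecker/<fqdn>) and the thread's SIP rule form.

# Succeed only for a dotted quad whose four octets are each in 0..255.
is_ipv4() {
  case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print the first IPv4 address for $1; print nothing and fail when the name
# does not resolve (NXDOMAIN, DNS down) or the answer is not an address.
resolve_ipv4() {
  answer=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
  is_ipv4 "$answer" || return 1
  printf '%s\n' "$answer"
}

# Print the iptables commands that move the whitelist from $1 to $2. The
# delete is skipped on a first run, when no previous address is on record.
rule_changes() {
  spec="-p udp -m udp --dport 5060:5070 -j ACCEPT"
  if [ -n "$1" ]; then printf '/sbin/iptables -D INPUT -s %s/32 %s\n' "$1" "$spec"; fi
  printf '/sbin/iptables -A INPUT -s %s/32 %s\n' "$2" "$spec"
}

# Check one phone: returns 0 (unchanged), 1 (rules updated) or 2 (lookup
# failed; the existing rule and the state file are left untouched).
# DRY_RUN=1 prints the iptables commands instead of running them.
check_phone() {
  fqdn=$1; statefile=${2:-/var/lib/ipchecker/$1}
  current=$(resolve_ipv4 "$fqdn") || { echo "Lookup failed for $fqdn; rule kept"; return 2; }
  last=$(cat "$statefile" 2>/dev/null || :)
  if [ "$current" = "$last" ]; then echo "Matched: $current"; return 0; fi
  rule_changes "$last" "$current" | while IFS= read -r cmd; do
    # $cmd is deliberately unquoted: it is a command line we built ourselves
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd || echo "warning: failed: $cmd"; fi
  done
  [ "${DRY_RUN:-0}" = 1 ] || service iptables save
  mkdir -p "$(dirname "$statefile")" && printf '%s\n' "$current" > "$statefile"
  echo "Updated $fqdn: ${last:-none} -> $current"
  return 1
}
# Run from cron once per phone, e.g.: */5 * * * * root /root/ipcheck phone.dyndns.org
if [ $# -ge 1 ]; then check_phone "$@"; fi
```

The exit code 2 lets the cron wrapper distinguish a DNS outage from a real address change, and the old rule stays in force until the name resolves again.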
  17. wardmundy Nerd Uno

    Maybe what we could do is build a table of external extensions, and then run asterisk -rx "sip show peer ext#" against the table listings every few minutes. If the result came back with Status: UNKNOWN, then we could use that to trigger service iptables restart to search for and refresh the FQDN IP addresses.

  18. dad311 Guru

    I like that idea!
  19. wardmundy Nerd Uno

    Here's a Sample Implementation Using a Single File

    Assumptions: This presupposes that you have created FQDNs using a service such as DynDNS for each of your external SIP phones and that you're using some sort of dynamic updating software on the same subnet as each of your external SIP phones in order to keep DynDNS IP addresses current. It also assumes that you have blocked ALL SIP access to your server and then added SIP entries to /etc/sysconfig/iptables with the FQDNs of each of your external SIP phones:

    -A INPUT -p udp -m udp -s fqdn.dyndns.org --dport 5060:5070 -j ACCEPT

    Installation: Just create this ipchecker bash script in /root, make it executable, and add the entry below to /etc/crontab to run the script every 3 minutes or however often you like:

    */3 * * * * root /root/ipchecker > /dev/null


    Code:
    #!/bin/bash
    
    # Insert the external extensions to be checked below
    # Remember to increment the extension[#]
    extension[0]=204
    extension[1]=205
    
    # Don't make changes below this line
    element_count=${#extension[@]}
    restartflag=0
    index=0
    while [ "$index" -lt "$element_count" ]
    do
     siptest=`asterisk -rx "sip show peer ${extension[$index]}" | grep UNKNOWN`
     if [ -z "$siptest" ] ; then
       echo "Extension ${extension[$index]} OK" 
     else
       echo "Extension ${extension[$index]} DOWN" 
       restartflag=1
     fi
     ((index++))
    done
    if [ $restartflag -eq 1 ]; then
     service iptables restart
    fi
    exit 0
    
  20. dad311 Guru

    This seems to work. Have you verified that iptables updates upon an IP change?
