TUTORIAL IPtables WhiteList Updater for Remote Sites

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
I'm using this script to update ssh, web, etc. iptables when the domain IP changes. Place the script in the crontab and run it every 30 minutes.

Assumptions: This presupposes that you have created FQDNs using a service such as DynDNS for your remote location, and some sort of dynamic updating software on the same subnet as your remote location in order to keep the DynDNS IP addresses current. It also assumes that you have blocked ssh, web, etc. access to your server and then added ssh, web, etc. entries to /etc/sysconfig/iptables with the FQDNs of your remote location:


Example for tcp port 22 (ssh) from iptables:

-A INPUT -p tcp -m tcp -s fqdn.dyndns.org --dport 22 -j ACCEPT



#!/bin/bash

# FQDN of the remote site (kept current by the DynDNS updater at that site)
fqdn="domain.com"
# State file holding the last IP address this script acted on
phone="mydomain"

# Resolve the FQDN to its current address
iptest=`nslookup $fqdn | tail -2 | cut -f 2 -d " " | head -1`
# If the lookup returned nothing, leave the current rules alone rather than
# comparing against an empty string
if [ -z "$iptest" ]; then
    echo "Lookup failed for $fqdn"
    exit 2
fi
# Seed the state file on first run so there is something to compare against
if [ ! -s "$phone" ]; then
    echo "1.1.1.1" > "$phone"
fi
iplast=`cat "$phone"`
if [ "$iptest" != "$iplast" ]; then
    echo "Don't match"
    echo "Dropped: $iplast"
    echo "Added : $iptest ($phone: $fqdn)"
    # Reloading re-resolves the FQDNs in /etc/sysconfig/iptables
    service iptables restart
    # Save the new address to the state file ($phone, not a fixed filename)
    echo "$iptest" > "$phone"
    # iptables -nL
    exit 1;
else
    echo "Matched: $iptest"
fi
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Worked for me. As noted previously, it all depends upon the TTL of the DNS server. If the IP address has changed there, then the iptables reload will catch it. If not, it'll try again in 3 minutes or whatever you set in the crontab entry.

This should be perfect for sites on the Internet such as RentPBX. Now you can completely lock down SIP as well as the other services while preserving remote access.
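The check the opening script performs (resolve the FQDN, compare with the last address acted on, reload only on change) and the TTL caveat raised in the reply above, as an added example that is not part of the thread and not dad311's or Ward's code. It goes a little beyond the original: it parses a dig-style answer section (so a DynDNS CNAME chain followed by the A record is handled), refuses to touch the state or reload when the lookup returned nothing, and reports the worst-case detection lag (cron interval plus record TTL, since the resolver may keep serving the old answer until the TTL expires). The function names, the state file path, the `STATE_FILE`/`RELOAD_CMD` variables and the dig output are all this example's own assumptions; the sample output is constructed, not a real lookup.

```shell
#!/bin/bash
# Added example (not from the thread): resolve the whitelisted FQDN, compare
# the answer with the last address acted on, and only reload the firewall
# when it changed. Function and file names here are this example's own.

# Pull "IP TTL" out of dig's answer section (stdin). Takes the first A record,
# so a DynDNS CNAME chain (CNAME line followed by the A line) is handled too.
parse_dig_answer() {
    awk '$3 == "IN" && $4 == "A" { print $5, $2; exit }'
}

# Compare the resolved IP with the one saved in the state file.
# Exit status: 0 = changed (state file updated), 1 = unchanged,
# 2 = no IP supplied (lookup failed; keep the current rules, do not reload).
update_state() {
    state_file="$1"; new_ip="$2"
    [ -n "$new_ip" ] || return 2
    old_ip=""
    [ -s "$state_file" ] && old_ip=$(cat "$state_file")
    [ "$new_ip" != "$old_ip" ] || return 1
    printf '%s\n' "$new_ip" > "$state_file"
    return 0
}

# Worst-case seconds between the remote IP changing and the reload: the
# resolver may serve the old answer for up to TTL seconds, plus the cron gap.
worst_case_lag() {
    echo $(( $1 + $2 ))   # $1 = cron interval in seconds, $2 = record TTL
}

# Constructed sample of `dig +noall +answer fqdn.dyndns.org` output; on a live
# system replace the printf in main with the real dig call.
sample_dig='fqdn.dyndns.org.      60  IN  CNAME  host.dyndns.example.
host.dyndns.example.  60  IN  A      203.0.113.7'

main() {
    state="${STATE_FILE:-/tmp/fqdn-whitelist.ip}"
    # Hypothetical hook: set RELOAD_CMD="service iptables restart" for real use
    reload="${RELOAD_CMD:-echo would run: service iptables restart}"
    set -- $(printf '%s\n' "$sample_dig" | parse_dig_answer)
    ip="$1"; ttl="$2"
    rc=0; update_state "$state" "$ip" || rc=$?
    case "$rc" in
        0) echo "Changed to $ip (TTL ${ttl}s, worst-case lag $(worst_case_lag 1800 "$ttl")s)"
           $reload ;;
        1) echo "Unchanged: $ip" ;;
        *) echo "Lookup failed; leaving current rules in place" ;;
    esac
}

main
```

Run it from cron with `STATE_FILE` pointing somewhere persistent and `RELOAD_CMD` set to the real reload; the lookup-failure branch matters because an empty answer would otherwise be written to the state file and force a reload that resolves the FQDN to nothing, dropping the remote site's access until the next successful run.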
 

mark_o

New Member
Joined
Aug 2, 2010
Messages
5
Reaction score
0
My office has a dynamic IP address at the moment, and I think it's causing our phones to go out frequently. We're getting a static IP in about a week.

From what I can tell, I can use our router to connect to DynDNS and update our IP address as it changes.

So then should I simply hardcode the DynDNS domain into Asterisk somehow?
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
My office has a dynamic IP address at the moment, and I think it's causing our phones to go out frequently. We're getting a static IP in about a week.

From what I can tell, I can use our router to connect to DynDNS and update our IP address as it changes.

So then should I simply hardcode the DynDNS domain into Asterisk somehow?

If you have a static IP, you can hardcode the static IP address in iptables.
 

mark_o

New Member
Joined
Aug 2, 2010
Messages
5
Reaction score
0
Right, but:
1) We don't have the static IP right now and I would like to get the phones working again (we just moved offices) and
2) So far we've had a lot of trouble with remote extensions, and since our PBX is on RentPBX, ALL of our extensions are remote and we are getting a lot of failed incoming calls. The calls are answered fine by the IVR but then routing them to the extensions fails.

Right now I think the main issue is the frequently changing IP address. Any ideas?
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Do you have firewall settings for your remote extensions enabled on rentpbx? If so drop the firewall settings for SIP and make sure you have good extension passwords.

After the above, test your phones, see if the problem(s) go away.

Consider setting up a VPN server on your rentpbx. Connect your remote phones via VPN and never have to deal with dyndns or dynamic IPs.

Ward's script, mentioned below, is also a great solution. However, if you have a biz with heavy call volume and your IP is changing often, you still might want to consider a VPN.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Follow this setup. Works great. Used it in the mountains (very remote) all of last weekend with no problems. You might have to adjust the nat setting for the remote extensions to yes in FreePBX on RentPBX.com. Other than that, it was simple.
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Glad to hear it's been officially tested.

Any idea how often your IP changed?
 

superuser

New Member
Joined
May 1, 2008
Messages
11
Reaction score
0
You've got to replace ipremote with $phone or it won't work.