PIONEERS Travelin' Man 4 Is Ready

wardmundy

I have begun work on the next release of Travelin' Man to provide BOTH an administrator-maintainable WhiteList for the Linux IPtables firewall as well as a facility for those in the field to add their own IP addresses using a phone and perhaps email as well.

Now is the time to offer suggestions!!!

My initial design looks like this. There would be a MySQL database to store entries rather than separate .iptables files as we have with Travelin' Man 3 now. The admin-maintained portion would work pretty much as TM3 works today. There would be scripts to add IPs, FQDNs, and delete existing entries.

The new piece would be for remote users to maintain their own WhiteList entries. Basically, the administrator would assign an 8-digit unique account number (that doesn't start with a zero or 9) and a 5-digit PIN (that doesn't start with a zero) together with the user's email address for each remote user. Account numbers starting with 9 would be reserved for admin use with root privileges. The fourth field would store ONE IP address. Each authorized user could add or replace their WhiteListed IP address by calling in, providing the correct acctno and pin and then keying in an IP address, e.g. 123*45*67*89 for 123.45.67.89. They'd get a chance to verify that the IP address was correct but no other error checking. They'll know if it doesn't work 'cause their phone won't work. Then they can dial in and try again.

On the server itself, there would be a reserved directory to hold files generated by these phone calls. A typical file with wide open privileges (Level 0 in TM3) would look like this:
Code:
# // New entry for 12345678
-A INPUT -s 1.2.3.4 -j ACCEPT
# // End entry for 12345678

FYI: The Asterisk user account cannot be used to manage IPtables directly for security reasons. So...

Once every minute or two, a cron job running as root would check to see if any files were in the directory. If so, it would process them by adding the contents to /etc/sysconfig/iptables (CentOS/SciLinux platform) or /etc/network/iptables (RasPi/BeagleBone) and restarting IPtables: iptables-restart. It also would remove any previous IPtables entry for that same account number. An email would be sent to the end-user when the new IP address was activated by looking up the email address based upon the unique account number. Then the file would be removed.

I'm undecided whether to include a permissions field to manage which rights get assigned to each acctno. TM3 lets you choose from wide open access or a combination of 9 other services. Do we need that?? If so, it would be admin-controlled when you created user accounts.

Other ideas??
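As an added example (not Travelin' Man's own code), the root-side merge step the cron job above would perform for one queued file: it drops any earlier block for the same account number and inserts the new one above the "# End of Trusted Provider Section" marker that TM3's secure-iptables writes. Because root acts on a file the Asterisk user wrote, this version validates the account number and dotted-quad address and rebuilds the block from those two values rather than copying the file verbatim; that check, and the exit-code convention, are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Travelin' Man's own code: merge one phone-generated entry
# file into the iptables rules file, replacing any earlier block for the same
# account. The block layout and the "# End of Trusted Provider Section" marker
# come from the thread; the format checks are an added assumption.

# Usage: tm4_merge_entry <entry-file> <iptables-rules-file>
# Returns 0 on success, 1 on a malformed entry, 2 if the marker is missing.
tm4_merge_entry() {
    entry=$1; rules=$2
    acct=$(sed -n 's|^# // New entry for \([0-9]*\)$|\1|p' "$entry" | head -n 1)
    ip=$(sed -n 's|^-A INPUT -s \([0-9.]*\) -j ACCEPT$|\1|p' "$entry" | head -n 1)

    # Root will write this into the firewall, but the Asterisk user wrote the
    # file, so accept only an 8-digit account (no leading zero) and a dotted
    # quad with octets 0-255, and rebuild the block from those two values only.
    case $acct in
        [1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    echo "$ip" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }' || return 1

    tmp=$(mktemp) || return 1
    if awk -v acct="$acct" -v ip="$ip" '
        $0 == ("# // New entry for " acct) { skip = 1 }      # drop the old block
        skip { if ($0 == ("# // End entry for " acct)) skip = 0; next }
        $0 == "# End of Trusted Provider Section" {          # new block goes above the marker
            print "# // New entry for " acct
            print "-A INPUT -s " ip " -j ACCEPT"
            print "# // End entry for " acct
            found = 1
        }
        { print }
        END { if (!found) exit 2 }
    ' "$rules" > "$tmp"; then
        mv "$tmp" "$rules"
    else
        rc=$?; rm -f "$tmp"; return "$rc"
    fi
}
```

After a successful merge the caller would still restart IPtables, look up the account's email address and remove the queued file, as the post describes.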
 

wardmundy

ipaddress has been changed to 50 characters to accommodate admin FQDN entries.
 

wardmundy

As a counterpoint, I either trust a user or I don't. Since all the services can run with different credentials, I don't see it as being strictly necessary to grant partial access to a user.

Is there a facility to expire whitelisted addresses automatically?


How would we implement that?? The WhiteListed address would get replaced if the person moved to another location or a different IP address, but other than that, would we really want to kill somebody's connection?? And, if so, when?

As for the scope of credentials, perhaps we should default the entries to 0 (which would be all services) and let admins modify the entry if desired.
 

krakastan

This is great - all installed as expected... whitelisted an IP as expected...

observation: I use different ports for some services such as web and, as with TM3, updated the settings to reflect this (the tm4 file looks to me to be /root/tm4-update)

note: make sure the "# End of Trusted Provider Section" comment exists or it won't update.....

many thanks for this ....
 

wardmundy

This is great - all installed as expected... whitelisted an IP as expected...

observation: 1. I use different ports for some services such as web and, as with TM3, updated the settings to reflect this (2. the tm4 file looks to me to be /root/tm4-update)

3. note: make sure the "# End of Trusted Provider Section" comment exists or it won't update.....

many thanks for this ....

1. The real beauty of open source code. :)

2. A copy of tm4-update is placed in /root but also exists in /root/tm4 in case it gets accidentally deleted from /root. ;)

3. Yes, the # End of Trusted Provider Section marker must exist in iptables. If you followed the tutorial and you've activated Travelin' Man 3 by running /root/secure-iptables, this should all be taken care of. :cool:
 

Huckda

How would we implement that?? The WhiteListed address would get replaced if the person moved to another location or a different IP address, but other than that, would we really want to kill somebody's connection?? And, if so, when?

As for the scope of credentials, perhaps we should default the entries to 0 (which would be all services) and let admins modify the entry if desired.


Perhaps not automate it... but allow a button to clear all existing 'allowed'... I.E.

I had a number of staff go on mission trips during spring break to 5 different countries... I set up Zoiper on their phones with the travel'nman access page link... so throughout their journey they could make calls whenever and wherever they had internet. So when they all returned (these are teachers we're talking about), I wanted to nix the whitelisted addresses... didn't see a method for doing such... so I just accessed their page through a specific machine on the network and then nix'd their TM directory.
 

wardmundy

Huckda: New del-account script will wipe out an account, clear the IPtables entry, and restart IPtables. If that doesn't do what you need, let me know. It would be easy to add an additional script that deletes just the IP address, clears the IPtables entry, and restarts IPtables, thereby leaving the accounts in place for future use.
 

Huckda

Huckda: New del-account script will wipe out an account, clear the IPtables entry, and restart IPtables. If that doesn't do what you need, let me know. It would be easy to add an additional script that deletes just the IP address, clears the IPtables entry, and restarts IPtables, thereby leaving the accounts in place for future use.

I can definitely see value in having both..
 

wardmundy

IPv6 not yet supported. FQDNs for dynamic IP addresses still work as part of TM3 interface.
 

dbaum

Ward would you please consider adding T.38 as a service option, or alternatively add the appropriate ports to be opened when either of the SIP or IAX2 services are selected. Coincident with this, I will discuss a script with Tom to add the updtl_custom.conf file. Thanks!
 

jeff.h

Sorry for being late to this party, but is it possible to add an option that doesn't automatically add all the carriers? I don't use any of the ones from TM3 and always end up deleting them from IP tables.
 

wardmundy

Probably better to just store your own iptables setup somewhere and copy it in for new builds. The reluctance to turn off the carriers' WhiteList is the flood of complaints we'd receive when no one could connect with their provider. Can't win, I'm afraid. :taz: