wardmundy
Nerd Uno
Just an FYI that we've streamlined the TM3 Firewall design for Incredible PBX for Wazo and Incredible PBX for Raspberry Pi 3. It's rolling out now with all new installs. We'll work on a retrofit for existing servers soon. The new version preserves the original WhiteList design meaning access to your server is limited to those on the same private LAN, those that you've WhiteListed with the access privileges you've specified, and SIP providers that we've WhiteListed for SIP/IAX access only as part of the original install. Nobody else can even see your server!
Background
IPtables always has had a couple of serious design flaws (in our opinion). While it allows FQDNs (as opposed to IP addresses) in the main config file, if one of them happens to be off-line when IPtables loads, then the entire firewall comes crashing down. Same goes for a typo in an FQDN. We worked around this with a testing methodology incorporated into iptables-restart, but it still was kludgey. The other flaw was, if an administrator accidentally executed iptables save, all of the FQDNs were permanently converted to IP addresses and you permanently lost the ability to support dynamic DNS.
New Design
In the new design, we've separated your custom IP addresses and FQDNs into a new file: /usr/local/sbin/iptables-custom. These settings get loaded individually AFTER the IPtables firewall is up and running. If an FQDN is off-line, then the rule simply doesn't get loaded, but it doesn't blow your firewall out of the water. You still manage your custom IP addresses (add-ip) and FQDNs (add-fqdn) in the same way. And you remove entries (del-acct) just as you did before. Finally, ipchecker still is used to test FQDNs for changes in dynamic IP addresses, and we've added a reminder in add-fqdn to make sure you add your entries to the ipchecker array if you want them checked and refreshed. We've also added HTTPS (port 443) support to the Web option when you add an IP address or FQDN. With the new design, you still reload the firewall, your custom rules, and Fail2Ban by running iptables-restart.
HINT: If you run /etc/init.d/iptables restart by mistake, then your custom rules and Fail2Ban don't get loaded.
PortKnocker Addition
PortKnocker previously let a remote user ping the server with a 3-digit code to temporarily add the remote user's IP address to the IPtables Firewall so that they could gain access. We now are adding the ability to make successful PortKnocks permanent just as if you had used add-ip on the server to add an IP address. You still can remove these entries using del-acct although you will have to know the date and time that the entry was added. The file names consist of timestamp.iptables in /root and the additions are made to the custom WhiteList in /usr/local/sbin/iptables-custom.
To enable permanent PortKnocker additions, run command: iptables-knock activate
Upgrading Existing TM3 Setups on Incredible PBX for XiVO or Wazo ONLY
You can upgrade existing XiVO and Wazo implementations of Incredible PBX only! If you already have WhiteListed one or more IP addresses with add-ip or FQDNs with add-fqdn, you will have to remove all of them with del-acct, perform the upgrade, and then add them back again with add-ip and add-fqdn. WARNING: Do NOT remove the WhiteList entry for the IP address from which you are making these changes or you may lock yourself out of your server. All of the new entries are stored differently now and are not part of the main IPtables config file. This makes starting and restarting the firewall more reliable. Be sure you remove them before performing the upgrade!
Once you have made note of your custom entries and removed all of them, issue the following commands while logged in as root:
Code:
chattr +i /etc/rc.local
cd /
wget http://incrediblepbx.com/tm3-xivo.tar.gz
tar zxvf tm3-xivo.tar.gz
rm -f tm3-xivo.tar.gz
chattr -i /etc/rc.local
sed -i 's|-A INPUT -p udp -m udp --dport 69 -j ACCEPT|#-A INPUT -p udp -m udp --dport 69 -j ACCEPT|' /etc/iptables/rules.v4
Now add your custom entries again with add-ip and add-fqdn. Be sure to add the IP address of the machine from which you are performing the upgrade FIRST so you don't inadvertently lock yourself out of your server! Customizing ipchecker is no longer required to keep FQDNs with dynamic IP addresses current. Don't forget to activate the new PortKnocker feature if desired.
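As an added illustration of the design described above (this is not the project's own iptables-custom code, and the one-entry-per-line "host ports" format is assumed here), a loader that applies whitelist entries one at a time after the base firewall is up and skips any FQDN that fails to resolve instead of taking the whole firewall down:

```shell
#!/bin/sh
# Constructed example: apply custom whitelist entries individually, after the
# base IPtables rules are loaded, so one bad FQDN only costs one rule.
# Assumed file format (hypothetical, not the project's): one entry per line,
#   <ip-or-fqdn> <ports>      e.g. "203.0.113.7 all" or "home.example.net 22,443"
# Lines starting with '#' and blank lines are ignored.

resolve_host() {
  # Print the first IPv4 address for $1, or nothing if resolution fails.
  # A failed lookup is not an error here: the caller decides what to do.
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

build_rules() {
  # Read entries from file $1 and emit one iptables command per usable entry.
  # Entries that do not resolve are reported on stderr and skipped.
  while read -r host ports; do
    case "$host" in ''|\#*) continue ;; esac
    case "$host" in
      *[!0-9.]*) ip=$(resolve_host "$host") ;;   # contains letters: treat as FQDN
      *)         ip=$host ;;                      # dotted digits only: literal IPv4
    esac
    if [ -z "$ip" ]; then
      echo "skip: $host did not resolve, rule not loaded" >&2
      continue
    fi
    if [ "$ports" = all ]; then
      echo "iptables -A INPUT -s $ip -j ACCEPT"
    else
      echo "iptables -A INPUT -s $ip -p tcp -m multiport --dports $ports -j ACCEPT"
    fi
  done < "$1"
}

# Usage (after the base firewall is up):  sh load-custom.sh /path/to/custom-list | sh
if [ "$#" -gt 0 ]; then
  build_rules "$1"
fi
```

Because each entry becomes its own command, a typo or an offline dynamic-DNS name only loses that one rule, which is the failure mode the post contrasts with the old single-config-file load.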