TUTORIAL IPtables WhiteList Updater for Remote Sites

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
In regards to remote SIP phones:

If John Smith had a remote sip phone and a dyndns.org account, the pbx could perform a nslookup against John Smith's FQDN and obtain the IP address.

If John Smith's IP address changes, the IPTABLES whitelist would be updated and reloaded to reflect the change.

Anyone see an issue with this?
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,385
Reaction score
439
No problem except that IPtables can't use FQDNs as far as I understand it, so you'll need an intermediary script to update IPtables.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
IPtables WhiteList Updater for Remote Sites NOT hotels

Good idea. You and MichiganTelephone are on the same page. We're going to write this up in coming weeks on Nerd Vittles, but here's a first cut at the script. Once set up at both ends, it's all automagic. :sorcererb:

PREREQUISITES

First, create a FQDN for your remote phone/site using a service that supports automatic updating of dynamic IP addresses. We would recommend DynDNS primarily because we've always used them and they have good tools.

At the remote end, you'll need either a router or a PC, Mac, or Linux box that keeps the IP address of the FQDN up to date using a service such as DynDNS. Here are the clients. Simply stated, you're setting up a FQDN for each site that has one or more remote phones, and you're putting an auto-update system in place to keep the FQDN current.

At your server, you add shell scripts like the one below for each location. Name them so you can remember which script goes with which phone. In each script, you specify the FQDN and phone name (no punctuation or spaces in the phone name because this becomes a temporary file!) for each remote phone or site. Then add an entry in /etc/crontab to run the script every 5 or 10 minutes.


Code:
#!/bin/bash

fqdn="mundy.org"
phone="ipremote"    # no spaces or punctuation: this is also the name of the state file

# Alternative: take the address from the first line of ping's output
#iptest=`ping -c 1 $fqdn | head -1 | cut -f 2 -d "(" | cut -f 1 -d ")"`
iptest=`nslookup $fqdn | tail -2 | cut -f 2 -d " " | head -1`

# Leave iptables alone if the lookup returned nothing
if [ -z "$iptest" ]; then
 echo "Lookup of $fqdn failed; iptables left unchanged"
 exit 1
fi

# Seed the state file on the first run so there is something to compare against
if [ ! -s "$phone" ]; then
 echo "1.1.1.1" > "$phone"
fi
iplast=`cat "$phone"`
if [ "$iptest" != "$iplast" ]; then
 echo "Don't match"
 /sbin/iptables -D INPUT -s $iplast/32 -p udp -m udp --dport 5000:5082 -j ACCEPT
 /sbin/iptables -A INPUT -p udp -m udp -s $iptest --dport 5000:5082 -j ACCEPT
 echo "Dropped: $iplast"
 echo "Added  : $iptest ($phone: $fqdn)"
 service iptables save
 echo $iptest > "$phone"
# iptables -nL
 exit 1;
else
 echo "Matched: $iptest"
fi


We recommend you continue to use Travelin' Man for traveling to hotels and temporary stays at remote sites.

P.S. I liked Dad311's nslookup idea. Works much better than ping which may not always be available on a remote site or phone.
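A version of the updater for a whole table of remote sites, added here as an example and not part of Ward's script: it resolves with getent instead of parsing nslookup output, refuses to touch iptables when the lookup fails or returns anything but an IPv4 address, and uses iptables -C to confirm a rule is loaded before deleting it or calling it unchanged (so rules also come back after a reboot). The file paths, the port range 5060:5082 and the cron entry are assumptions.

```shell
#!/bin/bash
# Added example, not the forum's script: the same idea for a table of remote
# sites, with two guards the one-site version lacks. A failed lookup leaves the
# current rule alone instead of handing iptables an empty string, and a rule is
# removed only after "iptables -C" confirms it is loaded. Assumed: SITES_FILE
# holds "site fqdn" pairs, STATE_DIR keeps the last-seen address per site, and
# IPTABLES can point at a stand-in command for a dry run.

SITES_FILE="${SITES_FILE:-/etc/ipchecker.sites}"
STATE_DIR="${STATE_DIR:-/var/lib/ipchecker}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
PORTS="5060:5082"

# Resolve an FQDN to one IPv4 address (prints nothing on failure); getent asks
# the system resolver instead of scraping nslookup's human-readable output.
resolve_ipv4() { getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'; }

# Only a dotted quad may reach the iptables command line.
valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Is the ACCEPT rule for this address currently loaded?
has_rule() { "$IPTABLES" -C INPUT -s "$1/32" -p udp --dport "$PORTS" -j ACCEPT 2>/dev/null; }
# Refresh the rule for one site; prints unresolved, unchanged or changed.
update_site() {
    local fqdn="$2" state="$STATE_DIR/$1" new old
    new=$(resolve_ipv4 "$fqdn" || true)
    valid_ipv4 "$new" || { echo unresolved; return 0; }
    old=$(cat "$state" 2>/dev/null || true)
    # "unchanged" only if the rule really is loaded; it is gone after a reboot.
    if [ "$new" = "$old" ] && has_rule "$new"; then echo unchanged; return 0; fi
    if [ -n "$old" ] && has_rule "$old"; then
        "$IPTABLES" -D INPUT -s "$old/32" -p udp --dport "$PORTS" -j ACCEPT
    fi
    # -I keeps the whitelist entry ahead of any blanket SIP block appended later.
    "$IPTABLES" -I INPUT -s "$new/32" -p udp --dport "$PORTS" -j ACCEPT
    printf '%s\n' "$new" > "$state"
    echo changed
}

# Walk the site table; blank lines and # comments are skipped.
run_all() {
    mkdir -p "$STATE_DIR"
    while read -r site fqdn; do
        case "$site" in ''|'#'*) continue ;; esac
        echo "$site ($fqdn): $(update_site "$site" "$fqdn")"
    done < "$SITES_FILE"
}

# Assumed cron entry: */5 * * * * root /root/ipchecker
if [ -r "$SITES_FILE" ]; then run_all; else echo "no $SITES_FILE, nothing to do" >&2; fi
```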
 

BlaSTiWi

New Member
Joined
Dec 9, 2010
Messages
18
Reaction score
0
Tkx Ward!

In addition to that didn't we have to allow the IP as an extension? But not sure where I saw that in PIAF1.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Only if you're using this with Incredible PBX. If you heed the advice to run your server behind a firewall with no Internet port exposure, then you can safely dispense with this safeguard.
 

BlaSTiWi

New Member
Joined
Dec 9, 2010
Messages
18
Reaction score
0
I'm maybe off here, but when the IP is updated, should it be saved to the phone name?

echo $iptest > $phone

[...]
Code:
#!/bin/bash

fqdn="mundy.org"
phone="ipremote"

#iptest=`ping -c 1 $fqdn | head -1 | cut -f 2 -d "(" | cut -f 1 -d ")"`
iptest=`nslookup $fqdn | tail -2 | cut -f 2 -d " " | head -1`
if [ ! -s "$phone" ]; then
 echo "1.1.1.1" > $phone
fi
iplast=`cat $phone`
if [ $iptest != $iplast ]; then
 echo "Don't match"
 /sbin/iptables -D INPUT -s $iplast/32 -p udp -m udp --dport 5000:5082 -j ACCEPT
 /sbin/iptables -A INPUT -p udp -m udp -s $iptest --dport 5000:5082 -j ACCEPT
 echo "Dropped: $iplast"
 echo "Added  : $iptest ($phone: $fqdn)"
 service iptables save
 echo $iptest > ipremote
# iptables -nL
 exit 1;
else
echo "Matched: $iptest"
fi
[...]
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
Good idea. You and MichiganTelephone are on the same page. We're going to write this up in coming weeks on Nerd Vittles, but here's a first cut at the script. Once set up at both ends, it's all automagic. :sorcererb:
I was hoping you'd do this. ;) Now I'll be locked down a little better.
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Have you tried this? My understanding is that all FQDNs get replaced with IP addresses the first time iptables is restarted/reloaded. In short, it would only work once.

Well, I guess I ASSUMED that if iptables figured out the IP once, it would re-figure after a reload. :eek:

I'll try to force an IP change and see if it auto updates.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
I deleted my comment until I could actually test it. Would be nice if it worked. ;)
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Well, I was wrong; the script detects the update and reloads iptables, but it keeps the same address. Shame on me. :rolleyes5:

However, the above script would be useful for SIP, WEB or SSH access.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Looks like it will work. Good idea! You would want the FQDN DNS entry to have a very low TTL, not the default 14400 seconds. I set my test to 120 seconds. I'll work on it a little more now. :D

Code:
/etc/sysconfig/iptables entry: -A INPUT -s test.mundy.org -p tcp -m tcp -j ACCEPT

nslookup test.mundy.org | tail -2 | cut -f 2 -d " " | head -1
result: 209.159.159.148
service iptables restart
iptables -nL returns: ACCEPT tcp -- 209.159.159.148 0.0.0.0/0 tcp

nslookup test.mundy.org | tail -2 | cut -f 2 -d " " | head -1
result: 173.10.248.1
service iptables restart
iptables -nL returns: ACCEPT tcp -- 173.10.248.1 0.0.0.0/0 tcp
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Wow, I changed my IP in dyndns.org, ran the script, and it never updated iptables.

Glad you had success.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Not sure whether DynDNS will let you adjust the TTL. The default TTL is probably set to 14400 seconds so the IP address for your FQDN hasn't been updated yet. Try again in 4 hours. :wink5:

P.S. Low TTL settings would really hammer their DNS servers. I backed mine out after the 3 minute test.
 

Hyksos

Guru
Joined
May 28, 2011
Messages
474
Reaction score
70
I think dyndns lets you set it to something as low as 1; at least they did before. The thing is, a free account has a maximum number of requests per month before they ask you to upgrade.

So it would make sense for them to let you put it very low so you eventually want to upgrade.

If dyndns's minimum TTL is too high or their max requests is too low, I've seen scripts and projects out there that will essentially turn Amazon Route 53 into your own dyndns ;)
Then you can do what you want and pay only for what you use.
They have no minimum ttl. 10 is the recommended minimum.

Just remember that DNS servers have no real obligation to respect the TTL, so some providers might ignore it if it's too low by their standards, and that you have no control over!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
If you choose to go with the dad311 approach by entering FQDNs in iptables, then I'm wondering whether we need to test for IP address changes at all. Seems like it would be just as easy to add service iptables restart to crontab and run it every 30 minutes. Doesn't appear that such a restart would mess up anything. Am I missing something??
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
I believe this would work, but it might not be the best way.

If using remote phones @ FQDN you could lose phone service for up to 30 minutes.

I think it's just cleaner to have a script check the FQDN for a change every 5 minutes.

Another thought: what would happen to iptables if the FQDN was not found by nslookup? Would the iptables reload fail? This needs to be checked.

Maybe the script needs to ping the FQDN first, then if the ping is successful, continue with the nslookup and reload (if needed) of iptables.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Maybe what we could do is build a table of external extensions, and then run asterisk -rx "sip show peer ext#" against the table listings every few minutes. If the result came back with Status: UNKNOWN, then we could use that to trigger service iptables restart to search for and refresh the FQDN IP addresses.

 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Here's a Sample Implementation Using a Single File

Assumptions: This presupposes that you have created FQDNs using a service such as DynDNS for each of your external SIP phones and that you're using some sort of dynamic updating software on the same subnet as each of your external SIP phones in order to keep DynDNS IP addresses current. It also assumes that you have blocked ALL SIP access to your server and then added SIP entries to /etc/sysconfig/iptables with the FQDNs of each of your external SIP phones:

-A INPUT -p udp -m udp -s fqdn.dyndns.org --dport 5060:5070 -j ACCEPT

Installation: Just create this ipchecker bash script in /root, make it executable, and add the entry below to /etc/crontab to run the script every 3 minutes or however often you like:

*/3 * * * * root /root/ipchecker > /dev/null


Code:
#!/bin/bash

# Insert the external extensions to be checked below
# Remember to increment the extension[#]
extension[0]=204
extension[1]=205

# Don't make changes below this line
element_count=${#extension[@]}
restartflag=0
index=0
while [ "$index" -lt "$element_count" ]
do
 # Status: UNKNOWN in the peer listing is taken as the sign that the phone
 # can no longer reach Asterisk, i.e. its address has probably changed
 siptest=`asterisk -rx "sip show peer ${extension[$index]}" | grep UNKNOWN`
 if [ -z "$siptest" ] ; then
   echo "Extension ${extension[$index]} OK"
 else
   echo "Extension ${extension[$index]} DOWN"
   restartflag=1
 fi
 ((index++))
done
# A restart re-resolves the FQDNs in /etc/sysconfig/iptables
if [ "$restartflag" -eq 1 ]; then
 service iptables restart
fi
exit 0
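Following up on dad311's question about what happens when an FQDN does not resolve, here is an added example (not Ward's ipchecker, not from the thread) that checks every hostname used in an -s/-d match of the saved ruleset before restarting: iptables-restore aborts on a name it cannot resolve, so a dead DynDNS entry would turn a routine restart into a failed reload. The rules file path, the restart command and the cron entry are assumptions.

```shell
#!/bin/bash
# Added example (not the forum's ipchecker). Before "service iptables restart"
# re-resolves the FQDNs in the saved ruleset, check that every hostname used in
# an -s/-d match still resolves: iptables-restore aborts on a name it cannot
# resolve, so a dead DynDNS entry turns a routine restart into a failed reload.
# The rules file path and RESTART_CMD (override it for a dry run) are assumptions.

RESTART_CMD="${RESTART_CMD:-service iptables restart}"

# True when the value is a literal IPv4 address or CIDR, i.e. needs no lookup.
is_literal_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Resolver hook: getent uses the same system resolver iptables will use.
resolves() { getent ahostsv4 "$1" >/dev/null 2>&1; }

# Print each hostname (not literal IP) given to -s/--source/-d/--destination,
# accepting both "! -s host" and the older "-s ! host" negation syntax.
hostnames_in_rules() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(-s|--source|--src|-d|--destination|--dst)$/) {
                 v = $(i + 1); if (v == "!") v = $(i + 2); print v } }' "$1" |
    sort -u | while read -r h; do is_literal_ip "$h" || printf '%s\n' "$h"; done
}

# Print the hostnames that fail to resolve; exit 0 only when all of them resolve.
unresolvable_hosts() {
    rc=0
    for h in $(hostnames_in_rules "$1"); do
        resolves "$h" || { printf '%s\n' "$h"; rc=1; }
    done
    return $rc
}

# Restart iptables only when every FQDN in the ruleset file ($1) resolves.
safe_restart() {
    bad=$(unresolvable_hosts "$1") && { $RESTART_CMD; return 0; }
    echo "refusing iptables restart, unresolvable: $bad" >&2
    return 1
}

# Assumed cron entry: */3 * * * * root /root/safe-restart /etc/sysconfig/iptables
if [ $# -eq 1 ]; then safe_restart "$1"; fi
```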
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
This seems to work. Have you verified that iptables updates upon an IP change?
 
