TIPS Vultr install blocks whitelisted IP

Eliad

Active Member
I just recently installed the latest version of IncrediblePBX on CentOS 6. When the install finishes I cannot access the server by using a whitelisted IP. I can access the server through the console and the original IP used for the install, but no other IP that I added to the iptables and/or via ./add-ip, or even by modifying iptables-custom. When I installed the server I used the DHCP network option for the install of CentOS, and then I also tried a manual IP. The firewall is not activated on the Vultr dashboard.

I have made another install on OVH and it does not have this behavior.

No idea what I can do to fix this behavior. I would like to be able to add trusted IPs to the whitelist as it should work. Vultr performance is great and I would like to stick with them. The latency and bandwidth are great.
 

kenn10

Well-Known Member
I would rebuild the instance on the Vultr dashboard and then try the install again. I've used Vultr for a couple of years with no problem. If the problem is still there after your reinstall, submit a ticket. They are very good with troubleshooting and fast to reply to tickets.

One last thing, did you remember to add-ip or add-fqdn from the /root directory for all your remote IP addresses? That allows /root/ipchecker to whitelist them.


Eliad

Active Member
I did reinstall the instance a few times and no luck. It is all good until I run ./IncrediblePBX-13-13.sh the second time to finish the install. ./add-ip was run from the root directory. When I do iptables-restart, while the iptables are down I can briefly access the server. I thought perhaps there is something wrong with the IncrediblePBX iptables install, since I do not see anything on the Vultr dashboard that could have interfered. I will put in a ticket with Vultr too.

I noticed there are other users with a problem with iptables on Vultr. I think they are related.
https://pbxinaflash.com/community/threads/iptables-blocking-valid-ip.23641/
https://pbxinaflash.com/community/threads/portknock-required-every-day.23631/

wardmundy

Nerd Uno
iptables -nL should show whether the affected IP addresses have been whitelisted. What do you see??
 

Eliad

Active Member
iptables -nL should show whether the affected IP addresses have been whitelisted. What do you see??
The IP I am trying to use, which is in the iptables whitelist, shows this:

Chain f2b-default (2 references)
target prot opt source destination
REJECT all -- 72.175.xxx.xx 0.0.0.0/0 reject-with icmp-port-unreachable
 

wardmundy

Nerd Uno
If it were whitelisted, it should also be further up in the listing. That is the fail2ban entry blocking access.
 

Eliad

Active Member
If it were whitelisted, it should also be further up in the listing. That is the fail2ban entry blocking access.
Yes, it is listed as accepted at the very beginning of the list, but then at the bottom it is listed as blocked. When I try to add it by using the ./add-ip all-access option, the same thing happens: first it lists the IP as accepted, then as blocked. Is there a way to whitelist it for fail2ban too?

The following iptables rules now are in effect for 72.175.xxx.xx:
ACCEPT all -- 72.175.xxx.xx 0.0.0.0/0
ACCEPT all -- 72.175.xxx.xx 0.0.0.0/0
REJECT all -- 72.175.xxx.xx 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 72.175.xxx.xx 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 72.175.xxx.xx 0.0.0.0/0 reject-with icmp-port-unreachable

Eliad

Active Member
I edited /etc/fail2ban/jail.conf and manually added the IP to

ignoreip =

Now it works. I wonder why fail2ban ignores the ACCEPT entry in iptables.
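The two posts above show the same address listed as ACCEPT in INPUT yet REJECTed in fail2ban's f2b-default chain. The script below is an added example, not code from the thread or from IncrediblePBX: it parses constructed `iptables -nL` output (192.0.2.10 and 203.0.113.5 are placeholder addresses standing in for the poster's redacted ones) and walks the chains the way the kernel does, first match wins, following the jump into f2b-default. That walk is why an ACCEPT later in INPUT never helps once fail2ban has inserted a REJECT, and why adding the address to fail2ban's ignoreip (so the REJECT is never created) fixes it.

```python
import ipaddress

# Constructed `iptables -nL` output (not captured from the thread); 192.0.2.10 stands in
# for the poster's redacted whitelisted address, 203.0.113.5 for a second trusted host.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
f2b-default  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.0.2.10           0.0.0.0/0
ACCEPT     all  --  203.0.113.5          0.0.0.0/0

Chain f2b-default (2 references)
target     prot opt source               destination
REJECT     all  --  192.0.2.10           0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_chains(text):
    """Return {chain: [(target, source, extra), ...]} from `iptables -nL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and not line.startswith("target"):
            parts = line.split(None, 5)  # target prot opt source destination [extra]
            chains[current].append((parts[0], parts[3], parts[5] if len(parts) > 5 else ""))
    return chains

def trace(chains, ip, chain="INPUT", path=None):
    """First-match walk for a new connection from `ip`: (verdict or None, rules visited)."""
    path = [] if path is None else path
    addr = ipaddress.ip_address(ip)
    for target, source, extra in chains.get(chain, []):
        if addr not in ipaddress.ip_network(source, strict=False):
            continue
        if extra.startswith(("state ", "ctstate ")) and "NEW" not in extra:
            continue  # conntrack rule a fresh SYN does not hit
        path.append(f"{chain}:{target}")
        if target in TERMINAL:
            return target, path  # verdict reached; later ACCEPTs are never consulted
        if target == "RETURN":
            return None, path  # back to the calling chain
        verdict, path = trace(chains, ip, target, path)  # jump into a user chain
        if verdict:
            return verdict, path
    return None, path  # fell off the end: the chain policy applies
```

Calling `trace(parse_chains(SAMPLE), "192.0.2.10")` returns the REJECT from f2b-default with the path INPUT:f2b-default, f2b-default:REJECT, while 203.0.113.5 passes through RETURN and reaches its ACCEPT in INPUT.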
 

mainenotarynet

Not really a Guru - Just a long time user
Just out of curiosity, WHERE are you running the install FROM? If you run it in the SSH console that VULTR has built in, this is common.

Wipe the instance clean and start over, but this time use something like PuTTY to get in. Incredible locks down to the Public IP (VULTR instance IP) and the IP that runs the script (your HOME public IP [should be; if in the VULTR console, these two are the same]).

I have never seen REJECT lines on my systems, so maybe there is something else as well. IPTables, I believe goes top down - so if your accepts are above the rejects - the rejects take over.

Good luck.

P.S. As I wrote this, you wrote of the jail.conf addition. This kind of makes a little more sense now. If this is a rebuild and you have ANY extensions trying to register to non-existent extensions, Fail2Ban blocks you as the passwords aren't there yet. So whenever I rebuild anything I turn off my SIP lines first, then add the ignore IP and turn my SIP accounts back on (one by one) as I make each extension again.

You may find that if you rebuild and put the ignore IP in first, the REJECT lines will not be there, as I believe that when Fail2Ban adds the IP it will remove it when the jail time expires.

krzykat

Telecom Strategist
You mentioned that when you do an iptables restart - when it goes down you can connect. Can you share your iptables?
 

Eliad

Active Member
I run the install through Bitvise SSH, much easier to copy and paste commands this way. At the end of the second IncrediblePBX install I add a second IP for full access as instructed (one IP is from work and one IP is from home). Then after 10-30 min the problem starts, with one or both whitelisted IPs being blocked. This happens before adding any SIP extension or making any changes to the PBX itself.
Weird. I would have expected the IP added to /etc/sysconfig/iptables or by using ./add-ip to take care of it. At least now I know where the problem resides and how to fix it.
 

Eliad

Active Member
You mentioned that when you do an iptables restart - when it goes down you can connect. Can you share your iptables?
It connects while iptables is in the process of loading and before fail2ban loads. Ward identified it as fail2ban blocking it. Modifying the jail.conf file seems to fix it.
 

wardmundy

Nerd Uno
Whitelist in Fail2Ban fixes it, but the cause of the problem sounds like what @mainenotarynet pointed out. You must have an attempted SIP registration that is triggering Fail2Ban before you get the IP address whitelisted in IPtables.
 
