Travelin' Man 4 lets users dial into a DID that points to extension 864, which prompts the caller for an account number and PIN. Once verified, the caller is prompted to enter an IP address to be WhiteListed in IPtables. The syntax is 12*34*56*78, where * stands in for the periods. Within a couple of minutes, the user will be sent an email confirming that remote access from that IP address has been authorized.
Operating System Requirements:
1. PIAF-Green or Incredible PBX with CentOS 6.x, Scientific Linux 6.x, PIAF OS 3.6.5, or Ubuntu 14
2. Incredible PBX for RasPBX (only BeagleBone Black has been tested)
Software Requirements:
1. Travelin' Man 3 - http://nerdvittles.com/?p=815 (optionally installed with Incredible PBX)
NOTE: Travelin' Man 3 is preinstalled with RasPBX, but you must run /root/secure-iptables and amportal restart to activate it.
2. ODBC add-on to PIAF-Green - http://nerdvittles.com/?p=604 (already included with Incredible PBX for CentOS/SciLinux and latest Ubuntu 14 release)
NOTE: ODBC is not functional and Travelin' Man 3 is dormant as delivered on the RasPBX platform. Issue the following commands to activate both:
Code:
# WARNING: This code is for RasPBX platform only
apt-get -y install unixODBC unixODBC-dev libmyodbc
cd /root
./secure-iptables
amportal restart
wget http://incrediblepbx.com/odbc-raspbx.tar.gz
tar zxvf odbc-raspbx.tar.gz
./mysql-odbc
./mysql-sample
./odbc-gen.sh
amportal restart
Verifying Functioning Prerequisites:
1. iptables -nL (shows a WhiteList is operational with legit IP addresses)
2. Dial 222 and enter 12345 and verify "Uncle Ward" response (shows ODBC works)
DO NOT PROCEED WITH INSTALL UNTIL BOTH PLATFORM & SOFTWARE PREREQUISITES ARE WORKING!!!
Configuration:
Code:
cd /root
mkdir tm4
cd tm4
wget http://incrediblepbx.com/tm4.tgz
tar zxvf tm4.tgz
# Run whichever of the next two lines matches your MySQL root password; the other fails with an access-denied error
mysql -uroot -ppassw0rd < tm4-accounts.sql
mysql -uroot -praspberry < tm4-accounts.sql
sed -i '/\[from-internal-custom\]/r tm4-864' /etc/asterisk/extensions_custom.conf
cat tm4-func >> /etc/asterisk/func_odbc.conf
mkdir /etc/asterisk/tm4
chown asterisk:asterisk /etc/asterisk/tm4
cp tm4-update /root/.
cd /root
/root/odbc-gen.sh
Before you can add WhiteList IP addresses by dialing 864 (TM4), you first must set up some accounts and passwords for authorized users dialing in. Each account supports ONE and only ONE IP address. Each time the account is accessed to add an IP address, it will overwrite any previous WhiteList entry.
To add accounts, run /root/tm4/add-account. Use an 8-digit acctno (all digits, and the first digit must not be zero). Fill in a descriptive name for the account under acctname. Choose a 5-digit PIN (all digits, and the first digit must not be zero). Enter an email address at which the account user will be notified when their new IP address WhiteList entry has been activated in the IPtables firewall. Permission defines which rights this user account will have on the server: 0 means ALL access rights, i.e. SIP, IAX, SSH, etc. If you wish to restrict access for an IP address to only certain services, enter a comma-separated list of the authorized service numbers from the table below, e.g. 1,2,3,4,5 (no spaces!).
Available permissions include:
0 - All Services
1 - SIP (UDP)
2 - SIP (TCP)
3 - IAX
4 - Web
5 - WebMin
6 - FTP
7 - TFTP
8 - SSH
9 - FOP
Travelin' Man 4 is intended to support remote users that need access to your PIAF-Green or Incredible PBX server from sites outside your firewall. The procedure is simple. The user dials into a DID that points to extension 864. Since the 864 extension lives in extensions_custom.conf, you will need to create a Misc Destination called Travelin Man 4 that dials 864 BEFORE this extension can be used in the FreePBX dialplan, either as the target of a dedicated Inbound Route for the DID or perhaps as an IVR option. If you don't have a spare DID to dedicate to TM4, you can obtain one at no cost from IPkall.com.
Once connected to 864, the caller will be prompted for an account number and PIN. Once entered, the credentials will be verified against the TravMan4 DB. If there's a match, the caller will be prompted to enter an IP address to be WhiteListed in IPtables. The syntax is 12*34*56*78, where * stands in for the periods. Once the caller confirms the address, the call will be disconnected and the new IP address will be placed in a queue directory: /etc/asterisk/tm4.
Every 2 minutes, a cron job in /etc/crontab checks the tm4 queue for files. Each file name is the caller's account number, and the file contents are the IP address to be WhiteListed. The tm4-update script handles the rest. If the address has the right number of periods (none missing, none extra), the entry is added to the IPtables file (/etc/sysconfig/iptables) and the firewall is restarted with iptables-restart. The caller is then sent an email confirming or rejecting the WhiteList request.
WARNING: NO FURTHER ERROR CHECKING IS PERFORMED. FOR EXAMPLE, 1234.5678.9999.1 WILL BE ACCEPTED AS LEGITIMATE ADDRESS.
Troubleshooting Tips: If a user reports that an IP address was WhiteListed and they received a confirmation email but they still cannot gain access, the first thing to do is run iptables-restart to determine whether any WhiteListed IP addresses are being rejected for any reason. As noted above, an address such as 1234.5678.9999.1 could be registered and confirmed by email, but IPtables would reject it when the iptables-restart command was executed. The end user would not be alerted to this problem!
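The following is an added example, not part of Travelin' Man 4 or of the tm4-update script, showing the stricter check a practitioner would want in the queue-processing step above: it converts the caller's DTMF entry to dotted form, validates every octet (so 1234.5678.9999.1 is refused before it ever reaches /etc/sysconfig/iptables), refuses addresses that cannot be a remote caller's source, and renders the IPtables ACCEPT lines for the account's permission list. The page names only the services behind permission numbers 1 to 9; the port numbers in SERVICE_PORTS are this example's assumed defaults, and the queue entries at the bottom are constructed sample data. Python 3 standard library only; nothing here touches the live firewall.

```python
# Added example: strict validation of a Travelin' Man 4 queue entry.
# Not the project's own code; the port map below is an assumption.
import ipaddress
import re

# Assumed default ports for the TM4 permission numbers (the page lists
# only the service names, so these ports are this example's assumption).
SERVICE_PORTS = {
    1: ("udp", 5060),   # SIP (UDP)
    2: ("tcp", 5060),   # SIP (TCP)
    3: ("udp", 4569),   # IAX
    4: ("tcp", 80),     # Web
    5: ("tcp", 10000),  # WebMin
    6: ("tcp", 21),     # FTP
    7: ("udp", 69),     # TFTP
    8: ("tcp", 22),     # SSH
    9: ("tcp", 4445),   # FOP
}

# One octet: 0-255 with no leading zeros, so "012" and "1234" both fail.
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
IPV4_RE = re.compile(r"^%s(\.%s){3}$" % (OCTET, OCTET))


def dtmf_to_dotted(entry):
    """Turn the DTMF form 12*34*56*78 into 12.34.56.78 (no validation here)."""
    return entry.strip().replace("*", ".")


def validate_ip(dotted):
    """Return the address if it may be WhiteListed, else None.

    Counting periods alone accepts 1234.5678.9999.1; iptables-restart then
    rejects that line and the caller is never told.  This checks each octet
    and refuses addresses that cannot be a remote caller's source."""
    if not IPV4_RE.match(dotted):
        return None
    addr = ipaddress.IPv4Address(dotted)
    if (addr.is_loopback or addr.is_multicast or addr.is_unspecified
            or addr.is_link_local or addr.is_reserved):
        return None
    return str(addr)


def iptables_rules(ip, permissions):
    """Render the INPUT rules for one WhiteList entry.

    permissions is the add-account string: "0" for every service, or a
    comma-separated list of service numbers such as "1,2,8" (no spaces)."""
    perms = permissions.split(",")
    if perms == ["0"]:
        return ["-A INPUT -s %s -j ACCEPT" % ip]
    rules = []
    for p in perms:
        if not p.isdigit() or int(p) not in SERVICE_PORTS:
            raise ValueError("unknown permission %r" % p)
        proto, port = SERVICE_PORTS[int(p)]
        rules.append("-A INPUT -s %s -p %s --dport %d -j ACCEPT"
                     % (ip, proto, port))
    return rules


def process_entry(acctno, raw_entry, permissions):
    """Emulate one pass over a queue file named <acctno> whose content is
    the caller's DTMF entry.  Returns (accepted, message, rules)."""
    dotted = dtmf_to_dotted(raw_entry)
    ip = validate_ip(dotted)
    if ip is None:
        msg = "account %s: rejected %r, not a usable IPv4 address" % (acctno, dotted)
        return False, msg, []
    return True, "account %s: WhiteListed %s" % (acctno, ip), iptables_rules(ip, permissions)


if __name__ == "__main__":
    # Constructed queue entries in the file-name/contents form described above.
    queue = [
        ("12345678", "12*34*56*78\n", "0"),        # valid, all services
        ("23456789", "1234*5678*9999*1", "1,8"),   # passes a period count, fails here
        ("34567890", "203*0*113*5", "1,2,3"),      # valid, SIP and IAX only
    ]
    for acctno, entry, perms in queue:
        ok, msg, rules = process_entry(acctno, entry, perms)
        print(msg)
        for rule in rules:
            print("   ", rule)
```

Wiring this into the real cron step would mean having tm4-update call validate_ip on each queue file before appending to /etc/sysconfig/iptables, and sending the rejection email at that point rather than only after the period count, so the caller learns about a bad entry before iptables-restart silently drops it.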
Also be sure to alert callers to check their EMAIL SPAM FOLDER for the emails. Gmail in particular is very careful to reject emails from accounts such as root@piaf. These can be whitelisted in Gmail by clicking the down arrow in the search bar and typing @piaf in the From: field. Then click Create Filter with this search. Check the following options: Star It, Never Send It to SPAM, and Always Mark as Important.
To change a WhiteListed address, the caller can call in again with the same credentials and specify a new IP address. To revoke access, the Administrator can manually remove the IP address entry from the /etc/sysconfig/iptables file and run iptables-restart. The admin should also remove the account entry from the TravMan4 Accounts table (using phpMyAdmin or ./del-account) to assure that the caller can no longer call in and add a new WhiteListed IP address.
The following utilities are provided in the /root/tm4 directory to assist with management of accounts for Travelin' Man 4: list-accounts, add-account, del-ipaddress, and del-account. Their functions are self-explanatory, but here they are anyway...
./list-accounts will display a listing of existing accounts in acct name order.
./add-account allows an administrator to add new entries to TravMan4 without resorting to phpMyAdmin.
Syntax: ./add-account acctno "account name" pin email permissions
./del-account allows an administrator to remove an account from TravMan4 and deletes the corresponding WhiteList entry from IPtables, then restarts IPtables.
Syntax: ./del-account acctno
./del-ipaddress allows an administrator to remove an IP address from TravMan4 and also delete corresponding WhiteList entry from IPtables and restart IPtables. The account itself is preserved with existing acctname, pin, email, and permissions.
Syntax: ./del-ipaddress acctno