NEW Incredible 16-15.2 for CentOS 7

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
On server restart IPTables didn't load successfully at all, leaving it wide open. Another iptables-restart at least got the original rules reloaded. Still no access from my work IP after that.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
It's actually worse than I thought, upon iptables-restart all connection to the server is lost, in and out. It can't ping, lookup DNS, nothing. I guess I broke it. LoL I'll leave it in this state, but I only have VPS Console access, so limited in what I can do with it.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@tbrummell Whose platform?? If this is anyNode, they have a serious server issue at the moment. I've opened a ticket.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
I mean, we even lost connection to the IAX modems.... Stopping iptables changes nothing. I'm really at a loss here, unless it's a VPS issue. Nope, my production instance in the same DC and same IP space is up. It's local to this guy I thinks.

2361
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
OK, as near as I can tell it has only loaded the INPUT chain, and not the others, which is where SIP and ICMP is handled if I can read this right. Probably a host of other things too.
Probably time to put this one back in the oven for some more baking. :cheers2:
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Just a heads up that, if you use OVZ7 at anyNode, you'll need to open a ticket to get IPtables functioning properly. This is apparently an issue with the SolusVM Control Panel using OVZ7 VPSs.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Vultr $5 instance.

We did all our development work there so Vultr shouldn't be a problem. It worked well for us.

By the way, CloudAtCost is a complete waste of time with CentOS 7.5 image. Tried 3 times, and called it a day. Incredible PBX 16 LITE will install, but it croaks on the PHP components required for FreePBX 15.
 
Last edited:

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
What I did was:
1. Deploy VM
2. Follow TUT to deploy IPBX16
3. Add 2 extensions in my number range
4. Get pissed off when PJSIP doesn't work with my old endpoints (Aastra 57i's)
5. Remove PJSIP using Advanded Settings in GUI
6. Register via Chan_SIP
7. Call endpoint to endpoint, from same Source IP (same IP allowed in IPTables via install)
8. Deploy GO_PUBLIC16
9. Register 1 endpoint (cell phone) via non-allowed source IP
10. Call endpoint to endpoint
11. Wait overnight
12. Use ./add-ip to add IP in the morning
13. BOOM, it all blew up.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
In PUBLIC mode, you can't register phones by IP address. You have to use the server's FQDN. Whitelisting shouldn't ever be necessary although your IP address is probably blocked by Fail2Ban now. The command to unblock it is in the old tutorial:
Code:
fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
I didn't use IP to register, I used IP to open SSH/HTTP for my work IP.

The IP is not banned, grep'ing iptables yields no IP. It didn't get allowed, or dropped.

As I said in my previous comment, the only thing loaded in IPtables is the INPUT chain, the RMLSET, ASIP chains and others are not loaded, which is why access is completely blown up.

Try deploying what I did and try and add a whitelisted IP (for administration) then issue a iptables-restart or shutdown -r now, you should end up in the same predicament.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
I didn't use IP to register, I used IP to open SSH/HTTP for my work IP.

The IP is not banned, grep'ing iptables yields no IP. It didn't get allowed, or dropped.

As I said in my previous comment, the only thing loaded in IPtables is the INPUT chain, the RMLSET, ASIP chains and others are not loaded, which is why access is completely blown up.

Try deploying what I did and try and add a whitelisted IP (for administration) then issue a iptables-restart or shutdown -r now, you should end up in the same predicament.

Thanks for the catch. Here are the fixes and we'll update the base install...
Code:
echo "Reconfiguring TM3 apps..."
cd /root
wget http://incrediblepbx.com/TM3-16.15-apps.tar.gz
tar zxvf TM3-16.15-apps.tar.gz
rm -f TM3-16.15-apps.tar.gz

echo "Fixing PortKnocker bug..."
sed -i 's|= /sbin|= /usr/sbin|' /etc/knockd.conf
sed -i 's|-A|-I|' /etc/knockd.conf
systemctl restart knockd
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
I'm currently deploying again, I'm at the hylafax install stage. Will the fix be automatically picked up due to the stage I'm at, or go ahead and due the steps mentioned after deploying GO_PUBLIC?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
I'm currently deploying again, I'm at the hylafax install stage. Will the fix be automatically picked up due to the stage I'm at, or go ahead and due the steps mentioned after deploying GO_PUBLIC?

Won't hurt to run them again when you're finished. HylaFax is busted, by the way but it won't hurt to install it. Bugs in FreePBX 15 fax module + faxes never get emailed which may also be a FreePBX bug. Not sure yet.
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
I do like Vultr's speed results:
Code:
Retrieving speedtest.net server list...
Selecting best server based on ping...
Hosted by Beanfield Metroconnect (Toronto, ON) [3.45 km]: 2.386 ms
Testing download speed................................................................................
Download: 5425.93 Mbit/s
Testing upload speed................................................................................................
Upload: 3134.60 Mbit/s
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
After Go_PUBLIC is completed, and server restarted I end up in the same boat.

After server restarts, iptables is essentially empty and allowing full access to the box. Issuing iptables-restart results with the INPUT chain *only* loaded, which knocks out all access to the server.
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
@wardmundy on the enchilada version, take a look at your source. I seem to have wound up with the old version of /root/ipchecker that requires you to code the accounts into the script. I did the download after you fixed the issue with the sound files but have not re-downloaded lately.

*UPDATE*
It appears that applied fixes were logged in the /etc/pbx directory but not actually applied to the new installation. The update-IncrediblePBX script did not execute the patches because it thought they were already applied. I deleted the .updatexxx files and ran the update-IncrediblePBX script and it applied the fixes, including the new ipchecker script.
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
After Go_PUBLIC is completed, and server restarted I end up in the same boat.

After server restarts, iptables is essentially empty and allowing full access to the box. Issuing iptables-restart results with the INPUT chain *only* loaded, which knocks out all access to the server.

When running, GO-PUBLIC-16-15, you're putting in your server's SIP FQDN at both prompts? Correct??
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
When running, GO-PUBLIC-16-15, you're putting in your server's SIP FQDN at both prompts? Correct??
Yes, and I only use 1 FQDN, and I only open 1 SIP URI to Lenny, just cuz. No plans to actually use SIP URI.
 

Members online

No members online now.

Forum statistics

Threads
25,781
Messages
167,507
Members
19,201
Latest member
troutpocket
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Top