[FOOD FOR THOUGHT] Iptables and Android/iOS for mobile registration: Another solution

raphou (Member, joined Nov 8, 2008):
Hi all,

I wanted to share with you a solution I successfully put in place to better manage the firewall in the case of frequent IP changes (switching between data and Wi-Fi) on my mobile.


It has been running great for a few weeks now.

===========================================================================
Short-Story
===========================================================================

For a while I have been using a slightly modified version of Travelin'man 3 and it has been mostly good for my needs, except:


Prob 1: I hate captchas
------------------------
Using a service (noip.com and the like) to handle another dynamic DNS for my phone and having to "confirm" it every few weeks. Plus having to install an app specifically for that.


Prob 2: Not quick enough (cron job every x minutes to reload iptables)
----------------------------------------------------------------------
I'm using the excellent Groundwire app to connect to my PBX server, and especially their push notifications for registration (in a nutshell, they register my account on their SIPS server and send a push notification to my phone in case of a call, so my phone can register with my PBX and take the call).
That way, I save a lot of battery as my phone doesn't have to keep an open connection with the PBX.
The problem is that my phone cannot reconnect to my PBX if a call arrives between two cron jobs after a network change.




===========================================================================
Solution : OWNTRACKS (https://owntracks.org/) and MQTT (http://mqtt.org/)
===========================================================================

I already had OwnTracks for some home automation and decided to reuse it.

OwnTracks allows you to keep track of your own location. You can build your private location diary or share it with your family and friends (...)
MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport (...)

--------
Easiest
--------

Server
.......
PBX Server runs Mosquitto server (MQTT server) (https://mosquitto.org/) over SSL with an opened port in iptables.
As for security, you define client ids, username+password and client certificates.
(more here: http://www.steves-internet-guide.com/mqtt-security-mechanisms/)

Phone
.....
Owntracks on your phone is configured to use your server with the correct credentials
(More here: https://owntracks.org/booklet/features/tls/)

How it works (focused on network)
.................................
1/ (Phone) As soon as the network changes, OwnTracks tries to make an initial connection to your server. (As per their doc: when using MQTT, the broker connection is not maintained permanently. A reconnect will be attempted regularly or when a message is sent.)
2/ (Server) The incoming IP is logged and the Mosquitto server publishes a message with details of the connection (amongst them, the origin IP) in a $SYS topic (Mosquitto server health topic).
3/ (Server) A service/script subscribes to that topic and matches the specific username and client id. If matched, it sends an iptables delete command for the old IP and sends an iptables input command with the new IP.

The result is blazing fast (less than a second), so the phone's IP is always allowed through to the PBX.


--------------------
Harder (what I have)
--------------------

Server 1 (IOT)
..............
IOT Server runs Mosquitto server (MQTT server) (https://mosquitto.org/) over SSL with an opened port in iptables.
As for security, you define client ids, username+password and client certificates.
(more here: http://www.steves-internet-guide.com/mqtt-security-mechanisms/)

Server 2 (PBX)
..............
PBX Server SUBSCRIBING to that IOT Server (so no hole in iptables)

Phone
.....
Owntracks on your phone is configured to use your server with the correct credentials
(More here: https://owntracks.org/booklet/features/tls/)

How it works (focused on network)
.................................
1/ (Phone) As soon as the network changes, OwnTracks tries to make a connection to your server.
2/ (IOT Server) The incoming IP is logged and the Mosquitto server publishes a message with details of the connection (amongst them, the origin IP) in a $SYS topic (Mosquitto server health topic).
3/ (PBX Server) A service/script subscribes to that topic on the IOT server and matches the specific username and client id. If matched, it sends an iptables delete command for the old IP and sends an iptables input command with the new IP.
4/ (IOT Server) (Icing on the cake) It updates the DNS for that matching username on the free DigitalOcean DNS service (eg: myphoneuser.dyndns.mydomain.com) (see https://www.digitalocean.com/community/questions/dynamic-dns-with-v2-api-bash-script-using-curl-in-ubuntu)

The result is just as fast (less than a second), so the phone's IP is always allowed through to the PBX.


I will try to put together and clean up my various bits of code here and there.

In the meantime, what do you think about this approach?

Best,
Raph
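The subscriber side of steps 2 and 3 (in both the "Easiest" and "Harder" layouts), written out as an added example. This is not raphou's script and nothing in the thread shows his code. It assumes the Mosquitto broker is configured with `log_dest topic` and `log_type notice`, so that its "New client connected from ..." notices are published on `$SYS/broker/log/N`; the username, client id, broker host, CA file, chain and port are placeholders, and the sample notice lines are constructed in Mosquitto's log format. It only swaps a single ACCEPT rule, and only after the broker has already authenticated the client (TLS plus username/password), so the IP it admits is always tied to a credential you issued.

```shell
#!/bin/sh
# Added example, not raphou's script: watch the Mosquitto $SYS log topic for the
# "New client connected" notice of one known username + client id and move the
# iptables ACCEPT rule for the SIP port from the phone's old IP to its new one.
# Assumed (not stated in the thread): mosquitto.conf has "log_dest topic" and
# "log_type notice" so connection notices appear on $SYS/broker/log/N; the
# user, client id, broker, chain and port below are placeholders.

WATCH_USER="${WATCH_USER:-phoneuser}"        # MQTT username OwnTracks logs in with
WATCH_CLIENT="${WATCH_CLIENT:-raph-phone}"    # OwnTracks client id (must match exactly)
SIP_PROTO="${SIP_PROTO:-tcp}"                 # SIP over TLS registers on tcp/5061
SIP_PORT="${SIP_PORT:-5061}"
CHAIN="${CHAIN:-INPUT}"                       # placeholder; use your PBX's own chain
STATE_FILE="${STATE_FILE:-/var/run/phone-ip.state}"
IPTABLES="${IPTABLES:-iptables}"              # "echo iptables" gives a dry run
BROKER="${BROKER:-broker.example.invalid}"    # placeholder broker hostname
CAFILE="${CAFILE:-/etc/ssl/certs/broker-ca.pem}"
ADMIN_USER="${ADMIN_USER:-firewall-watcher}"  # separate account allowed to read $SYS/#
ADMIN_PASS="${ADMIN_PASS:-}"

# Constructed sample notices in Mosquitto's log format (1.x omits the ":port").
SAMPLE_OLD="1700000000: New client connected from 198.51.100.7 as raph-phone (p2, c1, k60, u'phoneuser')."
SAMPLE_NEW="1700000300: New client connected from 203.0.113.5:51234 as raph-phone (p2, c1, k60, u'phoneuser')."
SAMPLE_OTHER="1700000301: New client connected from 192.0.2.9 as raph-phone2 (p2, c1, k60, u'phoneuser')."

# valid_ipv4 ADDR: four numeric octets, each 0-255 (IPv6 is deliberately not handled)
valid_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# extract_ip LINE: print the source IP when LINE is a connection notice for exactly
# our client id and username; otherwise print nothing and return 1. Anchoring on
# " as <client> (" and "u'<user>'" keeps a look-alike id such as raph-phone2 out.
extract_ip() {
    case $1 in
        *"New client connected from "*" as ${WATCH_CLIENT} ("*"u'${WATCH_USER}'"*) ;;
        *) return 1 ;;
    esac
    ip=$(printf '%s\n' "$1" | sed -n "s/.*New client connected from \([0-9.]*\).*/\1/p")
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# update_firewall NEW_IP: delete the rule for the previously seen IP, insert one for
# NEW_IP and remember it. A reconnect from the same address changes nothing.
update_firewall() {
    new=$1
    valid_ipv4 "$new" || { echo "ignoring malformed address: $new" >&2; return 1; }
    old=""
    if [ -f "$STATE_FILE" ]; then old=$(cat "$STATE_FILE"); fi
    if [ "$old" = "$new" ]; then return 0; fi
    if [ -n "$old" ]; then
        # drop the stale rule first so the allow list never grows past one entry
        $IPTABLES -D "$CHAIN" -s "$old" -p "$SIP_PROTO" --dport "$SIP_PORT" -j ACCEPT 2>/dev/null || true
    fi
    $IPTABLES -I "$CHAIN" -s "$new" -p "$SIP_PROTO" --dport "$SIP_PORT" -j ACCEPT
    printf '%s\n' "$new" > "$STATE_FILE"
}

# watch: subscribe over TLS to the broker's notice log and feed each line through.
watch() {
    mosquitto_sub -h "$BROKER" -p 8883 --cafile "$CAFILE" -u "$ADMIN_USER" -P "$ADMIN_PASS" \
        -t '$SYS/broker/log/N' |
    while IFS= read -r line; do
        ip=$(extract_ip "$line") || continue
        update_firewall "$ip"
    done
}

if [ "${1:-}" = "watch" ]; then watch; fi
```

Run it as `./phone-fw.sh watch` under a process supervisor so it is restarted if the broker connection drops. The account it subscribes with should be a dedicated one whose ACL only grants read on `$SYS/#`, not the OwnTracks credentials, and the state file is what lets the script delete the right old rule after a restart; if it is lost, the previous ACCEPT rule stays until you remove it by hand.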

tbrummell (Guru, joined Jan 8, 2011, Ottawa, Canada):
Interesting solution, but why not just deploy a 13-13 or 16-15 server with PUBLIC instructions? Assuming you are using Incredible and not 3CX.
 

raphou (Member, joined Nov 8, 2008):

tbrummell said:
    Interesting solution, but why not just deploy a 13-13 or 16-15 server with PUBLIC instructions? Assuming you are using Incredible and not 3CX.
Thanks! The main issue is the delay until the cron job refreshes the iptables (via a dig on my FQDN) when the network is changed on my mobile.
 

raphou (Member, joined Nov 8, 2008):
Also, I forgot to mention that my PBX is cloud-based.
They allow us to update the firewall rules at their level by script.
I'm actually thinking about integrating that in my script.
@wardmundy, have you considered this solution in the past?
Thanks !
 

raphou (Member, joined Nov 8, 2008):

tbrummell said:
    Have you read the PUBLIC solution? It allows all sip via FQDN. No need to wait for iptables to update.
I'm on Incredible PBX/FAX 16-15.2 for CentOS 7. I haven't seen that, no.
Well, it is just another/alternative solution that I have presented, which fits my needs and that I wanted to share with the community. That is all...
 

kmcdaniel (Member, joined Jan 23, 2008):

tbrummell said:
    Have you read the PUBLIC solution? It allows all sip via FQDN. No need to wait for iptables to update.
@tbrummell - how do you manage the PBX through the GUI when you deploy the public version? SSH into the system and disable iptables as needed?
 

tbrummell (Guru, joined Jan 8, 2011, Ottawa, Canada):
Use the ./add-ip to allow the IP you want to admin from. If you travel, like I do, I VPN to home, and I VNC to my desktop and admin from there, or add my hotel IP as needed. Depends what I need to do. It's nice that my remote clients just work, no matter where I am, or when I want to use them.
 

kmcdaniel (Member, joined Jan 23, 2008):

tbrummell said:
    Use the ./add-ip to allow the IP you want to admin from. If you travel, like I do, I VPN to home, and I VNC to my desktop and admin from there, or add my hotel IP as needed. Depends what I need to do. It's nice that my remote clients just work, no matter where I am, or when I want to use them.
Would traveling man work with the public install? Could I do the same with add-fqdn?
 
