SOLVED IPtables blocking valid IP

krzykat (Guru)
This is on Incredible 13-12.3 for SL 6.7
IPtables version = v1.4.7
Server Hosted on Vultr

IPtables is whitelisted, and phones register fine. But on occasion, I've found phones being unregistered (about 3 or 4 days later). If I do a service iptables stop, devices start registering again, and then I can start iptables again. Any clues? Where do I even look to find out why this is going on? Very puzzled.
 

AndyInNYC (Active Member)
I have no idea - but have you checked the jailed IPs? Just a thought.
 

krzykat (Guru)
> I have no idea - but have you checked the jailed IPs? Just a thought.

I disabled fail2ban a couple of weeks ago, but it can still happen. I'm still investigating. Hard to track when it happens once a week. I now have a report that will let me know exactly when it occurs, to see if there is any correlation with any cron jobs.
 

krzykat (Guru)
Think I found it ... reading through the iptables, but let's see after I tweak these settings.
I'm going to change the rate limiting parameters to make it 10x less stringent.


Code:
#drop sipvicious attacks
-I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "pplsip" --algo bm
# End sip attacks
# Rate Limiting
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set --name TooManyAttempts
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 101 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name TooManyAttempts -j DROP
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name TooManyAttempts -j DROP
# End Rate Limiting
 
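As an added illustration (not code from the thread), the following Python models the xt_recent `--set` / `--rcheck` pair from the rate-limiting rules above and runs a constructed trace of one phone's NEW-state packets through it, showing why "3 hits in 60 s" blocks an ordinary SIP phone while the commented-out "20 in 600 s" setting does not. The trace timings and the 203.0.113.10 source address are assumptions.

```python
from collections import defaultdict, deque

# xt_recent remembers at most this many timestamps per address (module default).
IP_PKT_LIST_TOT = 20


class RecentTable:
    """Minimal model of one xt_recent list, e.g. --name TooManyAttempts."""

    def __init__(self, remembered=IP_PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=remembered))

    def set(self, src, now):
        # "-m recent --set": stamp this packet's arrival time for its source.
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # "-m recent --rcheck --seconds S --hitcount N": match only if the
        # source has at least N remembered packets no older than S seconds.
        recent = [t for t in self.hits.get(src, ()) if now - t <= seconds]
        return len(recent) >= hitcount


def dropped_packets(new_packet_times, seconds, hitcount, src="203.0.113.10"):
    """Walk a trace of NEW-state packet times through the two rules in order.

    The --set rule always records the packet; the --rcheck ... -j DROP rule is
    then evaluated against a table that already includes it. Returns the
    arrival times the DROP rule would have matched.
    """
    table = RecentTable()
    dropped = []
    for t in new_packet_times:
        table.set(src, t)
        if table.rcheck(src, t, seconds, hitcount):
            dropped.append(t)
    return dropped


# Constructed trace (seconds): one phone whose REGISTER refreshes (every 50 s)
# and qualify/OPTIONS exchanges (every 50 s, offset 20 s) each arrive as a NEW
# conntrack flow, as happens after an idle entry expires or NAT rebinds the port.
PHONE_TRACE = [0, 20, 50, 70, 100, 120, 150, 170, 200, 220]

if __name__ == "__main__":
    print("--seconds 60 --hitcount 3 drops at:", dropped_packets(PHONE_TRACE, 60, 3))
    print("--seconds 600 --hitcount 20 drops at:", dropped_packets(PHONE_TRACE, 600, 20))
```

Note that xt_recent keeps only ip_pkt_list_tot (default 20) stamps per address, so the commented-out `--hitcount 101` rule would be refused when loaded unless that module parameter is raised.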

krzykat (Guru)
> check this thread, it might help

Thanks - been following that thread. I did do an iptables restart each morning to check for any FQDN changes, and it's entirely possible that fail2ban was getting in the middle. I ended up disabling fail2ban and still encountered issues, so I determined that I had too stringent a rate limit, which limited how many 5060 packets I could get from one IP in a time range. No issues in one week now, but if it happens again, I'll update with cause/effect.
 

kenn10 (Guru-ish)
Out of curiosity, what location hosts your Vultr VM? I use one in Atlanta and, fortunately, have not experienced issues. Also, I'm running on CentOS 6.10.
 

krzykat (Guru)
> Out of curiosity, what location hosts your Vultr VM? I use one in Atlanta and, fortunately, have not experienced issues. Also, I'm running on CentOS 6.10.

The majority of my servers are in Atlanta, but as stated, I feel my issue was related to my iptables rate-limiting setting. This was on a server that had worked properly on Vultr for a couple of years. I can't state specifically from the timeline, but I feel that I updated iptables with this and other settings to make it tighter on security, and I feel this is the issue.
 

Eliad (Member)
I use a Vultr server in Seattle. The saga continues for me. I was able to whitelist the IP by adding it to fail2ban/jail.conf, but the hardphone won't register at all. This was a CentOS 6.10 install. Then on a whim I installed IncrediblePBX using the Scientific Linux ISO provided by Ward. So far it seems to work. I did not have to add the IP to fail2ban; just adding the whitelisted IP to iptables worked. The phone registered immediately. So far I am in test mode; I would like to migrate my small 8-line in-house server to Vultr. Hopefully this will work.

I did a test install on OVH and this install gave me no problems at all, but this server is across the country from me.

I am no expert, but as far as I understand there should not be a difference between these installs.
 

Eliad (Member)
> Please post the contents of /etc/rc.local.

This is for the server where I have trouble with the phone not registering.

Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
sleep 5
/root/sig-fix
sleep 5
/usr/local/sbin/iptables-restart
sleep 5
/usr/local/sbin/fwconsole start
sleep 10
exit 0
 

wardmundy (Nerd Uno)
Is the problem phone a SIP phone, cellphone, or what? And where is it located in comparison to the server? Does it share an IP address with any of your PCs that connect to this same server??

Can we also see /usr/local/sbin/iptables-restart.
 

Eliad (Member)
> Is the problem phone a SIP phone, cellphone, or what? And where is it located in comparison to the server? Does it share an IP address with any of your PCs that connect to this same server??
>
> Can we also see /usr/local/sbin/iptables-restart.

I tried a Yealink hardphone to connect to the extension; it does not register. The phone is at work, behind a pfSense firewall. Registration fails to the IncrediblePBX CentOS 6.10 install on Vultr in Seattle.
I tried to paste the iptables-restart, but there is code in it which is detected by the forum as harmful and I cannot paste it in my message.
 

wardmundy (Nerd Uno)
iptables-restart and rc.local look fine.

/var/log/asterisk/full and Asterisk CLI should tell you why the registration is failing. Have you forwarded any ports from the pfsense firewall to the phone? Is UDP 5060 forwarded somewhere else on your pfsense firewall?? What type SIP extension are you attempting to connect to?
 

Eliad (Member)
In the log it states:
Peer '701' is trying to register, but not configured as host=dynamic
Peer is not supposed to register
 

wardmundy (Nerd Uno)
> in the log it states
> Peer '701' is trying to register, but not configured as host=dynamic
> Peer is not supposed to register

Are you trying to register to the default 701 chan_sip extension??

If so, have you changed anything? In the extension settings for 701 under the Advanced tab, what is the Host entry??

What entries have you made for the Yealink side that differ from the defaults? See Step #2 of this PDF guide and compare to your settings.
===================================================

Here's another quick setup guide:

On your Yealink phone, press Menu then 1. You will see its IP address.

Open that address in your browser. You should see a login page. Enter ‘admin’ (without the quotes) for both Username and Password. Click Confirm.

Click the Account tab. Set Line Active to Enabled. Fill in Label and Display Name as desired. Put the extension number (701) into both Register Name and User Name. Put the secret for the extension into Password. Under SIP Server 1, set Server Host to the IP address of your PBX and set the port number to 5060 for chan_sip. Press Confirm.
 

Eliad (Member)
> Are you trying to register to the default 701 chan_sip extension??
>
> If so, have you changed anything? In the extension settings for 701 under the Advanced tab, what is the Host entry??
>
> What entries have you made for the Yealink side that differ from the defaults? See Step #2 of this PDF guide and compare to your settings.
> ===================================================
>
> Here's another quick setup guide:
>
> On your Yealink phone, press Menu then 1. You will see its IP address.
>
> Open that address in your browser. You should see a login page. Enter ‘admin’ (without the quotes) for both Username and Password. Click Confirm.
>
> Click the Account tab. Set Line Active to Enabled. Fill in Label and Display Name as desired. Put the extension number (701) into both Register Name and User Name. Put the secret for the extension into Password. Under SIP Server 1, set Server Host to the IP address of your PBX and set the port number to 5060 for chan_sip. Press Confirm.

It looks like the problem happens during the latest CentOS 6 install.
When you enter the password for extension 701, it overrides all the settings in the Advanced tab with the password you just entered. At least it did for me.
 

wardmundy (Nerd Uno)
Are we talking about running the update-passwords script? How are you setting the ext. 701 password?
Nothing in our script would "override all the settings in the advanced tab."

Are you using pure alphanumeric characters in the password??
 

Eliad (Member)
At the end of the Full Enchilada script, among other things, you are prompted for a password for extension 701. I put in some random characters. I think they were all alpha but I am not sure. I can run the install again and see what happens.

I apologize for all of this. You are doing a great job and I am thankful for all the good work you put into IncrediblePBX.

I hope it is not me making a trivial mistake.
 