SOLVED IPtables blocking valid IP

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
This is on Incredible 13-12.3 for SL 6.7
IPtables version = v1.4.7
Server Hosted on Vultr

IPtable is whitelisted, and phones register fine. But on occasion, I've found phones being unregistered (about 3 or 4 days later). If I do a service iptables stop, devices start registering again, and then I can start iptables again. Any clues? Where do I even look to find out why this is going on? Very puzzled.
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
I have no idea - but have you checked the jailed IPs? Just a thought.
 

krzykat

I have no idea - but have you checked the jailed IPs? Just a thought.

I disabled fail2ban a couple weeks ago, but it can still happen. I'm still investigating. Hard to track when it happens once / week. Now have a report that will let me know exactly when it occurs to see if there is any correlation with any cron jobs.
 

krzykat

Think I found it ... reading through the iptables, but let's see after I tweak these settings.
I'm going to change the rate limiting parameters to make it 10x less stringent.


Code:
#drop sipvicious attacks
# Each rule below is inserted at the top of INPUT (-I) and drops a UDP/5060 packet
# whose payload contains a known scanner User-Agent string (--algo bm = Boyer-Moore).
-I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "pplsip" --algo bm
# End sip attacks
# Rate Limiting
# --set records the source of every NEW UDP/5060 packet in the "TooManyAttempts" list
# (inspect it under /proc/net/xt_recent/TooManyAttempts).
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set --name TooManyAttempts
# Earlier thresholds, kept commented out for reference. Note that 2.6.32-era kernels reject
# a --hitcount larger than the xt_recent ip_pkt_list_tot module parameter (default 20).
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 101 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 --name TooManyAttempts -j DROP
#-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 --name TooManyAttempts -j DROP
# --rcheck drops the packet when this source already has 3 or more hits in the last 60 s.
# The --set rule above has already stamped the current packet, so it counts as one of the 3:
# any source whose packets keep showing up as NEW is blocked on its third hit within a minute.
-A INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 --name TooManyAttempts -j DROP
# End Rate Limiting
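To see which addresses the rate-limit rule above would actually drop, the `-m recent` list can be read back from `/proc/net/xt_recent/TooManyAttempts` and the `--rcheck --seconds 60 --hitcount 3` decision replayed offline. The script below is an added example, not krzykat's rules or any IncrediblePBX code; it assumes the line format the xt_recent module writes (`src=`, `ttl:`, `last_seen:`, `oldest_pkt:`, then the hit timestamps in kernel jiffies) and a kernel HZ of 1000, and the sample table it ships with is constructed, not captured from a real host.

```python
"""Replay an iptables "-m recent --rcheck --seconds S --hitcount N" decision
against the text that the xt_recent module exposes under /proc/net/xt_recent/<name>.

Added example (not from this thread or from IncrediblePBX). Assumptions: the
line format below and HZ = 1000; HZ must match the running kernel's CONFIG_HZ
or the time window will be mis-scaled.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample in the /proc/net/xt_recent format (not captured from a real host).
# 203.0.113.10 stands in for an office phone, 192.0.2.44 for a noisy scanner.
SAMPLE_TABLE = """\
src=203.0.113.10 ttl: 53 last_seen: 4295016000 oldest_pkt: 3 4295010000, 4295015000, 4295016000
src=198.51.100.7 ttl: 64 last_seen: 4295016000 oldest_pkt: 1 4295016000
src=192.0.2.44 ttl: 47 last_seen: 4295015900 oldest_pkt: 8 4295015200, 4295015300, 4295015400, 4295015500, 4295015600, 4295015700, 4295015800, 4295015900
"""

ENTRY_RE = re.compile(
    r"src=(?P<src>\S+) ttl: (?P<ttl>\d+) last_seen: (?P<last_seen>\d+) "
    r"oldest_pkt: (?P<oldest>\d+)(?P<stamps>(?: \d+,?)*)$"
)


@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int      # jiffies of the newest hit
    stamps: list        # jiffies of every remembered hit (at most ip_pkt_list_tot)


def parse_recent_table(text):
    """Parse a whole /proc/net/xt_recent/<name> listing into RecentEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised xt_recent line: %r" % line)
        stamps = [int(s) for s in m.group("stamps").replace(",", " ").split()]
        entries.append(RecentEntry(m.group("src"), int(m.group("ttl")),
                                   int(m.group("last_seen")), stamps))
    return entries


def hits_within(entry, now_jiffies, seconds, hz):
    """Hits no older than `seconds`: the same test that --rcheck --seconds applies."""
    window = seconds * hz
    return sum(1 for s in entry.stamps if now_jiffies - s <= window)


def would_drop(entry, now_jiffies, seconds, hitcount, hz):
    """True when --rcheck --seconds S --hitcount N matches, i.e. the DROP fires.
    In the posted chain the --set rule runs first, so the packet being evaluated
    has already been stamped and counts toward N."""
    return hits_within(entry, now_jiffies, seconds, hz) >= hitcount


def dropped_sources(text, now_jiffies, seconds=60, hitcount=3, hz=1000):
    """Source addresses the rule would drop at `now_jiffies`, in table order."""
    return [e.src for e in parse_recent_table(text)
            if would_drop(e, now_jiffies, seconds, hitcount, hz)]


if __name__ == "__main__":
    # Usage: python3 recent_check.py [/proc/net/xt_recent/TooManyAttempts] [seconds] [hitcount]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    seconds = int(sys.argv[2]) if len(sys.argv) > 2 else 60
    hitcount = int(sys.argv[3]) if len(sys.argv) > 3 else 3
    entries = parse_recent_table(text)
    # Userspace cannot read jiffies directly; the newest last_seen is a close enough "now".
    now = max(e.last_seen for e in entries)
    for e in entries:
        hits = hits_within(e, now, seconds, 1000)
        verdict = "DROP" if hits >= hitcount else "pass"
        print("%-16s hits in last %3ds: %2d  -> %s" % (e.src, seconds, hits, verdict))
```

With the constructed table and the posted 60 s / 3-hit rule, the sample "phone" is dropped on its third packet in a minute just like the scanner, while the 600 s / 20-hit variant drops neither; running the script against the live proc file while a phone is failing shows directly whether this rule, rather than fail2ban, is the one blocking it. Note that `--rcheck` only reads the list; it is the `--set` rule that keeps stamping each NEW packet, so a blocked source stays blocked as long as it keeps retrying within the window.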
 

krzykat

check this thread, it might help

Thanks - been following that thread. I did do an iptable restart each morning for checking any FQDN changes, and that's entirely possible that fail2ban was getting in the middle. I ended up disabling fail2ban and still encountering issues, so I determined that I had a too stringent rate limiting that limited how many 5060 packets I could get from one IP in a time range. No issues in one week now, but if it happens again, I'll update with cause/effect.
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
Out of curiosity, what location hosts your Vultr VM? I use one in Atlanta and, fortunately, have not experienced issues. Also, I'm running on CentOS 6.10.
 

krzykat

Out of curiosity, what location hosts your Vultr VM? I use one in Atlanta and, fortunately, have not experienced issues. Also, I'm running on CentOS 6.10.

Majority of my servers are in Atlanta, but as stated, I feel my issue was related to my IPtables setting of rate limiting. This was on a server that had worked properly on Vultr for a couple of years and I can't state specifically from timeline, but I feel that I updated the iptables with this and other settings to make it tighter on security and feel this is the issue.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I use a Vultr server in Seattle. The saga continues for me. I was able to whitelist the IP by adding them to the fail2ban/jail.conf but the hardphone won't register at all. This was a CentOS 6.10 install. Then on a whim I installed IncrediblePBX using the Scientific Linux ISO provided by Ward. So far it seems to work. I did not have to add the IP to the fail2ban; just adding the whitelisted IP to the iptables worked. The phone registered immediately. So far I am in test mode; I would like to migrate my small 8-line in-house server to Vultr. Hopefully this will work.

I did a test install on OVH and this install gave me no problems at all but this server is across the country for me.

I am no expert; as far as I understand, there should not be a difference between these installs.
 

Eliad

Please post the contents of /etc/rc.local.

This is for the server I have trouble with the phone not registering

Code:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
sleep 5
/root/sig-fix
sleep 5
/usr/local/sbin/iptables-restart
sleep 5
/usr/local/sbin/fwconsole start
sleep 10
exit 0
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Is the problem phone a SIP phone, cellphone, or what? And where is it located in comparison to the server? Does it share an IP address with any of your PCs that connect to this same server??

Can we also see /usr/local/sbin/iptables-restart.
 

Eliad

Is the problem phone a SIP phone, cellphone, or what? And where is it located in comparison to the server? Does it share an IP address with any of your PCs that connect to this same server??

Can we also see /usr/local/sbin/iptables-restart.

I tried a Yealink hardphone to connect to the extension; it does not register. The phone is at work, behind a pfSense firewall. Registration fails to the IncrediblePBX CentOS 6.10 installed on Vultr in Seattle.
I tried to paste the iptables-restart, but there is code in it which is detected by the forum as harmful and I cannot paste it in my message.
 

Eliad

This is iptables-restart in PDF format.
 

Attachments

  • iptables-restart.pdf (198 KB)

wardmundy

iptables-restart and rc.local look fine.

/var/log/asterisk/full and the Asterisk CLI should tell you why the registration is failing. Have you forwarded any ports from the pfSense firewall to the phone? Is UDP 5060 forwarded somewhere else on your pfSense firewall?? What type of SIP extension are you attempting to connect to?
 

Eliad

In the log it states:
Peer '701' is trying to register, but not configured as host=dynamic
Peer is not supposed to register
 

wardmundy

in the log it states
Peer '701' is trying to register, but not configured as host=dynamic
Peer is not supposed to register

Are you trying to register to the default 701 chan_sip extension??

If so, have you changed anything? In the extension settings for 701 under the Advanced tab, what is the Host entry??

What entries have you made for the Yealink side that differ from the defaults? See Step #2 of this PDF guide and compare to your settings.
===================================================

Here's another quick setup guide:

On your Yealink phone, press Menu then 1. You will see its IP address.

Open that address in your browser. You should see a login page. Enter ‘admin’ (without the quotes) for both Username and Password. Click Confirm.

Click the Account tab. Set Line Active to Enabled. Fill in Label and Display Name as desired. Put the extension number (701) into both Register Name and User Name. Put the secret for the extension into Password. Under SIP Server 1, set Server Host to the IP address of your PBX and set the port number to 5060 for chan_sip. Press Confirm.
 

Eliad

Are you trying to register to the default 701 chan_sip extension??

If so, have you changed anything? In the extension settings for 701 under the Advanced tab, what is the Host entry??

What entries have you made for the Yealink side that differ from the defaults? See Step #2 of this PDF guide and compare to your settings.
===================================================

Here's another quick setup guide:

On your Yealink phone, press Menu then 1. You will see its IP address.

Open that address in your browser. You should see a login page. Enter ‘admin’ (without the quotes) for both Username and Password. Click Confirm.

Click the Account tab. Set Line Active to Enabled. Fill in Label and Display Name as desired. Put the extension number (701) into both Register Name and User Name. Put the secret for the extension into Password. Under SIP Server 1, set Server Host to the IP address of your PBX and set the port number to 5060 for chan_sip. Press Confirm.
It looks like the problem happens during the latest CentOS 6 install.
When you enter the password for extension 701 it overrides all the settings in the advanced tab with the password you just entered. At least it did it for me.
 

wardmundy

Are we talking about running the update-passwords script? How are you setting the ext. 701 password?
Nothing in our script would "override all the settings in the advanced tab."

Are you using pure alphanumeric characters in the password??
 

Eliad

At the end of the Full Enchilada script, among other things, you are prompted for a password for extension 701. I put in some random characters. I think they were all alpha but I am not sure. I can run the install again and see what happens.

I apologize for all of this. You are doing a great job and I am thankful for all the good work you put into IncrediblePBX.

I hope it is not me making a trivial mistake.
 
