TIPS Linux firewall Rules in Webmin

jolebole

Member
Joined
Feb 7, 2016
Messages
37
Reaction score
5
Hello again,

I just compared the "Lean" and "Enchilada" FreePBX instances in Webmin and it looks like the IP addresses for all the SIP Trunk providers are missing in the Enchilada version. The trunks do show in FreePBX but no IP addresses in Linux Firewall rules in Webmin. The rules are identical as in the "Lean" version.

Thanks,
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
754
Reaction score
155
Do Not Play in Webmin - the Firewall files are 'scattered' in the new ways.

Use either SSH or even a program like WinSCP and look in /usr/local/sbin -- this is where you will find a file called iptables-custom - this has the Provider IPs and even your allowed IPs (read where the system grabbed the IP of your home computer) is at and any IPs or FQDN entries added with /root/add-ip (name) (ip) or /root/add-fqdn (name) (fqdn.tld)

These files are OUTSIDE of the 'main' iptables file that webmin looks for.
 

jolebole

Member
Joined
Feb 7, 2016
Messages
37
Reaction score
5
Got it. Adding an IP is pretty easy with /root/ip-add command... But can I add a subnet with the same command or no?
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
754
Reaction score
155
ostridge, the iptables are in /usr/local/sbin/iptables_custom in newer (Enchilada on CentOS6.9 - at least on mine anyways)

dhoppy -- OP didn't ask for Ranges -- he asked for subnets -- ip.of.bo.xx su.bn/ne.tX --e.g. 194.23.85.123 255.255.255.0 -- OP wants to whitelist the 255.255.255.0 part -- to that I do not think so, but I am not the expert on this part. Now if I read this wrong - I apologize, but subnet is not the same as an IP range.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
@mainenotarynet - @dhoppy's link is on point. The thread title is for "ranges" but all content discusses subnets.

@ostridge - as @dhoppy's linked thread suggests, you should be fine using CIDR notation with the current commands. The IP validation is liberal enough to allow CIDR. Only caveat is if @wardmundy does not fully sanction such use, a future update could possibly break CIDRs.
 

dhoppy

Active Member
Joined
Mar 9, 2009
Messages
445
Reaction score
181
Forgive me for playing fast and loose with my "subnets" and my "ranges." (I thought a subnet was a range of IPs, that could be expressed in CIDR notation). Oh, and I don't really care about the difference.
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,634
Reaction score
846
All 'subnets' are 'ranges', not all 'ranges' are 'subnets'.

https://en.wikipedia.org/wiki/Subnetwork

If a range is sequential, it is by definition either a 'subnet' or a set of 'subnets'. Subnets can range from /32 (a host) to /0 which would need to be a power of 2 of the initial ip.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
Rules are no longer stored exclusively in rules.v4 or /etc/sysconfig/iptables because you cannot safely restart IPtables with FQDNs embedded there. To see current rules, use:

iptables -nL
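
Added example, not part of any post in this thread: a small Python audit of `iptables -nL` output that lists the whitelisted source networks, shows which entries admit a given address, and flags entries wider than a /24. The sample listing, the addresses in it and all function names are constructed for illustration; `to_cidr` also shows how an address-plus-netmask pair such as the one discussed above maps to CIDR notation.

```python
import ipaddress

# Constructed sample of `iptables -nL` output (addresses are illustrative only).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  194.23.85.0/24       0.0.0.0/0
ACCEPT     udp  --  203.0.113.7          0.0.0.0/0           udp dpt:5060
ACCEPT     all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

def to_cidr(address, netmask):
    """Turn an 'address netmask' pair into the CIDR network containing it."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)

def accepted_sources(listing):
    """Source networks of ACCEPT rules, skipping 'any' (0.0.0.0/0)."""
    nets = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ACCEPT":
            continue  # chain header, column header, or non-ACCEPT rule
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # e.g. a negated source such as "!10.0.0.0/8"
        if net.prefixlen > 0:
            nets.append(net)
    return nets

def admitting_rules(listing, ip):
    """Whitelisted networks that let this source address in."""
    addr = ipaddress.ip_address(ip)
    return [n for n in accepted_sources(listing) if addr in n]

def broad_entries(listing, min_prefix=24):
    """Whitelist entries wider than /min_prefix, worth a second look."""
    return [n for n in accepted_sources(listing) if n.prefixlen < min_prefix]

if __name__ == "__main__":
    print(to_cidr("194.23.85.123", "255.255.255.0"))
    for net in accepted_sources(SAMPLE):
        print(f"{str(net):18} {net.num_addresses} addresses")
    print("wide:", [str(n) for n in broad_entries(SAMPLE)])
```

To audit a live system, pass the captured text of `iptables -nL` to these functions in place of `SAMPLE`.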
 
