TUTORIAL IPtables WhiteList Updater for Remote Sites

I'm using this script to update the ssh, web, etc. iptables rules when the domain's IP changes. Place the script in the crontab and run it every 30 minutes.

Assumptions: This presupposes that you have created FQDNs using a service such as DynDNS for your remote location, and that some sort of dynamic updating software on the same subnet as your remote location keeps the DynDNS IP addresses current. It also assumes that you have blocked ssh, web, etc. access to your server and then added ssh, web, etc. entries to /etc/sysconfig/iptables with the FQDNs of your remote location:


Example for tcp port 22 (ssh) from iptables:

-A INPUT -p tcp -m tcp -s fqdn.dyndns.org --dport 22 -j ACCEPT



#!/bin/bash

# Dynamic DNS name of the remote site, and the file that caches the last IP seen
fqdn="domain.com"
phone="mydomain"

# Take the answer "Address:" line from nslookup (skip the "server#53" line and IPv6)
iptest=$(nslookup "$fqdn" | awk '/^Address:[ \t]*[0-9.]+$/ { ip = $2 } END { print ip }')
# A failed lookup leaves iptest empty; don't restart iptables on an empty value
if [ -z "$iptest" ]; then
    echo "Lookup of $fqdn failed, leaving iptables alone"
    exit 2
fi
# Seed the cache file on the first run so the comparison below has something to read
if [ ! -s "$phone" ]; then
    echo "1.1.1.1" > "$phone"
fi
iplast=$(cat "$phone")
if [ "$iptest" != "$iplast" ]; then
    echo "Don't match"
    echo "Dropped: $iplast"
    echo "Added : $iptest ($phone: $fqdn)"
    # Reloading re-resolves the FQDNs used in /etc/sysconfig/iptables
    service iptables restart
    # Record the new address in the cache file ($phone, not a hardcoded file name)
    echo "$iptest" > "$phone"
    # iptables -nL
    exit 1
else
    echo "Matched: $iptest"
fi
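A hardened variant of the same idea, added here as an example and not the original poster's script: it validates the resolved address before touching the firewall (so resolver error text can never end up in a rule), and keeps the remote site's ACCEPT rules in a dedicated chain that is rewritten on its own, so the rest of the ruleset stays loaded even if DNS is down when the address changes. The chain name REMOTE_SITE, the state-file path and the port list are assumptions; run it from cron with `--run` every 30 minutes as the post suggests.

```shell
#!/bin/bash
# Added example, not the original poster's script: keep the remote site's
# allow rules in their own chain and rewrite only that chain when the
# DynDNS address changes, instead of restarting the whole firewall.
# Assumed one-time setup (hypothetical chain name REMOTE_SITE):
#   iptables -N REMOTE_SITE && iptables -I INPUT -j REMOTE_SITE
FQDN="${FQDN:-fqdn.dyndns.org}"          # dynamic DNS name of the remote site
PORTS="${PORTS:-22/tcp 80/tcp 5060/udp}" # port/proto pairs to allow from it
STATE="${STATE:-/var/run/remote_site.ip}"
IPTABLES="${IPTABLES:-iptables}"         # set to "echo" for a dry run

# Accept only a dotted quad of four 0-255 octets; rejects resolver error text.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    local IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# First IPv4 address for the name via the resolver library; empty on failure.
resolve_fqdn() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Flush the chain and add one ACCEPT per port/proto for the new address.
rewrite_chain() {   # $1 = validated IPv4 address
    "$IPTABLES" -F REMOTE_SITE || return 1
    for entry in $PORTS; do
        "$IPTABLES" -A REMOTE_SITE -s "$1" -p "${entry#*/}" \
            --dport "${entry%/*}" -j ACCEPT || return 1
    done
}

main() {
    local ip last
    ip=$(resolve_fqdn "$FQDN")
    if ! valid_ipv4 "$ip"; then
        echo "Lookup of $FQDN gave '$ip'; leaving the rules unchanged" >&2
        return 2
    fi
    last=$(cat "$STATE" 2>/dev/null)
    if [ "$ip" = "$last" ]; then
        echo "Matched: $ip"
    else
        echo "Changed: ${last:-none} -> $ip, rewriting REMOTE_SITE"
        rewrite_chain "$ip" && echo "$ip" > "$STATE"
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Because the chain is flushed and refilled in place, a lookup failure simply leaves yesterday's address allowed rather than dropping the whole whitelist.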
 
Worked for me. As noted previously, it all depends upon the TTL of the DNS server. If the IP address has changed there, then the iptables reload will catch it. If not, it'll try again in 3 minutes or whatever you set in the crontab entry.

This should be perfect for sites on the Internet such as RentPBX. Now you can completely lock down SIP as well as the other services while preserving remote access.
 
My office has a dynamic IP address at the moment, and I think it's causing our phones to go out frequently. We're getting a static IP in about a week.

From what I can tell, I can use our router to connect to DynDNS and update our IP address as it changes.

So then should I simply hardcode the DynDNS domain into Asterisk somehow?
 

If you have a static IP, you can hardcode the static IP address in iptables.
 
Right, but:
1) We don't have the static IP right now and I would like to get the phones working again (we just moved offices) and
2) So far we've had a lot of trouble with remote extensions, and since our PBX is on RentPBX, ALL of our extensions are remote and we are getting a lot of failed incoming calls. The calls are answered fine by the IVR but then routing them to the extensions fails.

Right now I think the main issue is the frequently changing IP address. Any ideas?
 
Do you have firewall settings for your remote extensions enabled on rentpbx? If so, drop the firewall settings for SIP and make sure you have good extension passwords.

After the above, test your phones, see if the problem(s) go away.

Consider setting up a VPN server on your rentpbx. Connect your remote phones via VPN and never have to deal with DynDNS or dynamic IPs.

Ward's script, mentioned below, is also a great solution. However, if you have a biz with heavy call volume and your IP is changing often, you still might want to consider a VPN.
 
Follow this setup. Works great. Used it in the mountains (very remote) all of last weekend with no problems. You might have to adjust the NAT setting for the remote extensions to yes in FreePBX on RentPBX.com. Other than that, it was simple.
 
Glad to hear it's been officially tested.

Any idea how often your IP changed?
 
You've got to replace ipremote with $phone or it won't work.