rentbpx and iptables

dad311

In this article on nerdvittles, the iptables instructions state to configure iptables to allow connections from your home or office IP address. What if your home or office IP address is dynamic? If iptables is configured with your current IP and then your IP changes, you will lose connectivity.

Is there a work around for this?
 
Resolved, I think. If you have a dynamic IP you can use "-s my.domain.com" instead of an IP address.

You will need to run an IP check script on your hosted PBX. I use this one, worked perfectly.

After creating the script, edit the crontab to look something like this:

*/5 * * * * /root/ip-check.sh > /root/ip-check.out

Now your hosted PBX will check the IP of your dynamic home IP address. If it's different than what's in the log, it will update the log and reload iptables on your hosted PBX.
 
If you have a dynamic IP you can use "-s my.domain.com" instead of an IP address.

@dad311, I'm not following what you mean above. In what script do I place the "-s my.domain.com", as it relates to my DNS hostname?

You will need to run an IP check script on your hosted PBX. I use this one, worked perfectly.

After creating the script, edit the crontab to look something like this:

*/5 * * * * /root/ip-check.sh > /root/ip-check.out

Okay, I've installed that script, and yes it works nicely. I also use a couple of other scripts such as ddclient and noip2, as they relate to the dyndns services I'm using for the home pbx on dynamic IPs.

Now your hosted PBX will check the IP of your dynamic home IP address. If it's different than what's in the log, it will update the log and reload iptables on your hosted PBX.

This is the part that I really don't get, and although I think it's related to the reference to the "-s my.domain.com" above, I'm not sure where piaf itself checks for the ip address and is forced to update it and restart iptables.

Might it also be a good idea for me to use sed to change the "ignoreip =" line in /etc/fail2ban/jail.conf too, and then do a reload of fail2ban?

Thanks,

Bradley

 
In the NV article that explains Hosted PBX configuration, I believe it mentioned setting up firewall rules (iptables) so your home IP address never gets locked out and all other unwanted IPs do. This info was great if your home IP was a static address. My home address is dynamic, much like most users. Instead of using -s xxx.xxx.xxx.xxx, I used -s my.domain.com. By doing this, iptables will allow/deny based on my domain, not my IP.

You should not need to use ddclient on the hosted machine because your hosted machine has a static ip. ddclient would only be used for your home network.
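
The mechanism discussed in this thread, as an added example (not the script dad311 linked and not code from the Nerd Vittles article): iptables resolves "-s my.domain.com" once, when the rule is loaded, so a cron job has to notice the address change and reload the rules. The host name, the state file path, the --run switch and "service iptables restart" as the reload command are assumptions.

```shell
#!/bin/sh
# Added example, not the script linked in the thread. Assumptions: the
# host name, state file path, --run switch and reload command below.
HOST="${HOST:-my.domain.com}"
STATE="${STATE:-/root/ip-check.last}"

# iptables resolves "-s my.domain.com" once, when the rule is loaded, so
# the kernel keeps the old address until the rule set is loaded again.
resolve_host() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

reload_firewall() {
    service iptables restart
}

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1 }'
}

# Returns 0 after a reload, 1 if unchanged, 2 if nothing could be done.
check_ip() {
    new=$(resolve_host "$HOST")
    if ! valid_ipv4 "$new"; then
        # A rule naming a host that does not resolve cannot be loaded,
        # so leave the running rules alone and try again next run.
        echo "ip-check: no usable address for $HOST" >&2
        return 2
    fi
    old=$(cat "$STATE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    reload_firewall || return 2
    echo "$new" > "$STATE"   # recorded only after a successful reload
    echo "ip-check: $HOST changed from ${old:-unknown} to $new"
}

# cron: */5 * * * * /root/ip-check.sh --run > /root/ip-check.out
if [ "${1:-}" = "--run" ]; then
    check_ip
    exit $?
fi
```

Between the address change and the next cron run the old address is still the one allowed, so the cron interval is the longest you can be locked out.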
 
