SOLVED Travelin Man not updating whitelist (Green / Asterisk11)

LetMeSee

I have just loaded the green version with Asterisk 11. I installed the incredible package then let the TravelinMan install.

I will admit that I have not configured any Dynamic Moe, Larry or Curly addresses yet, but was trying to get the knock working.

When I go to the web site for Travelin' Man I do get the IP shown and the CORRECT extension (which I did set up in the web script as well as the custom file in etc). However, even though it appears to work it does not.

The web script executes a sudo command to insert the external IP into the IPTables in the WHITELIST chain. This is failing. I tried this from a command line and it states the chain WHITELIST does not exist.

I would expect somewhere I have a messed up install since I would expect a chain WHITELIST to be there with the proper ports linked to it.

Can anyone tell me how to find the source of the whitelist creation and what may have gone wrong? Everything else appears to be working just fine.

Thanks
 
I don't know if it's related, but I did an install last week and couldn't get the endpoint manager to work right.
Actually, the EPM was probably fine; it's just that via ftp or tftp the phones can't reach the server.
 
I did have an issue with the new install, but none that I thought would cause an issue. I have not checked the endpoint manager, but I have moved over my tftp files from my existing server and they were uploaded to the phones I tested alright. That means tftp is working.

The install issue I had was in the menu setup. After the initial install, I could not select the green package. I would get through the first prompt, which was choosing the type of install (VPN...) which I selected the default first item for no special changes. Then there are a few confirming screens then you get a choice for the package. Before I could even down arrow 3 times to the green I got a prompt and the menu was no longer active.

I found the install in /usr/local/sbin and kicked it in. Then I could select and there were no further issues.
 
Well,

I patched it. I have no idea if I'm causing a real security issue (sudo root on asterisk) but here it is:

1: Missing WHITELIST in iptables. - edit the file that creates the tables - /root/secure-iptables and add just above the comment for end of trusted provider section this:
-N WHITELIST

2: Then edit the sudoers file - /etc/sudoers - to add the line
asterisk ALL = NOPASSWD: /sbin/iptables
at the very bottom.
3: Edit the web page - /var/www/travelman/37272/index.php -
change these lines:
exec('sudo /sbin/iptables -D WHITELIST -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A WHITELIST -s '.$thisip.' -j ACCEPT');

to these lines:
exec('sudo /sbin/iptables -D WHITELIST -p udp -m udp -s '.$thisip.' --dport 5060 -j ACCEPT');
exec('sudo /sbin/iptables -A WHITELIST -p udp -m udp -s '.$thisip.' --dport 5060 -j ACCEPT');

I only opened the default single port 5060. This could be done with dports (multiple ports) above or by setting the ports in the iptables chain.
 
Also - don't forget to rerun the patched file ./root/secure-iptables to create the WHITELIST chain in iptables.
 
Please post the output from status so we can figure out what's going wrong. Thanks.
 
I get broken pipe and cannot run status to file.

File "/usr/lib/python2.6/logging/__init__.py", line 800, in emit
self.flush()
File "/usr/lib/python2.6/logging/__init__.py", line 762, in flush
self.stream.flush()
IOError: [Errno 32] Broken pipe
Traceback (most recent call last):
File "/usr/lib/python2.6/logging/__init__.py", line 800, in emit
self.flush()
File "/usr/lib/python2.6/logging/__init__.py", line 762, in flush
self.stream.flush()
IOError: [Errno 32] Broken pipe
 
So what type of server is it, and what have you installed?? Can you not run status either?
 
It is about the 5th reload on a Hyper-V server. I found a few errors and a way around them. This build is stable with calls, google voice in and out as well as faxing in and out.

This is 32 bit. Cent 6.4, 2.11 FreePBX, 2.6.4 Green (6/29/13)

If I load from cd with more than 1 core, I get stuck at the point I can't select the green package (drops to a prompt) and have to continue it using the source in /usr/local/sbin. However, with only 1 core, everything installs right to the point of adding the incred pack.

So I'm going to fire up 2 remaining versions on virtual and see if they produce status.
 
I can run just status. And 1 other vm refuses to run status to file and also runs status after I left the update run or I just type it in.
 
OK final count. All three remaining VM's break in the same place when status to file is run. All three run the updates as well as normal status.

This is on Hyper V 2012, Dual Xeon E5-2670 (32 cores total)
 
[Attached image: status.jpg]
 
Ward, this is my personal office system. If you would like remote access to any or all the VM's I can give you access to my VM Server. I can also open any ports you need to any of the three VM's for WinScp or Putty.

My patch above works well for some remote phones (my son's dorm) but not for my cell phone since the iptables shows 172.sub-174...myvzw.com - proxy. So in the case of my cell phone I will need to use DynDns and a client. Time to configure Moe, Larry and Curly.

Calling it quits for tonight.
 
If I load from cd with more than 1 core, I get stuck at the point I can't select the green package (drops to a prompt) and have to continue it using the source in /usr/local/sbin. However, with only 1 core, everything installs right to the point of adding the incred pack.


If you ever get dumped to a command prompt, simply log in as root and run piafdl to restart things. FYI: This is also covered in the readme.txt file displayed on SourceForge.
 
Follow up.

I had an issue with the revision listed above for the whitelist. Eliminate #3 in my steps above and leave in the original commands:
exec('sudo /sbin/iptables -D WHITELIST -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A WHITELIST -s '.$thisip.' -j ACCEPT');

I'm only allowing a single UDP port 5060 and a few UDP ports in the 10000 to 20000 in my external firewall so that change was redundant - if it worked right.
 
Well,

I patched it. I have no idea if I'm causing a real security issue (sudo root on asterisk) but here it is:

1: Missing WHITELIST in iptables. - edit the file that creates the tables - /root/secure-iptables and add just above the comment for end of trusted provider section this:
-N WHITELIST

2: Then edit the sudoers file - /etc/sudoers - to add the line
asterisk ALL = NOPASSWD: /sbin/iptables
at the very bottom.


I did the above and reran ./secure-iptables, however it stopped my remote phones from connecting, so I removed the -n whitelist and reran secure-iptables and the remote phones connect again. However, I am having the problem that the iptables doesn't restart automatically when I move to a new location (while traveling).
Any other advice how to help this?
 
I did the above and reran ./secure-iptables, however it stopped my remote phones from connecting, so I removed the -n whitelist and reran secure-iptables and the remote phones connect again. However, I am having the problem that the iptables doesn't restart automatically when I move to a new location (while traveling).
Any other advice how to help this?

I ended up using just the normal INPUT section since I could not get the Whitelist section to inherit the allow of the INPUT tables reliably.

So here is the final on my system:
1: Edit the sudoers file - /etc/sudoers - to add the line
asterisk ALL = NOPASSWD: /sbin/iptables
at the very bottom.

2: Edit the web page - /var/www/travelman/37272/index.php -
change these lines:

exec('sudo /sbin/iptables -D WHITELIST -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A WHITELIST -s '.$thisip.' -j ACCEPT');

to these lines:
exec('sudo /sbin/iptables -D INPUT -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A INPUT -s '.$thisip.' -j ACCEPT');

I did not need to restart iptables at all. If you needed to you could do

exec('sudo /sbin/iptables-restart') after the above 2 lines.

Paul
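
The sudoers line in this thread lets the asterisk account run /sbin/iptables as root with any arguments. As an added example (not from the thread and not Travelin' Man code), sudoers can instead allow a single wrapper that accepts only a plain IPv4 address and only edits the WHITELIST chain. The script path, the function names and the choice to put the jump at the top of INPUT are assumptions; a user-defined chain is only consulted when a rule in INPUT jumps to it.

```shell
#!/bin/sh
# Added example, not Travelin' Man code. Hypothetical wrapper, assumed to be
# installed as /usr/local/sbin/whitelist-ip so sudoers can allow only it:
#   asterisk ALL = NOPASSWD: /usr/local/sbin/whitelist-ip
CHAIN=WHITELIST
IPTABLES=${IPTABLES:-/sbin/iptables}

# Succeeds only for a plain dotted-quad IPv4 address (four octets, 0-255, no
# leading zeros). The body runs in a subshell so the IFS change cannot leak.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # digits and single dots only
    esac
    IFS=.
    set -- $1                                 # split the address into octets
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in 0?*|????*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

apply_whitelist() {
    valid_ipv4 "$1" || { echo "rejected: not a plain IPv4 address" >&2; return 2; }
    # Create the chain if it is missing (the error when it exists is ignored).
    "$IPTABLES" -N "$CHAIN" 2>/dev/null || true
    # Delete-then-insert keeps exactly one jump from INPUT to the chain.
    # Position 1 (ahead of every other INPUT rule) is an assumption.
    "$IPTABLES" -D INPUT -j "$CHAIN" 2>/dev/null || true
    "$IPTABLES" -I INPUT 1 -j "$CHAIN"
    # Same delete-then-append pattern as the index.php lines quoted above,
    # so repeated visits from one address do not stack duplicate rules.
    "$IPTABLES" -D "$CHAIN" -s "$1/32" -j ACCEPT 2>/dev/null || true
    "$IPTABLES" -A "$CHAIN" -s "$1/32" -j ACCEPT
}

# Act only when called with an address, e.g. from index.php through sudo.
if [ $# -gt 0 ]; then apply_whitelist "$1"; fi
```

With this in place index.php would call the wrapper through sudo, passing the address through escapeshellarg(), and the broad /sbin/iptables sudoers entry is no longer needed.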
 
Also...

Hyper-V implementation of PIAF has been active in production for a week now with no issues. The SPA3002's on the other hand did kick me with a few settings issues - since I went from an internal card to external SPA3002 units + GV. Had to disable the jitter settings since I was connected to a cable company's POTS line. Also echo is handled by them so that was an issue as well.

However, this latest build seems very stable.
 
Hi Paul,
above you said you were having issues when you changed the
2: Edit the web page - /var/www/travelman/37272/index.php -
change these lines:

exec('sudo /sbin/iptables -D WHITELIST -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A WHITELIST -s '.$thisip.' -j ACCEPT');

to these lines:
exec('sudo /sbin/iptables -D INPUT -s '.$thisip.' -j ACCEPT');
exec('sudo /sbin/iptables -A INPUT -s '.$thisip.' -j ACCEPT');

and that we should NOT do it, now you are saying to do it, which one is it?

I did everything else and still I have to issue iptables restart in order for my iptables to update with the new IP address, and then my remote phone connects. Any other ideas?
 
