TRY THIS Travelin' Man3 IPtables Problem

Mohammad Ullah

I have had several local and cloud-based Incredible PBX installs. I have to say that using Incredible PBX with Travelin' Man 3 does make the PBX very secure and rock solid; however, it is a nightmare for remote extensions as well as for adding VoIP providers' IPs. I have tried to add static IPs for the remote extensions using the /root/add-ip command, but it seems like iptables is not being rewritten with the new firewall rules, and when I check status it shows iptables is DN.
 
Please post the results from status or pbxstatus so we all know what type of server we're dealing with. Thanks.
 
Incredible PBX 13-12.2 for CentOS/SL 7

Asterisk: UP Apache: UP MariaDB: UP
SendMail: UP IPtables: UP SSH: UP
LAN port: UP Fail2Ban: UP Webmin: UP

RAM: 30G CentOS Linux v7 Disk:44G

Asterisk 13.7.2 Incredible GUI 12.0.30

Private IP: XX.XX.XXX.XXX

Public IP: XX.XX.XXX.XXX

System Time: Thu Apr 14 15:53:22 EDT 2016



< OK >

I have replaced the IP with XXX

I have added three different remote IPs using the /root/add-ip script and selected 1,2,3,4 to allow SIP, IAX and web for these remote IPs. I am able to access the web but cannot register SIP. However, I can register one of the remote IPs using SIP port 5061 even though all the extensions were configured to listen on 5060.
 
Let's keep it simple until we figure out what the problem is. Set up another add-ip entry as 0 with a new name. No need to delete previous entries. Then at the Linux command prompt, type: iptables -nL and see if it's in the bottom of the list just above the Fail2Ban entries.

 
OK. I did add another name for one of the remote IPs with the all services (0) option. I get these errors:

The following whitelisted services were requested for XXX.XXX.XXX.XXX:
ALL Services
Redirecting to /bin/systemctl restart iptables-persistent.service
Failed to restart iptables-persistent.service: Unit iptables-persistent.service failed to load: No such file or directory.
IP address successfully added to WhiteList.

Also I see this new line on top of the previous entries before the fail2ban entries:

ACCEPT all -- XXX.XXX.XXX.XXX 0.0.0.0/0 (this new entry was added)
ACCEPT udp -- XXX.XXX.XXX.XXX 0.0.0.0/0 udp dpts:5060:5069
ACCEPT tcp -- XXX.XXX.XXX.XXX 0.0.0.0/0 tcp dpts:5060:5069
ACCEPT udp -- XXX.XXX.XXX.XXX 0.0.0.0/0 udp dpt:4569
ACCEPT tcp -- XXX.XXX.XXX.XXX 0.0.0.0/0 multiport dports 8

Note: Actual IP is replaced by XXX.XXX.XXX.XXX
 
When you run iptables-restart, does it show IPtables successfully started? Does it still show down in status? From what you've posted, it looks like the IP address is in the Firewall WhiteList so I suspect you have some other connection problem, e.g. mismatched ports or codecs.
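
Added example (not part of the thread and not Incredible PBX code): the check discussed above, done mechanically by reading `iptables -nL` output and answering whether a source IP has an ACCEPT rule covering a given protocol and port. The helper name `whitelisted_for` and the sample addresses are made up for illustration; it matches exact source IPs only and does not model rule order.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Constructed sample in the column layout
# of `iptables -nL` (target prot opt source destination [match]); the IPs are
# documentation addresses, not values from the posts.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  198.51.100.7         0.0.0.0/0            udp dpts:5060:5069
ACCEPT     tcp  --  198.51.100.7         0.0.0.0/0            tcp dpts:5060:5069
ACCEPT     udp  --  198.51.100.7         0.0.0.0/0            udp dpt:4569
ACCEPT     tcp  --  198.51.100.7         0.0.0.0/0            multiport dports 80,443
ACCEPT     all  --  203.0.113.9          0.0.0.0/0
f2b-SSH    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# whitelisted_for IP PROTO PORT  (hypothetical helper; rules arrive on stdin)
# Prints "yes" if some ACCEPT rule with exactly that source covers PROTO/PORT.
# Limits: no CIDR matching, and rule order / earlier DROPs are not modelled.
whitelisted_for() {
  awk -v ip="$1" -v proto="$2" -v port="$3" '
    function within(lo, hi) { return port + 0 >= lo + 0 && port + 0 <= hi + 0 }
    $1 == "ACCEPT" && $4 == ip && ($2 == "all" || $2 == proto) {
      if (NF == 5) hit = 1                      # no port match: all ports
      for (i = 6; i <= NF; i++) {
        if ($i ~ /^dpt:/)  { split($i, a, ":"); if (within(a[2], a[2])) hit = 1 }
        if ($i ~ /^dpts:/) { split($i, a, ":"); if (within(a[2], a[3])) hit = 1 }
        if ($i == "dports") {                   # multiport list: 80,443,8000:8100
          n = split($(i + 1), list, ",")
          for (j = 1; j <= n; j++) {
            m = split(list[j], r, ":")
            if (within(r[1], (m == 2 ? r[2] : r[1]))) hit = 1
          }
        }
      }
    }
    END { print (hit ? "yes" : "no") }'
}

# Check the constructed sample; on a server, pipe in `iptables -nL` instead.
for probe in "198.51.100.7 udp 5060" "198.51.100.7 tcp 22" "203.0.113.9 udp 5060"; do
  set -- $probe
  printf '%s %s/%s: %s\n' "$1" "$2" "$3" "$(printf '%s\n' "$SAMPLE_RULES" | whitelisted_for "$1" "$2" "$3")"
done
```

A "yes" for udp 5060 here means the firewall whitelist is not what blocks SIP registration, so the next place to look is the endpoint's port and codec settings.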
 
I don't mean to hijack this thread, but I am also having these problems. I just installed PIAF at cloudatcost using the latest instructions, then immediately ran travelin' man 3. I can't seem to 'copy' status, and pbxstatus doesn't work, but IPtables is red and 'DN'. Also, I can't login via a web browser; I didn't try prior to running travelin' man 3. At least I can login, exit, and login again as root.

I ran ./add-fqdn, ./add-ip, 'amportal restart', and iptables-restart.

I think this firewall issue needs to be dealt with successfully, then I'll destroy this VM, wait a few days for cloudatcost to build a new one, and try to take that one more seriously. I suppose I'm pioneering. :) What do you think?
 
I know what you mean about waiting for Cloud at Cost to create your server.

You can practice for free, and re-create servers in minutes, at Digital Ocean. See this post: http://nerdvittles.com/?p=9236

Read: “Getting Started. Let’s walk through the entire process of creating a PBX in a Flash server and adding Incredible PBX 11 using a Digital Ocean droplet, and we’ll assume you hit a Digital Ocean server on a good day. First, you’ll need an account. You can sign up with our referral code and provide a little financial support to the Nerd Vittles project. That doesn’t cost you a dime. Here’s the link. As part of the sign up procedure, you’ll be prompted to enter a coupon code. SSDMAY10 will get you a $10 credit if you hurry. You still need to add at least $5 to your account either using a credit card or PayPal. We strongly recommend that you start with a minimal investment to make certain that Digital Ocean’s performance will meet your requirements. Test it regularly during your free trial period.”

Just create the same type of Linux server that you want to use at CaC and use the same Nerd Vittles tutorial.

When you've got it down pat, trash D/O and install on CaC.

Just a thought...

One more thought:
No matter where you install, make sure to create a copy of the contents of /root/knock.FAQ and keep it on your desk, computer or phone. Knowing this info will keep you from ever being 'locked-out'.
I use "Port Knocker" on my Android phone - it works flawlessly. I also use "JuiceSSH" to access my servers from my phone.
 
I don't mean to hijack this thread, but I am also having these problems. I just installed PIAF at cloudatcost using the latest instructions, then immediately ran travelin' man 3.

What does "then immediately ran travelin' man 3" mean?? It's automatically installed as part of the build. Please document exactly what commands you issued and what the responses were at the completion of each command. Thanks
 
Okay, now I understand there was no need to download and run travelin' man. Here's what I did, from my bash history (with a little clean-up):
./IncrediblePBX*
cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables
./add-fqdn xxx xxx.example.com
passwd
status
./secure-iptables
amportal restart
iptables-restart
status
iptables -nL
I have not yet trashed the server at cloudatcost.com, but I did submit a request already to create a new one (I have several units there now). Also, Robert Thompson makes a really good point, and I can use my time this weekend to create a server (and practice, practice, practice) at Digital Ocean, where I've had an account for years, use all the time, and won't be able to use the coupon codes (but appreciate the suggestion!).

My misunderstanding came from reading this paragraph:
"There are other ways to gain access as well using the PortKnocker utility or Travelin’ Man 4 from a telephone. Both of these are covered in the Incredible PBX 13 tutorial so we won’t repeat it here."
That's when I studied up on that stuff, and followed those steps. Plus some troubleshooting. This is the first time I ever tried to install PIAF in the cloud, so I've been a little paranoid about it.
 
Just follow this tutorial after creating a NEW 512MB CentOS 6.7-64 droplet. Be sure to change all of your passwords. add-ip and add-fqdn scripts already are in place in /root if you need them. Don't make any other improvements.
 
