Firewall iptables custom rules

Just installed a new box with the latest distro and updated all modules.
Set up some phones and things are working, but…
How can I add some custom rules to do IP forwarding so I can allow my phones to get NTP info and updates directly from a public update server?
I did set /etc/sysctl.conf for IPv4 forwarding (net.ipv4.ip_forward = 1) and I can't find any iptables rules that will allow IP forwarding.
Thanks

You should not need to do anything with the firewall. Are you seeing NTP being blocked?

Yes. I also tried to update a few phones that get their new firmware from the internet, and no go.
Looking at the iptables I don't see any rule that would allow NAT masquerading.
I was expecting something like this:
*nat
# masquerade to public ETH
-A POSTROUTING -o eth0 -j MASQUERADE
# masquerade to public TUNNEL VPN
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
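The masquerade fragment above only covers the nat table. As an added example (not code from this thread or from the FreePBX project), the function below emits a complete iptables-restore fragment that masquerades a phone subnet and forwards only NTP (udp/123) and HTTPS (tcp/443) from it, logging and dropping everything else. It assumes the PBX is the router between the phone network and the internet; the interface names eth4/eth1 are taken from a later post in the thread and the subnet 192.168.50.0/24 is a constructed placeholder.

```shell
#!/bin/sh
# gen_phone_fwd_rules LAN_IF WAN_IF LAN_NET
# Prints an iptables-restore fragment (nat + filter tables). Nothing is applied
# here; apply with `iptables-restore -n < rules.txt` (-n keeps existing rules).
# Caveat: a distro firewall module that regenerates iptables will overwrite
# these unless it is told about them, so check with `iptables-save` afterwards.
gen_phone_fwd_rules() {
  lan_if="$1"; wan_if="$2"; lan_net="$3"
  cat <<EOF
*nat
# masquerade only the phone subnet, and only out of the public interface
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
# return traffic for connections the phones opened themselves
-A FORWARD -i ${wan_if} -o ${lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outbound from the phone subnet: NTP and HTTPS only
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -p udp --dport 123 -j ACCEPT
-A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -p tcp --dport 443 -j ACCEPT
# anything else leaving the phone network is logged, then dropped
-A FORWARD -i ${lan_if} -j LOG --log-prefix "phone-fwd-drop: "
-A FORWARD -i ${lan_if} -j DROP
COMMIT
EOF
}

# Example run with the assumed interfaces and a constructed phone subnet.
gen_phone_fwd_rules eth4 eth1 192.168.50.0/24
```

Pair this with net.ipv4.ip_forward = 1 in /etc/sysctl.conf as the original poster already did; without forwarding enabled the FORWARD rules never see a packet.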

Are your phones internal (inside the firewall and on the same network as the PBX)? Or are your phones connecting via the internet to a remote PBX?

I don't understand why your phones would be pulling firmware from the internet. They should be pulling it from the PBX.

Are you using the FreePBX firewall that came with the distro?

We use internet-based time servers for almost all our phones and don't have any issues.

Yes, all phones are internal. I have Polycom VVX phones whose firmware we can update directly from Polycom.

Yes, I am using the firewall that came with the distro.
I don't understand how your phones can communicate with the internet at all if the firewall won't allow masquerading.

I have attached a laptop to the phone network and tried to ping a public address, and no go.
I see no provision in the firewall configuration to enable masquerading or to add a custom rule.

How is the phone network set up? Modem -> router -> switch? Unless you are using the PBX as a router, the distro firewall will have no effect on the ability of the laptop to connect to the outside world. I guess I just don't know enough about your network to offer any suggestions.

I have the same issue. Was this ever resolved? My setup: phones are on the internal network eth4, and eth1 is the external interface. Phones work, but they are configured to get time from pool.ntp.org and they can't go to the internet. I'm running FreePBX 14 (Sangoma 300) with the firewall module. I am assuming this is an iptables issue or a missing rule.

If your phones are on an internal network that cannot reach the internet, then you have to change the time server the phones use. If you are careful, you can turn on the time server in the PBX and use that.

Thanks Bob. You are 100% correct, it was the time. I started ntpd and everything works now. Thanks.