I don’t want to use the responsive firewall. I know it exists and can allow remote workers in, but I want to be very specific about the IPs I let in.
I am looking to dynamically add authorized IPs to our firewall that have successfully authenticated with our web application. We currently have a URL we can make a request to and get a list of authorized IPs. What we were doing in the past with our old PBX system is making a request to the previously mentioned URL and looping over each one of the IPs and adding them to a whitelist for SIP traffic in our iptables firewall. This method has worked excellently for us for many years and we want to implement this in our current FreePBX installation.
I have already set up a cron job that executes a script every 5 minutes containing the following:
#!/bin/bash
URL="https://example.com/authorizedIPsListURL"
OUTFILE=$(mktemp)
# Start from an empty chain on every run
/sbin/iptables -F fpbxregistrations
# A rule with no match and no target does not affect packets; it only counts them
/sbin/iptables -A fpbxregistrations
wget -q --no-cookies -nv -O "${OUTFILE}" "${URL}" || { rm -f "${OUTFILE}"; exit 255; }
# Every line of the fetched list that starts with a digit is treated as an address to whitelist
egrep '^[0-9]' "${OUTFILE}" | while read -r f
do
    /sbin/iptables -I fpbxregistrations -s "${f}" -j ACCEPT
done
rm "${OUTFILE}"
I can see that the IPs are added, but only temporarily; they seem to be wiped out after a few seconds and I can’t seem to figure out why. I am guessing FreePBX is doing it, but maybe I am setting the rules incorrectly. Can anyone explain why, or how I can make sure that the authorized IPs I add will remain in the chain?
I have read about using the /etc/firewall-4.rules file but it seems that only gets read one time. My initial thought was to just have the cron job update the rules file every 5 minutes but being that it is only read once that wouldn’t work. Any help is greatly appreciated.
I didn’t know that existed, but it looks promising. I will take a look at it and see if it works. Since our script updates the list every 5 minutes, I am curious to see how it would handle it if they already exist in trusted, and how easily I can clear out trusted IPs every 30 days or so and rebuild the list. Thanks for the info, I will report back my findings.
[[email protected] ~]# fwconsole firewall add trusted google.com 4.5.6.7/16
Attempting to add 'google.com' to Zone 'trusted' ... Success!
Attempting to add '4.5.6.7/16' to Zone 'trusted' ... Success!
[[email protected] ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
google.com
4.5.6.7/16
[[email protected] ~]# fwconsole firewall del trusted google.com
Attempting to remove google.com from 'trusted' Zone ... Success!
[[email protected] ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
4.5.6.7/16
Please share your hacks/carefully written scripts with us when you’re done. I once wrote an AGI that would allow you to whitelist an IP by calling the PBX and entering DTMF, but lost it and never recreated it.
So I have been playing around with this for a while and I have it adding IPs to the zones inside the GUI like I want, but it doesn’t add them to iptables until I restart the firewall or FreePBX. I am doing this on a fresh install with the latest software. I also noticed that removing them keeps them inside of iptables as well, which is still allowing the remote connection to work until I restart the firewall. I assume this isn’t the intended behavior, but feel free to correct me if I am wrong.
I am using the fwconsole command as @lgaetz suggested, but when I run iptables -L immediately after adding it, the IP address I just added doesn’t appear.
I am doing these commands and don’t see it added to iptables. However if I go into the GUI and add 8.8.8.8 and then immediately run the iptables -L | grep google command it finds it in the list.
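An added example (not posted by anyone in this thread) that combines the original cron script with the fwconsole zone approach: it fetches the authorized list, diffs it against the IPs currently in the trusted zone and only issues `fwconsole firewall add/del trusted` for the differences, so a 5-minute cron run does not re-add entries that already exist and hostnames added by hand are left alone. The list URL is the placeholder from the first post and the fwconsole path is assumed; as noted above, whether a zone change reaches iptables immediately depends on the firewall module version.

```shell
#!/bin/sh
# Sync the FreePBX 'trusted' zone with an authenticated-IP list (added example).
LC_ALL=C
export LC_ALL
URL="https://example.com/authorizedIPsListURL"      # placeholder from the thread
FWCONSOLE="${FWCONSOLE:-/usr/sbin/fwconsole}"      # assumed path, override via env

# Keep only IPv4 addresses / CIDRs (one per line, sorted) from stdin.
# Headers such as "All entries in zone 'trusted':" and hostnames are dropped.
parse_ip_list() {
  grep -Eo '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?' | sort -u
}

# $1 = file of current zone IPs, $2 = file of desired IPs (both sorted).
# Prints one action per line: "add <ip>" for missing, "del <ip>" for stale.
plan_changes() {
  comm -13 "$1" "$2" | sed 's/^/add /'
  comm -23 "$1" "$2" | sed 's/^/del /'
}

# Reads "add|del <ip>" lines from stdin and applies them to the trusted zone.
apply_changes() {
  while read -r action ip; do
    "$FWCONSOLE" firewall "$action" trusted "$ip"
  done
}

sync_trusted_zone() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  # Same fetch-or-bail behaviour as the original cron script
  wget -q --no-cookies -O "$tmp/raw" "$URL" || exit 255
  parse_ip_list < "$tmp/raw" > "$tmp/desired"
  "$FWCONSOLE" firewall list trusted | parse_ip_list > "$tmp/current"
  plan_changes "$tmp/current" "$tmp/desired" | apply_changes
}

# Cron entry: */5 * * * * /path/to/this.sh --sync
if [ "${1:-}" = "--sync" ]; then
  sync_trusted_zone
fi
```

Because stale IPs are removed, any trusted-zone IP that is not on the fetched list will be deleted on the next run; put permanent exceptions in another zone or on the list itself.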
@lgaetz I want to start running my modified version of the firewall module until my pull request gets merged and released. However I seem to be having difficulty getting it to run with a locally signed key, it just fails to start because the module signature is different and turning off signature checking didn’t help.
I am waiting for my gpg key to be added to the FreePBX trust web, but was looking for a work around until that is complete. The only way I can get the firewall to run with the modified code is to manually add the changes to the file while FreePBX is running but obviously this isn’t a good idea.
Do you have any suggestions or do I have to wait until it is released or my key is signed and added?
I signed the module, and @BigB confirmed it worked - I’ll update phonebo.cx with the link, but here’s the updated module for those that are playing along at home.