Dynamic IPs added to firewall

I don’t want to use the responsive firewall. I know it exists and can allow remote workers in, but I want to be very specific about the IPs I let in.

I am looking to dynamically add authorized IPs to our firewall that have successfully authenticated with our web application. We currently have a URL we can make a request to and get a list of authorized IPs. What we were doing in the past with our old PBX system was making a request to the previously mentioned URL, looping over each one of the IPs and adding them to a whitelist for SIP traffic in our iptables firewall. This method has worked excellently for us for many years and we want to implement it in our current FreePBX installation.

I have already setup a cron job that executes a script every 5 minutes containing the following:


#!/bin/sh
# Fetch the list of authorized IPs and rebuild the SIP whitelist chain.

URL="https://example.com/authorizedIPsListURL"
OUTFILE=$(mktemp)
# Remove the temp file on any exit, including the error exit after wget below.
trap 'rm -f "${OUTFILE}"' EXIT

# Start from an empty chain each run.
/sbin/iptables -F fpbxregistrations
# Appends a rule with no target: it only matches and counts traffic.
/sbin/iptables -A fpbxregistrations

wget -q --no-cookies -nv -O "${OUTFILE}" "${URL}" || exit 255

# One source per line in the fetched list; skip anything that does not start with a digit.
grep -E '^[0-9]' "${OUTFILE}" | while read -r f
do
        /sbin/iptables -I fpbxregistrations -s "${f}" -j ACCEPT
done

I can see that the IPs are added, but only temporarily; they seem to be wiped out after a few seconds and I can’t seem to figure out why. I am guessing FreePBX is doing it, but maybe I am setting the rules incorrectly. Can anyone explain why, or how I can make sure that the authorized IPs I add will remain in the chain?

I have read about using the /etc/firewall-4.rules file, but it seems that only gets read one time. My initial thought was to just have the cron job update the rules file every 5 minutes, but since it is only read once that wouldn’t work. Any help is greatly appreciated.

https://wiki.freepbx.org/display/FPG/Firewall+Command+Line

Are you not able to just:

/usr/sbin/fwconsole firewall trust x.x.x.x

3 Likes

I didn’t know that existed, but it looks promising. I will take a look at it and see if it works. Since our script updates the list every 5 minutes, I am curious to see how it would handle it if they already exist in trusted, and how easily I can clear out trusted IPs every 30 days or so and rebuild the list. Thanks for the info; I will report back my findings.

Adding multiple entries with a single command

[root@lorne14-pro ~]# fwconsole firewall add trusted google.com 4.5.6.7/16
Attempting to add 'google.com' to Zone 'trusted' ... Success!
Attempting to add '4.5.6.7/16' to Zone 'trusted' ... Success!

[root@lorne14-pro ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        google.com
        4.5.6.7/16

[root@lorne14-pro ~]# fwconsole firewall del trusted google.com
Attempting to remove google.com from 'trusted' Zone ... Success!
[root@lorne14-pro ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        4.5.6.7/16

Please share your hacks / carefully written scripts with us when you’re done :grinning: I once wrote an AGI that would allow you to whitelist an IP by calling the PBX and entering DTMF, but lost it and never recreated it.

1 Like
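Putting the two halves of the thread together (the original cron script that fetches the authorized-IP list, and the `fwconsole firewall add/del/list trusted` commands shown above), here is an added example of a sync script; it is not code from the original posts or from the FreePBX project. It assumes the `fwconsole firewall list` output format shown above (a header line followed by one indented entry per line), that `del` accepts the same string `list` prints, and uses constructed placeholder names (`fwsync_*`, the URL argument, the `FWCONSOLE` and `ZONE` variables). Instead of flushing and re-adding everything, it computes the difference between the fetched list and the zone's current IP entries, so entries that already exist are left alone and entries that dropped off the list are removed, which answers the "what if they already exist" question without a periodic wipe. Every entry is validated as a well-formed IPv4 address or CIDR before it is handed to a root-level `fwconsole` call, so an HTML error page or stray text from the list URL can never become a firewall rule.

```shell
#!/bin/sh
# Sync the FreePBX "trusted" zone with an authorized-IP list fetched over HTTPS.
# Example code with assumed names; FWCONSOLE and ZONE can be overridden from the environment.

FWCONSOLE="${FWCONSOLE:-/usr/sbin/fwconsole}"
ZONE="${ZONE:-trusted}"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix, else 1.
fwsync_valid_entry() {
    entry=$1
    addr=${entry%%/*}
    case "$entry" in
        */*) prefix=${entry#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read raw lines on stdin, keep only valid entries, normalise bare hosts to /32
# so the desired and current sets compare like with like, and emit a sorted unique list.
fwsync_filter() {
    tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '')  continue ;;
            */*) entry=$line ;;
            *)   entry="$line/32" ;;
        esac
        if fwsync_valid_entry "$entry"; then printf '%s\n' "$entry"; fi
    done | LC_ALL=C sort -u
}

# Current IP entries of the zone, parsed from "fwconsole firewall list <zone>":
# skip the header line, strip indentation, then validate/normalise like the fetched list.
# Hostname entries (e.g. google.com) are deliberately ignored and so never removed.
fwsync_current() {
    "$FWCONSOLE" firewall list "$ZONE" | sed -n '2,$p' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | fwsync_filter
}

# $1 = sorted desired file, $2 = sorted current file.
fwsync_to_add() { LC_ALL=C comm -23 "$1" "$2"; }   # on the list but not in the zone
fwsync_to_del() { LC_ALL=C comm -13 "$1" "$2"; }   # in the zone but no longer on the list

# Apply the difference with one fwconsole call per change.
fwsync_apply() {
    fwsync_to_add "$1" "$2" | while IFS= read -r ip; do
        "$FWCONSOLE" firewall add "$ZONE" "$ip"
    done
    fwsync_to_del "$1" "$2" | while IFS= read -r ip; do
        "$FWCONSOLE" firewall del "$ZONE" "$ip"
    done
}

# Fetch the list from $1 and reconcile the zone with it.
fwsync_run() {
    tmpdir=$(mktemp -d) || return 1
    if ! wget -q --no-cookies -O "$tmpdir/raw" "$1"; then
        rm -rf "$tmpdir"; return 255          # leave the zone untouched if the fetch fails
    fi
    fwsync_filter < "$tmpdir/raw" > "$tmpdir/desired"
    fwsync_current > "$tmpdir/current"
    fwsync_apply "$tmpdir/desired" "$tmpdir/current"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Only touch the firewall when a URL is given, so the file can also be sourced for testing.
# Usage from cron every 5 minutes: */5 * * * * root /usr/local/sbin/fwsync.sh https://example.com/authorizedIPsListURL
if [ $# -ge 1 ]; then
    fwsync_run "$1"
fi
```

Two design points worth noting: a failed download leaves the zone exactly as it was rather than emptying it, and because only IPv4 entries are managed, anything you add to the zone by hostname stays put; if you also keep a few static IPs in the zone by hand, put them on the server-side list too, or they will be removed on the next run.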

So I have been playing around with this for a while and I have it adding IPs to the zones inside the GUI like I want, but it doesn’t add them to iptables until I restart the firewall or FreePBX. I am doing this on a fresh install with the latest software. I also noticed that removing them keeps them inside of iptables as well, which still allows the remote connection to work until I restart the firewall. I assume this isn’t the intended behavior, but feel free to correct me if I am wrong.

If you update the tables directly, you need to reload the tables, but if you use the “fwconsole …” command, it should update the firewall directly.

I am using the fwconsole command as @lgaetz suggested, but when I run iptables -L immediately after adding it, the IP address I just added doesn’t appear.

When you try this, what does it tell you?

Shows me the IP addresses I just added. But I believe this may be pulling it from the database, I could be wrong though.

It’s pulling from the same source the Integrated Firewall is pulling it from.

I am doing these commands and don’t see it added to iptables. However, if I go into the GUI and add 8.8.8.8 and then immediately run the iptables -L | grep google command, it finds it in the list.

After adding through GUI

Shoot, there may be an open ticket on this. On mobile; will link later if no one beats me to it.

edit: ticket is here https://issues.freepbx.org/browse/FREEPBX-18511

2 Likes

I might take a look tonight and see if I can tackle that open ticket

1 Like

I opened a pull request that fixes the problem https://github.com/FreePBX/firewall/pull/2

2 Likes

@lgaetz I want to start running my modified version of the firewall module until my pull request gets merged and released. However, I seem to be having difficulty getting it to run with a locally signed key; it just fails to start because the module signature is different, and turning off signature checking didn’t help.

I am waiting for my gpg key to be added to the FreePBX trust web, but was looking for a workaround until that is complete. The only way I can get the firewall to run with the modified code is to manually add the changes to the file while FreePBX is running, but obviously this isn’t a good idea.

Do you have any suggestions or do I have to wait until it is released or my key is signed and added?

Unfortunately I do not, but perhaps @xrobau can provide a pointer as he is very familiar with both firewall and module signing.

Things that run as root have a second level of whitelisting. I saw your pull request and I’ll build you a package with your changes.

1 Like

Awesome thank you!

I signed the module, and @BigB confirmed it worked - I’ll update phonebo.cx with the link, but here’s the updated module for those that are playing along at home.

https://cdn.phonebo.cx/modules/firewall/firewall-13.0.58.2.tar.gz

I do remember this ORIGINALLY being a design decision, as I was being (in retrospect) overly paranoid, but it seems unwarranted.

2 Likes

Quitting after test 1 with 100% success rate:

[root@vvs ~]# fwconsole firewall add trusted 1.2.3.4/32
Attempting to add '1.2.3.4/32' to Zone 'trusted' ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        1.2.3.4/32

[root@vvs ~]# iptables-save | grep 1.2.3.4
-A fpbxnets -s 1.2.3.4/32 -j zone-trusted

[root@vvs ~]# fwconsole firewall del trusted 1.2.3.4
Attempting to remove 1.2.3.4 from 'trusted' Zone ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':

[root@vvs ~]# iptables-save | grep 1.2.3.4
[root@vvs ~]#

2 Likes