
Dynamic IPs added to firewall


(Brandon Brown) #1

I don’t want to use the responsive firewall. I know it exists and can allow remote workers in, but I want to be very specific about the IPs I let in.

I am looking to dynamically add authorized IPs to our firewall that have successfully authenticated with our web application. We currently have a URL we can make a request to and get a list of authorized IPs. What we were doing in the past with our old PBX system was making a request to the previously mentioned URL, looping over each one of the IPs and adding them to a whitelist for SIP traffic in our iptables firewall. This method has worked excellently for us for many years and we want to implement it in our current FreePBX installation.

I have already set up a cron job that executes a script every 5 minutes containing the following:


#!/bin/bash
URL="https://example.com/authorizedIPsListURL"
OUTFILE=$(mktemp)
trap 'rm -f "$OUTFILE"' EXIT

# Download first, so a failed download leaves the existing rules in place
# instead of an emptied chain
wget -q --no-cookies -nv -O "$OUTFILE" "$URL" || exit 255

# Rebuild the chain from the freshly downloaded list
/sbin/iptables -F fpbxregistrations

grep -E '^[0-9]' "$OUTFILE" | while read -r f
do
        /sbin/iptables -I fpbxregistrations -s "$f" -j ACCEPT
done

I can see that the IPs are added, but only temporarily; they seem to be wiped out after a few seconds and I can’t figure out why. I am guessing FreePBX is doing it, but maybe I am setting the rules incorrectly. Can anyone explain why, or how I can make sure that the authorized IPs I add will remain in the chain?

I have read about using the /etc/firewall-4.rules file, but it seems that only gets read one time. My initial thought was to just have the cron job update the rules file every 5 minutes, but given that it is only read once, that wouldn’t work. Any help is greatly appreciated.


(Lorne Gaetz) #2

https://wiki.freepbx.org/display/FPG/Firewall+Command+Line

Are you not able to just:

/usr/sbin/fwconsole firewall trust x.x.x.x

(Brandon Brown) #3

I didn’t know that existed, but it looks promising. I will take a look at it and see if it works. Since our script updates the list every 5 minutes, I am curious to see how it would handle it if they already exist in trusted, and how easily I can clear out trusted IPs every 30 days or so and rebuild the list. Thanks for the info; I will report back my findings.


(Lorne Gaetz) #4

Adding multiple entries with a single command

[root@lorne14-pro ~]# fwconsole firewall add trusted google.com 4.5.6.7/16
Attempting to add 'google.com' to Zone 'trusted' ... Success!
Attempting to add '4.5.6.7/16' to Zone 'trusted' ... Success!

[root@lorne14-pro ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        google.com
        4.5.6.7/16

[root@lorne14-pro ~]# fwconsole firewall del trusted google.com
Attempting to remove google.com from 'trusted' Zone ... Success!
[root@lorne14-pro ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        4.5.6.7/16

Please share your hacks (carefully written scripts) with us when you’re done :grinning: I once wrote an AGI that would allow you to whitelist an IP by calling the PBX and entering DTMF, but lost it and never recreated it.


(Brandon Brown) #5

So I have been playing around with this for a while, and I have it adding IPs to the zones inside the GUI like I want, but it doesn’t add them to iptables until I restart the firewall or FreePBX. I am doing this on a fresh install with the latest software. I also noticed that removing them keeps them inside of iptables as well, which still allows the remote connection to work until I restart the firewall. I assume this isn’t the intended behavior, but feel free to correct me if I am wrong.


(Dave Burgess) #6

If you update the tables directly, you need to reload the tables, but if you use the “fwconsole …” command, it should update the firewall directly.


(Brandon Brown) #7

I am using the fwconsole command as @lgaetz suggested, but when I run iptables -L immediately after adding it, the IP address I just added doesn’t appear.


(Dave Burgess) #8

When you try this, what does it tell you?


(Brandon Brown) #9

It shows me the IP addresses I just added. But I believe this may be pulling it from the database; I could be wrong though.


(Dave Burgess) #10

It’s pulling from the same source the Integrated Firewall is pulling it from.


(Brandon Brown) #11

I am doing these commands and don’t see it added to iptables. However, if I go into the GUI and add 8.8.8.8 and then immediately run the iptables -L | grep google command, it finds it in the list.
[screenshot]

After adding through GUI
[screenshot]


(Lorne Gaetz) #12

Shoot, there may be an open ticket on this. On mobile will link later if no one beats me to it.

edit: ticket is here https://issues.freepbx.org/browse/FREEPBX-18511


(Brandon Brown) #13

I might take a look tonight and see if I can tackle that open ticket.


(Brandon Brown) #14

I opened a pull request that fixes the problem https://github.com/FreePBX/firewall/pull/2


(Brandon Brown) #15

@lgaetz I want to start running my modified version of the firewall module until my pull request gets merged and released. However, I seem to be having difficulty getting it to run with a locally signed key; it just fails to start because the module signature is different, and turning off signature checking didn’t help.

I am waiting for my GPG key to be added to the FreePBX web of trust, but was looking for a workaround until that is complete. The only way I can get the firewall to run with the modified code is to manually add the changes to the file while FreePBX is running, but obviously this isn’t a good idea.

Do you have any suggestions or do I have to wait until it is released or my key is signed and added?


(Lorne Gaetz) #16

Unfortunately I do not, but perhaps @xrobau can provide a pointer as he is very familiar with both firewall and module signing.


(Rob Thomas) #17

Things that run as root have a second level of whitelisting. I saw your pull request and I’ll build you a package with your changes.


(Brandon Brown) #18

Awesome thank you!


(Rob Thomas) #19

I signed the module, and @BigB confirmed it worked - I’ll update phonebo.cx with the link, but here’s the updated module for those that are playing along at home.

https://cdn.phonebo.cx/modules/firewall/firewall-13.0.58.2.tar.gz

I do remember this ORIGINALLY being a design decision, as I was being (in retrospect) overly paranoid, but it seems unwarranted.


(Lorne Gaetz) #20

Quitting after test 1 with 100% success rate:

[root@vvs ~]# fwconsole firewall add trusted 1.2.3.4/32
Attempting to add '1.2.3.4/32' to Zone 'trusted' ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
        1.2.3.4/32

[root@vvs ~]# iptables-save | grep 1.2.3.4
-A fpbxnets -s 1.2.3.4/32 -j zone-trusted

[root@vvs ~]# fwconsole firewall del trusted 1.2.3.4
Attempting to remove 1.2.3.4 from 'trusted' Zone ... Success!

[root@vvs ~]# fwconsole firewall list trusted
All entries in zone 'trusted':

[root@vvs ~]# iptables-save | grep 1.2.3.4
[root@vvs ~]#
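Putting the pieces of the thread together: the original poster's cron job (post #1) rebuilt an iptables chain directly, which the FreePBX firewall overwrites, and the fix confirmed in post #20 makes fwconsole firewall add/del take effect in iptables immediately. The script below is an added example, not code from this thread or from the FreePBX project, of the sync job Lorne asked to see in post #4: it fetches the authorised list, validates every entry before it reaches a root-run command, and reconciles the 'trusted' zone using only the fwconsole subcommands shown above. The list URL, the state file path /var/lib/pbx-trusted-sync/managed, and the assumption that fwconsole accepts and lists host entries in a.b.c.d/32 form (as in post #20) are the example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the thread or the FreePBX project): keep the
# firewall's 'trusted' zone in sync with an authorised-IP list published by a
# web application, using only "fwconsole firewall list|add|del" as shown in
# the thread. Assumptions not stated on the page: $URL returns one IPv4
# address or IPv4/prefix per line; fwconsole keeps hosts as a.b.c.d/32;
# entries this script adds are recorded in $STATE so that entries added by
# hand (LAN ranges etc.) are never removed; URL/FWCONSOLE/STATE may be
# overridden from the environment (the test below uses a stub fwconsole).
set -eu

URL="${URL:-https://example.com/authorizedIPsListURL}"
FWCONSOLE="${FWCONSOLE:-/usr/sbin/fwconsole}"
STATE="${STATE:-/var/lib/pbx-trusted-sync/managed}"
ZONE="trusted"

# Accept only a dotted-quad IPv4 with an optional /0-32 prefix. Anything else
# the endpoint returns is dropped instead of being handed to a root-run command.
valid_entry() {
    local ip=$1 prefix=32 octet
    local re_ip='^([0-9]{1,3}\.){3}[0-9]{1,3}$' re_prefix='^[0-9]{1,2}$'
    case $ip in */*) prefix=${ip#*/}; ip=${ip%%/*} ;; esac
    [[ $prefix =~ $re_prefix ]] || return 1
    (( 10#$prefix <= 32 )) || return 1
    [[ $ip =~ $re_ip ]] || return 1
    local IFS=.
    for octet in $ip; do
        (( 10#$octet <= 255 )) || return 1
    done
}

# Canonical form used for comparisons: bare hosts become a.b.c.d/32
canonical() { case $1 in */*) printf '%s\n' "$1" ;; *) printf '%s/32\n' "$1" ;; esac; }

# Current zone members, parsed from the "fwconsole firewall list ZONE" output
zone_entries() {
    local e
    "$FWCONSOLE" firewall list "$ZONE" </dev/null |
        awk '!/^All entries/ && NF { print $1 }' |
        while read -r e; do canonical "$e"; done
}

# $1: raw downloaded list, $2: output file of validated canonical entries
build_wanted() {
    local raw=$1 out=$2 line
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%$'\r'}
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        line=${line%%[[:space:]]*}              # keep the first field only
        [ -n "$line" ] || continue
        if valid_entry "$line"; then
            canonical "$line" >> "$out"
        else
            echo "ignoring unexpected entry from $URL: $line" >&2
        fi
    done < "$raw"
}

# Add what is authorised but missing; remove what this script added that is
# no longer authorised; leave everything else in the zone alone.
sync_zone() {
    local wanted=$1 current managed e
    current=$(zone_entries)
    managed=$(sort -u "$STATE" 2>/dev/null || true)
    while read -r e; do
        [ -n "$e" ] || continue
        grep -qxF "$e" <<<"$current" && continue
        "$FWCONSOLE" firewall add "$ZONE" "$e" </dev/null || echo "add $e failed" >&2
    done < "$wanted"
    while read -r e; do
        [ -n "$e" ] || continue
        grep -qxF "$e" "$wanted" && continue
        grep -qxF "$e" <<<"$current" || continue
        "$FWCONSOLE" firewall del "$ZONE" "$e" </dev/null || echo "del $e failed" >&2
    done <<<"$managed"
    sort -u "$wanted" > "$STATE"
}

main() {
    local raw wanted
    raw=$(mktemp); wanted=$(mktemp)
    trap "rm -f '$raw' '$wanted'" EXIT
    mkdir -p "$(dirname "$STATE")"
    # Download first: a failed fetch must leave the zone untouched
    wget -q --no-cookies -O "$raw" "$URL" || { echo "download failed, zone unchanged" >&2; exit 1; }
    build_wanted "$raw" "$wanted"
    sync_zone "$wanted"
}

# Cron runs "pbx-trusted-sync sync"; with no verb only the functions are defined
case "${1:-}" in
    sync) main ;;
    "")   ;;
    *)    echo "usage: $0 sync" >&2; exit 64 ;;
esac
```

Two design points worth noting. The zone is reconciled rather than flushed and rebuilt, so a remote user stays whitelisted across runs and an endpoint outage cannot empty the zone; and the endpoint's output is treated as untrusted input, since anything it returns ends up as an argument to a command running as root. Removal is deliberately limited to entries the script recorded in its own state file, which is what lets the 30-day "clear out and rebuild" from post #3 be done simply by deleting that file.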