Firewall continuously identifies trusted IP addresses as attackers and blocks

I suppose wherever marking a subnet as Trusted under Firewall - Networks and whether or not making fail2ban sync from those networks. I am assuming this:

Chain fpbxnets
.
.
30 zone-trusted all – 10.1.6.0/24

Without knowing the full iptables rules, there is no way to know. But you are apparently not alone in having this problem, maybe file a bug report.


Next time it gets wrapped around the axle, I'll run that. I bet something is updating / restarting that relies on timing from some script and loses track of its place in line.

You should do that before the problem

iptables -L -n --line-numbers > beforeproblem

then do it after

iptables -L -n --line-numbers > afterproblem

then postmortem, you can

diff beforeproblem afterproblem|less

. . . .

Just had an IP in the “TRUSTED Network” get blocked in the blocked hosts section of the firewall.

It’s my understanding that others have this issue. I noticed there was a tracker opened but it seems to point me in the direction of some github file. I have no problem trying that, but I am not familiar with how to pull or add git files to the PBX. It's similar to what's happening here

https://issues.freepbx.org/browse/FREEPBX-22170


It seems like iptables may be getting messed up. Reboot and it should temporarily fix it. When it's up and running, do what dicko said immediately above and maybe someone will be able to identify where it is going wrong.

Just to make sure I understand, reboot the system. When it is back up, run the first line. When it messes up, run the second line. Then run the 3rd to find out what's different?

Yes. I am doing the same thing - waiting for it to start blocking again. Maybe someone who knows the back end will be able to figure out why these things are getting all messed up like this.

Here it is misbehaving again. Here is the diff. Is this useful?

33c33,51
< 1 RETURN all – 0.0.0.0/0 0.0.0.0/0

1 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
6 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
7 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
8 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
9 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
10 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
11 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
12 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
13 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
14 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
15 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
16 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
17 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
18 REJECT all – x 0.0.0.0/0 reject-with icmp-port-unreachable
19 RETURN all – 0.0.0.0/0 0.0.0.0/0
127c145
< 2 zone-trusted all – x 0.0.0.0/0


2 zone-trusted all – x 0.0.0.0/0
129c147
< 4 zone-trusted all – x 0.0.0.0/0


4 zone-trusted all – x 0.0.0.0/0
131c149
< 6 zone-trusted all – x 0.0.0.0/0


6 zone-trusted all – x 0.0.0.0/0
133,137c151,157
< 8 zone-trusted all – x 0.0.0.0/0
< 9 zone-trusted all – x 0.0.0.0/0
< 10 zone-trusted all – x 0.0.0.0/0
< 11 zone-trusted all – x 0.0.0.0/0
< 12 zone-trusted all – x 0.0.0.0/0


8 zone-trusted all – x 0.0.0.0/0
9 zone-trusted all – x 0.0.0.0/0
10 zone-trusted all – x 0.0.0.0/0
11 zone-trusted all – x 0.0.0.0/0
12 zone-trusted all – x 0.0.0.0/0
13 zone-trusted all – x 0.0.0.0/0
14 zone-trusted all – x 0.0.0.0/0
366c386
< Chain zone-trusted (13 references)


Chain zone-trusted (15 references)

If posting logs, configurations, etc., inline, please mark them up as pre-formatted text, like this:

33c33,51
< 1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
---
> 1    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 2    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 3    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 4    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 5    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 6    REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 7    REJECT     all  --  x          0.0.0.0/0            reject-with icmp-port-unreachable
> 8    REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 9    REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 10   REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 11   REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 12   REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 13   REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 14   REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 15   REJECT     all  --  x       0.0.0.0/0            reject-with icmp-port-unreachable
> 16   REJECT     all  --  x          0.0.0.0/0            reject-with icmp-port-unreachable
> 17   REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 18   REJECT     all  --  x        0.0.0.0/0            reject-with icmp-port-unreachable
> 19   RETURN     all  --  0.0.0.0/0            0.0.0.0/0
127c145
< 2    zone-trusted  all  --  x          0.0.0.0/0
---
> 2    zone-trusted  all  --  x         0.0.0.0/0
129c147
< 4    zone-trusted  all  --  x        0.0.0.0/0
---
> 4    zone-trusted  all  --  x          0.0.0.0/0
131c149
< 6    zone-trusted  all  --  x          0.0.0.0/0
---
> 6    zone-trusted  all  --  x        0.0.0.0/0
133,137c151,157
< 8    zone-trusted  all  --  x         0.0.0.0/0
< 9    zone-trusted  all  --  x       0.0.0.0/0
< 10   zone-trusted  all  --  x        0.0.0.0/0
< 11   zone-trusted  all  --  x         0.0.0.0/0
< 12   zone-trusted  all  --  x         0.0.0.0/0
---
> 8    zone-trusted  all  --  x          0.0.0.0/0
> 9    zone-trusted  all  --  x        0.0.0.0/0
> 10   zone-trusted  all  --  x        0.0.0.0/0
> 11   zone-trusted  all  --  x       0.0.0.0/0
> 12   zone-trusted  all  --  x       0.0.0.0/0
> 13   zone-trusted  all  --  x         0.0.0.0/0
> 14   zone-trusted  all  --  x         0.0.0.0/0
366c386
< Chain zone-trusted (13 references)
---
> Chain zone-trusted (15 references)

For others dealing with this problem, you can recover the raw markup by replacing the first and second URL path components by raw, e.g. https://community.freepbx.org/raw/85997/29

This doesn’t look at all right. It has repeatedly added rules to reject everything, when it should be adding ones to reject specific addresses.

(I would though, also have wanted to see the table names, and probably the whole of the INPUT one.)


Indeed it’s very screwy somehow, a diff without the originals makes it hard to diagnose, as the order of chains ALLOWING or DROPPING is imperative to know

I think this may be more helpful…

Initial configuration
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – a.a.a.a 0.0.0.0/0
2 zone-trusted all – u.u.u.u 0.0.0.0/0
3 zone-trusted all – b.b.b.b 0.0.0.0/0
4 zone-trusted all – v.v.v.v 0.0.0.0/0
5 zone-trusted all – c.c.c.c 0.0.0.0/0
6 zone-trusted all – w.w.w.w 0.0.0.0/0
7 zone-trusted all – d.d.d.d 0.0.0.0/0
8 zone-trusted all – x.x.x.x 0.0.0.0/0
9 zone-trusted all – e.e.e.e 0.0.0.0/0
10 zone-trusted all – y.y.y.y 0.0.0.0/0
11 zone-trusted all – f.f.f.f 0.0.0.0/0
12 zone-trusted all – z.z.z.z 0.0.0.0/0

Malfunctioning:
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – a.a.a.a 0.0.0.0/0
2 zone-trusted all – a.a.a.a 0.0.0.0/0
3 zone-trusted all – b.b.b.b 0.0.0.0/0
4 zone-trusted all – b.b.b.b 0.0.0.0/0
5 zone-trusted all – c.c.c.c 0.0.0.0/0
6 zone-trusted all – c.c.c.c 0.0.0.0/0
7 zone-trusted all – d.d.d.d 0.0.0.0/0
8 zone-trusted all – d.d.d.d 0.0.0.0/0
9 zone-trusted all – g.g.g.g(new) 0.0.0.0/0
10 zone-trusted all – g.g.g.g(new) 0.0.0.0/0
11 zone-trusted all – e.e.e.e 0.0.0.0/0
12 zone-trusted all – e.e.e.e 0.0.0.0/0
13 zone-trusted all – f.f.f.f 0.0.0.0/0
14 zone-trusted all – f.f.f.f 0.0.0.0/0

This is where all of my Trusted Zones are whitelisted. When I started, all were there as would be expected. When it started blocking my phones, you will see that it duplicates every other one twice (a,b,c,d,e,f) and omits every other one (u,v,w,x,y,z). G was added between the two iptables dumps. a,b,c,d,e,f,u,v,w,x,y,z were there start to finish without being messed with. It seems that for whatever reason when it deleted or overwrote u,v,w,x,y,z it started blocking those phones.

I can upload the whole things but between the two of them, it's 3-400 lines.
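A chain-aware comparison of the two snapshots discussed in this thread, added here as an example; it is not code from any poster or from FreePBX. It groups the `iptables -L -n --line-numbers` output by chain and ignores rule numbers, so renumbering does not hide which rules were dropped, added or duplicated. The sample listings are constructed with documentation addresses.

```python
import re
import sys
from collections import Counter

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Return {chain: [rule, ...]} from `iptables -L -n --line-numbers` output.

    Each rule is the listing line with its leading rule number removed and
    whitespace collapsed, so the same rule at a new position compares equal.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        match = CHAIN_RE.match(line)
        if match:
            current = match.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Skip blank lines and the "num target prot opt ..." column header.
        if current is None or not fields or not fields[0].isdigit():
            continue
        chains[current].append(" ".join(fields[1:]))
    return chains


def compare(before_text, after_text):
    """Report, per chain, rules removed, added, or present more than once."""
    before = parse_listing(before_text)
    after = parse_listing(after_text)
    report = {}
    for chain in sorted(set(before) | set(after)):
        old = Counter(before.get(chain, []))
        new = Counter(after.get(chain, []))
        entry = {
            "removed": sorted(r for r in old if r not in new),
            "added": sorted(r for r in new if r not in old),
            "duplicated": sorted(r for r, n in new.items() if n > 1),
        }
        if any(entry.values()):
            report[chain] = entry
    return report


# Constructed sample: same shape as the fpbxnets problem in this thread.
BEFORE = """\
Chain fail2ban-SIP (1 references)
num  target     prot opt source               destination
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fpbxnets (1 references)
num  target     prot opt source               destination
1    zone-trusted  all  --  192.0.2.10           0.0.0.0/0
2    zone-trusted  all  --  198.51.100.20        0.0.0.0/0
3    zone-trusted  all  --  192.0.2.30           0.0.0.0/0
4    zone-trusted  all  --  198.51.100.40        0.0.0.0/0
"""

AFTER = """\
Chain fail2ban-SIP (1 references)
num  target     prot opt source               destination
1    REJECT     all  --  198.51.100.77        0.0.0.0/0   reject-with icmp-port-unreachable
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain fpbxnets (1 references)
num  target     prot opt source               destination
1    zone-trusted  all  --  192.0.2.10           0.0.0.0/0
2    zone-trusted  all  --  192.0.2.10           0.0.0.0/0
3    zone-trusted  all  --  192.0.2.30           0.0.0.0/0
4    zone-trusted  all  --  192.0.2.30           0.0.0.0/0
5    zone-trusted  all  --  203.0.113.0/24       0.0.0.0/0
6    zone-trusted  all  --  203.0.113.0/24       0.0.0.0/0
"""

if __name__ == "__main__":
    # Usage: script.py beforeproblem afterproblem (falls back to the sample).
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
            result = compare(f_before.read(), f_after.read())
    else:
        result = compare(BEFORE, AFTER)
    for chain, entry in result.items():
        print("Chain", chain)
        for kind in ("removed", "added", "duplicated"):
            for rule in entry[kind]:
                print("  %-10s %s" % (kind, rule))
```

A trusted network that shows up under `removed` for `fpbxnets` while its neighbours show up under `duplicated` is the pattern described in the post above.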

Just want to shoot this out again. It seems the info below is where the iptables is getting messed up. Any suggestions?

I think this may be more helpful…

Initial configuration
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – a.a.a.a 0.0.0.0/0
2 zone-trusted all – u.u.u.u 0.0.0.0/0
3 zone-trusted all – b.b.b.b 0.0.0.0/0
4 zone-trusted all – v.v.v.v 0.0.0.0/0
5 zone-trusted all – c.c.c.c 0.0.0.0/0
6 zone-trusted all – w.w.w.w 0.0.0.0/0
7 zone-trusted all – d.d.d.d 0.0.0.0/0
8 zone-trusted all – x.x.x.x 0.0.0.0/0
9 zone-trusted all – e.e.e.e 0.0.0.0/0
10 zone-trusted all – y.y.y.y 0.0.0.0/0
11 zone-trusted all – f.f.f.f 0.0.0.0/0
12 zone-trusted all – z.z.z.z 0.0.0.0/0

Malfunctioning:
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – a.a.a.a 0.0.0.0/0
2 zone-trusted all – a.a.a.a 0.0.0.0/0
3 zone-trusted all – b.b.b.b 0.0.0.0/0
4 zone-trusted all – b.b.b.b 0.0.0.0/0
5 zone-trusted all – c.c.c.c 0.0.0.0/0
6 zone-trusted all – c.c.c.c 0.0.0.0/0
7 zone-trusted all – d.d.d.d 0.0.0.0/0
8 zone-trusted all – d.d.d.d 0.0.0.0/0
9 zone-trusted all – g.g.g.g(new) 0.0.0.0/0
10 zone-trusted all – g.g.g.g(new) 0.0.0.0/0
11 zone-trusted all – e.e.e.e 0.0.0.0/0
12 zone-trusted all – e.e.e.e 0.0.0.0/0
13 zone-trusted all – f.f.f.f 0.0.0.0/0
14 zone-trusted all – f.f.f.f 0.0.0.0/0

This is where all of my Trusted Zones are whitelisted. When I started, all were there as would be expected. When it started blocking my phones, you will see that it duplicates every other one twice (a,b,c,d,e,f) and omits every other one (u,v,w,x,y,z). G was added between the two iptables dumps. a,b,c,d,e,f,u,v,w,x,y,z were there start to finish without being messed with. It seems that for whatever reason when it deleted or overwrote u,v,w,x,y,z it started blocking those phones.

I can upload the whole things but between the two of them, it's 3-400 lines.

I suspect you have a rule in iptables PREVIOUS to these which is ‘blocking’ (possible F2B)

iptables -L|grep ^Chain

before:

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-PBX-GUI all – 0.0.0.0/0 0.0.0.0/0
2 fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 fail2ban-apache-auth all – 0.0.0.0/0 0.0.0.0/0
4 fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
5 fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 fail2ban-api tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
7 fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
8 fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
9 fpbxfirewall all – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-BadBots (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-api (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fpbx-rtp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
2 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:4999

Chain fpbxattacker (6 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: ATTACKER side: source mask: 255.255.255.255
2 DROP all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxblacklist (1 references)
num target prot opt source destination
1 REJECT all – 109.236.88.47 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all – 163.172.199.135 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all – 185.53.88.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all – 46.166.151.168 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all – 77.234.46.254 0.0.0.0/0 reject-with icmp-port-unreachable

Chain fpbxchecktempwhitelist (1 references)
num target prot opt source destination
1 fpbxtempwhitelist all – 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255

Chain fpbxfirewall (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 connmark match ! 0x20 state RELATED,ESTABLISHED
3 ACCEPT icmp – 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all – 0.0.0.0/0 255.255.255.255
5 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
6 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7 fpbx-rtp all – 0.0.0.0/0 0.0.0.0/0
8 fpbxblacklist all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsignalling all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsmarthosts all – 0.0.0.0/0 0.0.0.0/0
11 fpbxregistrations all – 0.0.0.0/0 0.0.0.0/0
12 fpbxnets all – 0.0.0.0/0 0.0.0.0/0
13 fpbxhosts all – 0.0.0.0/0 0.0.0.0/0
14 fpbxinterfaces all – 0.0.0.0/0 0.0.0.0/0
15 fpbxreject all – 0.0.0.0/0 0.0.0.0/0
16 fpbxrfw all – 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0x2
17 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 lefilter tcp – 0.0.0.0/0 0.0.0.0/0 match-set lefilter dst
19 fpbxlogdrop all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxhosts (1 references)
num target prot opt source destination
1 zone-trusted all – 127.0.0.1 0.0.0.0/0

Chain fpbxinterfaces (1 references)
num target prot opt source destination
1 zone-external all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxknownreg (0 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
2 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
3 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
4 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
5 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
6 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1
7 fpbxsvc-ucp all – 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-zulu all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-restapps all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-restapps_ssl all – 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-api all – 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-api_ssl all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxlogdrop (1 references)
num target prot opt source destination
1 DROP all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – x.x.1.16 0.0.0.0/0
2 zone-trusted all – x.x.2.1 0.0.0.0/0
3 zone-trusted all – x.x.197.2 0.0.0.0/0
4 zone-trusted all – x.x.2.149 0.0.0.0/0
5 zone-trusted all – x.x.2.128 0.0.0.0/0
6 zone-trusted all – x.x.248.73 0.0.0.0/0
7 zone-trusted all – x.x.2.222 0.0.0.0/0
8 zone-trusted all – x.x.15.223 0.0.0.0/0
9 zone-trusted all – x.x.2.0/24 0.0.0.0/0
10 zone-trusted all – x.x.17.0/24 0.0.0.0/0
11 zone-trusted all – x.x.0.0/24 0.0.0.0/0
12 zone-trusted all – x.x.3.0/24 0.0.0.0/0

Chain fpbxratelimit (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0x4
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 all – 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
4 all – 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
5 LOG all – 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
6 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
7 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
9 fpbxshortblock all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
10 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxregistrations (1 references)
num target prot opt source destination

Chain fpbxreject (1 references)
num target prot opt source destination
1 rejsvc-nfs all – 0.0.0.0/0 0.0.0.0/0
2 rejsvc-smb all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxrfw (1 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: DISCOVERED side: source mask: 255.255.255.255
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
4 fpbxchecktempwhitelist all – 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
5 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
6 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: REPEAT side: source mask: 255.255.255.255
7 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
9 fpbxshortblock all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
10 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: SIGNALLING side: source mask: 255.255.255.255
11 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
12 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxshortblock (2 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: CLAMPED side: source mask: 255.255.255.255
2 REJECT all – 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain fpbxsignalling (1 references)
num target prot opt source destination
1 MARK udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x3

Chain fpbxsmarthosts (1 references)
num target prot opt source destination
1 ACCEPT all – x.x.60.2 0.0.0.0/0 mark match 0x1/0x1
2 ACCEPT all – x.x.60.0 0.0.0.0/0 mark match 0x1/0x1
3 ACCEPT all – x.x.60.1 0.0.0.0/0 mark match 0x1/0x1
4 ACCEPT all – x.x.60.3 0.0.0.0/0 mark match 0x1/0x1
5 ACCEPT all – x.x.51.2 0.0.0.0/0 mark match 0x1/0x1
6 ACCEPT all – x.x.51.0 0.0.0.0/0 mark match 0x1/0x1
7 ACCEPT all – x.x.51.1 0.0.0.0/0 mark match 0x1/0x1
8 ACCEPT all – x.x.51.3 0.0.0.0/0 mark match 0x1/0x1

Chain fpbxsvc-api (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:83

Chain fpbxsvc-api_ssl (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2443

Chain fpbxsvc-chansip (1 references)
num target prot opt source destination

Chain fpbxsvc-ftp (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Chain fpbxsvc-http (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain fpbxsvc-https (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain fpbxsvc-iax (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:4569

Chain fpbxsvc-isymphony (0 references)
num target prot opt source destination

Chain fpbxsvc-letsencrypt (0 references)
num target prot opt source destination

Chain fpbxsvc-nfs (0 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
3 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:892
4 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:662
5 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:32769
6 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:892
7 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:662
8 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803

Chain fpbxsvc-ntp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:123

Chain fpbxsvc-pjsip (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:5060

Chain fpbxsvc-provis (3 references)
num target prot opt source destination
1 fpbxratelimit tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:84

Chain fpbxsvc-provis_ssl (3 references)
num target prot opt source destination

Chain fpbxsvc-restapps (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:82

Chain fpbxsvc-restapps_ssl (2 references)
num target prot opt source destination

Chain fpbxsvc-smb (0 references)
num target prot opt source destination

Chain fpbxsvc-sng_phone_svc (3 references)
num target prot opt source destination

Chain fpbxsvc-ssh (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain fpbxsvc-tftp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:69

Chain fpbxsvc-ucp (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001

Chain fpbxsvc-ucp_ssl (2 references)
num target prot opt source destination

Chain fpbxsvc-vpn (3 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

Chain fpbxsvc-webrtc (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089

Chain fpbxsvc-xmpp (3 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222

Chain fpbxsvc-zulu (1 references)
num target prot opt source destination

Chain fpbxtempwhitelist (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255

Chain lefilter (1 references)
num target prot opt source destination
1 CONNMARK all – 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x20
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 state NEW
3 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 STRING match “GET /.well-known/acme-challenge/” ALGO name kmp FROM 52 TO 53
4 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 STRING match “GET /.freepbx-known/” ALGO name kmp FROM 52 TO 53
5 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain rejsvc-nfs (1 references)
num target prot opt source destination
1 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
2 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 reject-with icmp-port-unreachable
3 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:892 reject-with icmp-port-unreachable
4 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:662 reject-with icmp-port-unreachable
5 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:32769 reject-with icmp-port-unreachable
6 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:892 reject-with icmp-port-unreachable
7 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:662 reject-with icmp-port-unreachable
8 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803 reject-with icmp-port-unreachable

Chain rejsvc-smb (1 references)
num target prot opt source destination

Chain zone-external (1 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x10
2 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-internal (0 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
2 fpbxsvc-ssh all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-http all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-https all – 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-ucp_ssl all – 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-pjsip all – 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-chansip all – 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-iax all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-webrtc all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-api all – 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-api_ssl all – 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-ntp all – 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
15 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
16 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
17 fpbxsvc-restapps all – 0.0.0.0/0 0.0.0.0/0
18 fpbxsvc-restapps_ssl all – 0.0.0.0/0 0.0.0.0/0
19 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0
20 fpbxsvc-ftp all – 0.0.0.0/0 0.0.0.0/0
21 fpbxsvc-tftp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-other (0 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x8
2 fpbxsvc-ucp_ssl all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-trusted (13 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

after:

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-PBX-GUI all – 0.0.0.0/0 0.0.0.0/0
2 fail2ban-SSH tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 fail2ban-apache-auth all – 0.0.0.0/0 0.0.0.0/0
4 fail2ban-FTP tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 21
5 fail2ban-BadBots tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 fail2ban-api tcp – 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
7 fail2ban-recidive all – 0.0.0.0/0 0.0.0.0/0
8 fail2ban-SIP all – 0.0.0.0/0 0.0.0.0/0
9 fpbxfirewall all – 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-BadBots (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-FTP (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-PBX-GUI (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 REJECT all – 128.90.176.214 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all – 128.90.176.114 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all – 43.251.164.226 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all – 128.90.138.191 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all – 128.90.101.107 0.0.0.0/0 reject-with icmp-port-unreachable
6 REJECT all – 128.90.62.214 0.0.0.0/0 reject-with icmp-port-unreachable
7 REJECT all – 192.64.4.24 0.0.0.0/0 reject-with icmp-port-unreachable
8 REJECT all – 128.90.174.123 0.0.0.0/0 reject-with icmp-port-unreachable
9 REJECT all – 69.167.40.126 0.0.0.0/0 reject-with icmp-port-unreachable
10 REJECT all – 128.90.129.56 0.0.0.0/0 reject-with icmp-port-unreachable
11 REJECT all – 128.90.169.191 0.0.0.0/0 reject-with icmp-port-unreachable
12 REJECT all – 128.90.172.40 0.0.0.0/0 reject-with icmp-port-unreachable
13 REJECT all – 128.90.61.122 0.0.0.0/0 reject-with icmp-port-unreachable
14 REJECT all – 128.90.175.134 0.0.0.0/0 reject-with icmp-port-unreachable
15 REJECT all – 128.90.173.180 0.0.0.0/0 reject-with icmp-port-unreachable
16 REJECT all – 31.6.58.133 0.0.0.0/0 reject-with icmp-port-unreachable
17 REJECT all – 103.27.220.68 0.0.0.0/0 reject-with icmp-port-unreachable
18 REJECT all – 128.90.171.71 0.0.0.0/0 reject-with icmp-port-unreachable
19 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-apache-auth (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-api (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-recidive (1 references)
num target prot opt source destination
1 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain fpbx-rtp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
2 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:4999

Chain fpbxattacker (6 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: ATTACKER side: source mask: 255.255.255.255
2 DROP all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxblacklist (1 references)
num target prot opt source destination
1 REJECT all – 109.236.88.47 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all – 163.172.199.135 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all – 185.53.88.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all – 46.166.151.168 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all – 77.234.46.254 0.0.0.0/0 reject-with icmp-port-unreachable

Chain fpbxchecktempwhitelist (1 references)
num target prot opt source destination
1 fpbxtempwhitelist all – 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255

Chain fpbxfirewall (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 connmark match ! 0x20 state RELATED,ESTABLISHED
3 ACCEPT icmp – 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all – 0.0.0.0/0 255.255.255.255
5 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
6 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7 fpbx-rtp all – 0.0.0.0/0 0.0.0.0/0
8 fpbxblacklist all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsignalling all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsmarthosts all – 0.0.0.0/0 0.0.0.0/0
11 fpbxregistrations all – 0.0.0.0/0 0.0.0.0/0
12 fpbxnets all – 0.0.0.0/0 0.0.0.0/0
13 fpbxhosts all – 0.0.0.0/0 0.0.0.0/0
14 fpbxinterfaces all – 0.0.0.0/0 0.0.0.0/0
15 fpbxreject all – 0.0.0.0/0 0.0.0.0/0
16 fpbxrfw all – 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0x2
17 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 lefilter tcp – 0.0.0.0/0 0.0.0.0/0 match-set lefilter dst
19 fpbxlogdrop all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxhosts (1 references)
num target prot opt source destination
1 zone-trusted all – 127.0.0.1 0.0.0.0/0

Chain fpbxinterfaces (1 references)
num target prot opt source destination
1 zone-external all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxknownreg (0 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
2 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
3 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
4 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
5 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
6 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1
7 fpbxsvc-ucp all – 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-zulu all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-restapps all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-restapps_ssl all – 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-api all – 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-api_ssl all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxlogdrop (1 references)
num target prot opt source destination
1 DROP all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all – x.x.1.16 0.0.0.0/0
2 zone-trusted all – x.x1.16 0.0.0.0/0
3 zone-trusted all – x.x.197.2 0.0.0.0/0
4 zone-trusted all – x.x.197.2 0.0.0.0/0
5 zone-trusted all – x.x.2.128 0.0.0.0/0
6 zone-trusted all – x.x.2.128 0.0.0.0/0
7 zone-trusted all – x.x.2.222 0.0.0.0/0
8 zone-trusted all – x.x.2.222 0.0.0.0/0
9 zone-trusted all – x.x.10.0/24 0.0.0.0/0
10 zone-trusted all – x.x.10.0/24 0.0.0.0/0
11 zone-trusted all – x.x.2.0/24 0.0.0.0/0
12 zone-trusted all – x.x.2.0/24 0.0.0.0/0
13 zone-trusted all – x.x.0.0/24 0.0.0.0/0
14 zone-trusted all – x.x.0.0/24 0.0.0.0/0

Chain fpbxratelimit (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0x4
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 all – 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
4 all – 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
5 LOG all – 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
6 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
7 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
9 fpbxshortblock all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
10 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxregistrations (1 references)
num target prot opt source destination

Chain fpbxreject (1 references)
num target prot opt source destination
1 rejsvc-nfs all – 0.0.0.0/0 0.0.0.0/0
2 rejsvc-smb all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxrfw (1 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: DISCOVERED side: source mask: 255.255.255.255
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
4 fpbxchecktempwhitelist all – 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
5 all – 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
6 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: REPEAT side: source mask: 255.255.255.255
7 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
9 fpbxshortblock all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
10 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: SIGNALLING side: source mask: 255.255.255.255
11 fpbxattacker all – 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
12 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

Chain fpbxshortblock (2 references)
num target prot opt source destination
1 all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: CLAMPED side: source mask: 255.255.255.255
2 REJECT all – 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain fpbxsignalling (1 references)
num target prot opt source destination
1 MARK udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x3

Chain fpbxsmarthosts (1 references)
num target prot opt source destination
1 ACCEPT all – x.x.60.2 0.0.0.0/0 mark match 0x1/0x1
2 ACCEPT all – x.x.60.0 0.0.0.0/0 mark match 0x1/0x1
3 ACCEPT all – x.x.60.1 0.0.0.0/0 mark match 0x1/0x1
4 ACCEPT all – x.x.60.3 0.0.0.0/0 mark match 0x1/0x1
5 ACCEPT all – x.x.51.2 0.0.0.0/0 mark match 0x1/0x1
6 ACCEPT all – x.x.51.0 0.0.0.0/0 mark match 0x1/0x1
7 ACCEPT all – x.x.51.1 0.0.0.0/0 mark match 0x1/0x1
8 ACCEPT all – x.x.51.3 0.0.0.0/0 mark match 0x1/0x1

Chain fpbxsvc-api (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:83

Chain fpbxsvc-api_ssl (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2443

Chain fpbxsvc-chansip (1 references)
num target prot opt source destination

Chain fpbxsvc-ftp (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

Chain fpbxsvc-http (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

Chain fpbxsvc-https (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

Chain fpbxsvc-iax (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:4569

Chain fpbxsvc-isymphony (0 references)
num target prot opt source destination

Chain fpbxsvc-letsencrypt (0 references)
num target prot opt source destination

Chain fpbxsvc-nfs (0 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
3 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:892
4 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:662
5 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:32769
6 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:892
7 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:662
8 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803

Chain fpbxsvc-ntp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:123

Chain fpbxsvc-pjsip (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:5060

Chain fpbxsvc-provis (3 references)
num target prot opt source destination
1 fpbxratelimit tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:84

Chain fpbxsvc-provis_ssl (3 references)
num target prot opt source destination

Chain fpbxsvc-restapps (2 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:82

Chain fpbxsvc-restapps_ssl (2 references)
num target prot opt source destination

Chain fpbxsvc-smb (0 references)
num target prot opt source destination

Chain fpbxsvc-sng_phone_svc (3 references)
num target prot opt source destination

Chain fpbxsvc-ssh (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain fpbxsvc-tftp (1 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:69

Chain fpbxsvc-ucp (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001

Chain fpbxsvc-ucp_ssl (2 references)
num target prot opt source destination

Chain fpbxsvc-vpn (3 references)
num target prot opt source destination
1 ACCEPT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

Chain fpbxsvc-webrtc (1 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
2 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089

Chain fpbxsvc-xmpp (3 references)
num target prot opt source destination
1 ACCEPT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222

Chain fpbxsvc-zulu (1 references)
num target prot opt source destination

Chain fpbxtempwhitelist (1 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255

Chain lefilter (1 references)
num target prot opt source destination
1 CONNMARK all – 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x20
2 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 state NEW
3 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
4 ACCEPT all – 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
5 RETURN all – 0.0.0.0/0 0.0.0.0/0

Chain rejsvc-nfs (1 references)
num target prot opt source destination
1 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
2 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 reject-with icmp-port-unreachable
3 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:892 reject-with icmp-port-unreachable
4 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:662 reject-with icmp-port-unreachable
5 REJECT udp – 0.0.0.0/0 0.0.0.0/0 udp dpt:32769 reject-with icmp-port-unreachable
6 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:892 reject-with icmp-port-unreachable
7 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:662 reject-with icmp-port-unreachable
8 REJECT tcp – 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803 reject-with icmp-port-unreachable

Chain rejsvc-smb (1 references)
num target prot opt source destination

Chain zone-external (1 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x10
2 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-internal (0 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
2 fpbxsvc-ssh all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-http all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-https all – 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-ucp_ssl all – 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-pjsip all – 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-chansip all – 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-iax all – 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-webrtc all – 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-api all – 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-api_ssl all – 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-ntp all – 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
15 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
16 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
17 fpbxsvc-restapps all – 0.0.0.0/0 0.0.0.0/0
18 fpbxsvc-restapps_ssl all – 0.0.0.0/0 0.0.0.0/0
19 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0
20 fpbxsvc-ftp all – 0.0.0.0/0 0.0.0.0/0
21 fpbxsvc-tftp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-other (0 references)
num target prot opt source destination
1 MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x8
2 fpbxsvc-ucp_ssl all – 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-sng_phone_svc all – 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-provis all – 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-provis_ssl all – 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-vpn all – 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-xmpp all – 0.0.0.0/0 0.0.0.0/0

Chain zone-trusted (15 references)
num target prot opt source destination
1 ACCEPT all – 0.0.0.0/0 0.0.0.0/0

Your fail2ban chains operate before your firewall chains; look for a REJECT that might impact you in any of them.

The one that was being blocked was in the fail2ban-sip but I think I cleared it before I took this. It was one of the ones in fpbxnets that got deleted when it started writing every other one twice and skipping the ones that don't get doubled.

I never mess with these manually. If they got reversed, something had to do it that way programmatically. I have disabled my nightly updates, which is the only thing on the system that does anything but operate in a pretty much out-of-the-box configuration.
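The two checks discussed above (a REJECT in a fail2ban chain that hits a trusted source, and doubled entries in fpbxnets) can be run over a saved `iptables -L -n --line-numbers` listing. This is an added example, not part of the original thread or of FreePBX; the function names, the `fail2ban` chain-name prefix match and the sample listing (documentation addresses) are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of `iptables -L -n --line-numbers` output;
# the addresses are documentation ranges, not values from the thread.
SAMPLE = """\
Chain fail2ban-sip (1 references)
num target prot opt source destination
1 REJECT all -- 192.0.2.77 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 203.0.113.9 0.0.0.0/0 reject-with icmp-port-unreachable
3 RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- 192.0.2.0/24 0.0.0.0/0
2 zone-trusted all -- 192.0.2.0/24 0.0.0.0/0
3 zone-trusted all -- 198.51.100.16 0.0.0.0/0
"""

# num, optional target, prot, opt ("--", or the en dash a forum paste turns it into), source, destination
RULE = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?(\S+)\s+(?:--|\u2013)\s+(\S+)\s+(\S+)")

def parse(listing):
    """Return {chain: [(rule_num, target, source_network), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = chains.setdefault(line.split()[1], [])
            continue
        m = RULE.match(line.strip())
        if not m or current is None:
            continue
        try:
            net = ipaddress.ip_network(m.group(4), strict=False)
        except ValueError:
            continue  # redacted (x.x.1.16) or negated source: skip it
        current.append((int(m.group(1)), m.group(2) or "", net))
    return chains

def duplicate_sources(chains, chain="fpbxnets"):
    """Sources that appear more than once in one chain."""
    counts = Counter(str(net) for _, _, net in chains.get(chain, []))
    return sorted(src for src, n in counts.items() if n > 1)

def trusted_but_rejected(chains, trusted_chain="fpbxnets"):
    """REJECT/DROP rules in fail2ban chains that overlap a trusted source."""
    trusted = [net for _, _, net in chains.get(trusted_chain, [])]
    return [(name, num, str(net))
            for name, rules in chains.items() if name.lower().startswith("fail2ban")
            for num, target, net in rules
            if target in ("REJECT", "DROP") and any(net.overlaps(t) for t in trusted)]
```

Running `parse()` on both the `beforeproblem` and `afterproblem` files and comparing the two results shows whether the doubled entries and the trusted-source REJECT appear together.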