I suppose wherever marking a subnet as Trusted under Firewall - Networks and whether or not making fail2ban sync from those networks. I am assuming this:
Chain fpbxnets
.
.
30 zone-trusted all -- 10.1.6.0/24
Without knowing the full iptables rules, there is no way to know. But you are apparently not alone in having this problem, maybe file a bug report
Next time it gets wrapped around the axle, I'll run that. I bet something is updating / restarting that relies on timing from some script and loses track of its place in line.
You should do that before the problem
iptables -L -n --line-numbers > beforeproblem
then do it after
iptables -L -n --line-numbers > afterproblem
then postmortem, you can
diff beforeproblem afterproblem|less
. . . .
Just had an IP in the "TRUSTED Network" get blocked in the blocked hosts section of the firewall.
It's my understanding that others have this issue. I noticed there was a tracker opened but it seems to point me in the direction of some GitHub file. I have no problem trying that, but I am not familiar with how to pull or add git files to the PBX. It's similar to what's happening here
It seems like iptables may be getting messed up. Reboot and it should temporarily fix it. When it's up and running, do what dicko said immediately above and maybe someone will be able to identify where it is going wrong.
Just to make sure I understand: reboot the system. When it is back up, run the first line. When it messes up, run the second line. Then run the 3rd to find out what's different?
Yes. I am doing the same thing - waiting for it to start blocking again. Maybe someone who knows the back end will be able to figure out why these things are getting all messed up like this.
Here it is misbehaving again. Here is the diff. Is this useful?
If posting logs, configurations, etc., inline, please mark them up as pre-formatted text, like this:
33c33,51
< 1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
---
> 1 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 2 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 3 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 4 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 5 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 6 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 7 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 8 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 9 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 10 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 11 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 12 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 13 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 14 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 15 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 16 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 17 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 18 REJECT all -- x 0.0.0.0/0 reject-with icmp-port-unreachable
> 19 RETURN all -- 0.0.0.0/0 0.0.0.0/0
127c145
< 2 zone-trusted all -- x 0.0.0.0/0
---
> 2 zone-trusted all -- x 0.0.0.0/0
129c147
< 4 zone-trusted all -- x 0.0.0.0/0
---
> 4 zone-trusted all -- x 0.0.0.0/0
131c149
< 6 zone-trusted all -- x 0.0.0.0/0
---
> 6 zone-trusted all -- x 0.0.0.0/0
133,137c151,157
< 8 zone-trusted all -- x 0.0.0.0/0
< 9 zone-trusted all -- x 0.0.0.0/0
< 10 zone-trusted all -- x 0.0.0.0/0
< 11 zone-trusted all -- x 0.0.0.0/0
< 12 zone-trusted all -- x 0.0.0.0/0
---
> 8 zone-trusted all -- x 0.0.0.0/0
> 9 zone-trusted all -- x 0.0.0.0/0
> 10 zone-trusted all -- x 0.0.0.0/0
> 11 zone-trusted all -- x 0.0.0.0/0
> 12 zone-trusted all -- x 0.0.0.0/0
> 13 zone-trusted all -- x 0.0.0.0/0
> 14 zone-trusted all -- x 0.0.0.0/0
366c386
< Chain zone-trusted (13 references)
---
> Chain zone-trusted (15 references)
For others dealing with this problem, you can recover the raw markup by replacing the first and second URL path components by raw, e.g. https://community.freepbx.org/raw/85997/29
This doesn't look at all right. It has repeatedly added rules to reject everything, when it should be adding ones to reject specific addresses.
(I would though, also have wanted to see the table names, and probably the whole of the INPUT one.)
Indeed it's very screwy somehow, a diff without the originals makes it hard to diagnose, as the order of chains ALLOWING or DROPPING is imperative to know
I think this may be more helpful...
Initial configuration
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- a.a.a.a 0.0.0.0/0
2 zone-trusted all -- u.u.u.u 0.0.0.0/0
3 zone-trusted all -- b.b.b.b 0.0.0.0/0
4 zone-trusted all -- v.v.v.v 0.0.0.0/0
5 zone-trusted all -- c.c.c.c 0.0.0.0/0
6 zone-trusted all -- w.w.w.w 0.0.0.0/0
7 zone-trusted all -- d.d.d.d 0.0.0.0/0
8 zone-trusted all -- x.x.x.x 0.0.0.0/0
9 zone-trusted all -- e.e.e.e 0.0.0.0/0
10 zone-trusted all -- y.y.y.y 0.0.0.0/0
11 zone-trusted all -- f.f.f.f 0.0.0.0/0
12 zone-trusted all -- z.z.z.z 0.0.0.0/0
Malfunctioning:
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- a.a.a.a 0.0.0.0/0
2 zone-trusted all -- a.a.a.a 0.0.0.0/0
3 zone-trusted all -- b.b.b.b 0.0.0.0/0
4 zone-trusted all -- b.b.b.b 0.0.0.0/0
5 zone-trusted all -- c.c.c.c 0.0.0.0/0
6 zone-trusted all -- c.c.c.c 0.0.0.0/0
7 zone-trusted all -- d.d.d.d 0.0.0.0/0
8 zone-trusted all -- d.d.d.d 0.0.0.0/0
9 zone-trusted all -- g.g.g.g(new) 0.0.0.0/0
10 zone-trusted all -- g.g.g.g(new) 0.0.0.0/0
11 zone-trusted all -- e.e.e.e 0.0.0.0/0
12 zone-trusted all -- e.e.e.e 0.0.0.0/0
13 zone-trusted all -- f.f.f.f 0.0.0.0/0
14 zone-trusted all -- f.f.f.f 0.0.0.0/0
This is where all of my Trusted Zones are whitelisted. When I started, all were there as would be expected. When it started blocking my phones, you will see that it duplicates every other one twice (a,b,c,d,e,f) and omits every other one (u,v,w,x,y,z). G was added between the two iptables dumps. a,b,c,d,e,f,u,v,w,x,y,z were there start to finish without being messed with. It seems that for whatever reason when it deleted or overwrote u,v,w,x,y,z it started blocking those phones.
I can upload the whole things but between the two of them, it's 3-400 lines.
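The before/after comparison suggested earlier in the thread, and the duplicated and dropped fpbxnets entries described in the post above, can be checked chain by chain rather than by reading a raw diff. This is an added example, not code from any poster or from FreePBX: the function names are made up here, and the two sample dumps are constructed, using documentation-range addresses, in the format of `iptables -L -n --line-numbers`.

```python
import re
from collections import Counter

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
# Columns: num [target] prot opt source destination [match details].
# The target column is empty for rules that only record state ("recent: SET").
RULE_RE = re.compile(r"^\d+\s+(?:(\S+)\s+)?(\S+)\s+--\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample: snapshot taken right after a reboot.
BEFORE = """\
Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- 192.0.2.16 0.0.0.0/0
2 zone-trusted all -- 198.51.100.1 0.0.0.0/0
3 zone-trusted all -- 192.0.2.128 0.0.0.0/0
4 zone-trusted all -- 198.51.100.0/24 0.0.0.0/0
"""

# Constructed sample: snapshot taken once trusted hosts are being blocked.
AFTER = """\
Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 REJECT all -- 203.0.113.50 0.0.0.0/0 reject-with icmp-port-unreachable
2 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- 192.0.2.16 0.0.0.0/0
2 zone-trusted all -- 192.0.2.16 0.0.0.0/0
3 zone-trusted all -- 192.0.2.128 0.0.0.0/0
4 zone-trusted all -- 192.0.2.128 0.0.0.0/0
5 zone-trusted all -- 203.0.113.0/24 0.0.0.0/0
6 zone-trusted all -- 203.0.113.0/24 0.0.0.0/0
"""


def parse_dump(text):
    """Parse a listing into {chain: [(target, prot, source, dest, details)]}.

    Rule numbers are dropped so that renumbering alone is not a difference.
    """
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
            continue
        m = RULE_RE.match(line)  # the "num target ..." header does not match
        if m and current is not None:
            target, prot, src, dst, details = m.groups()
            current.append((target or "", prot, src, dst, details.strip()))
    return chains


def _label(rule):
    """Short form of a rule for the report: target and source address."""
    return f"{rule[0]} {rule[2]}".strip()


def compare_chains(before, after):
    """Per chain, list rules that vanished, appeared, or occur more than once.

    Chains with no difference are left out of the result.
    """
    report = {}
    for chain in sorted(set(before) | set(after)):
        b = Counter(before.get(chain, []))
        a = Counter(after.get(chain, []))
        entry = {
            "missing": sorted(_label(r) for r in b if r not in a),
            "added": sorted(_label(r) for r in a if r not in b),
            "duplicated": sorted(_label(r) for r, n in a.items() if n > 1),
        }
        if any(entry.values()):
            report[chain] = entry
    return report


if __name__ == "__main__":
    result = compare_chains(parse_dump(BEFORE), parse_dump(AFTER))
    for chain, entry in result.items():
        for kind, rules in entry.items():
            for rule in rules:
                print(f"{chain}: {kind}: {rule}")
```

To use it on a live system, read the beforeproblem and afterproblem files from the earlier post into parse_dump instead of the embedded samples; a non-empty "missing" list for fpbxnets is the set of trusted sources that no longer reach zone-trusted.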
Just want to shoot this out again. It seems the info below is where the iptables is getting messed up. Any suggestions?
I suspect you have a rule in iptables PREVIOUS to these which is "blocking" (possible F2B)
iptables -L|grep ^Chain
before:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-PBX-GUI all -- 0.0.0.0/0 0.0.0.0/0
2 fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 fail2ban-apache-auth all -- 0.0.0.0/0 0.0.0.0/0
4 fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
5 fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 fail2ban-api tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
7 fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
8 fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-BadBots (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-FTP (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-PBX-GUI (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-auth (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-api (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-recidive (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbx-rtp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:4999
Chain fpbxattacker (6 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: ATTACKER side: source mask: 255.255.255.255
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxblacklist (1 references)
num target prot opt source destination
1 REJECT all -- 109.236.88.47 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 163.172.199.135 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all -- 185.53.88.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all -- 46.166.151.168 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 77.234.46.254 0.0.0.0/0 reject-with icmp-port-unreachable
Chain fpbxchecktempwhitelist (1 references)
num target prot opt source destination
1 fpbxtempwhitelist all -- 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255
Chain fpbxfirewall (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 connmark match ! 0x20 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 255.255.255.255
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7 fpbx-rtp all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxblacklist all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsignalling all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsmarthosts all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxregistrations all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxnets all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxhosts all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxinterfaces all -- 0.0.0.0/0 0.0.0.0/0
15 fpbxreject all -- 0.0.0.0/0 0.0.0.0/0
16 fpbxrfw all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0x2
17 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 lefilter tcp -- 0.0.0.0/0 0.0.0.0/0 match-set lefilter dst
19 fpbxlogdrop all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxhosts (1 references)
num target prot opt source destination
1 zone-trusted all -- 127.0.0.1 0.0.0.0/0
Chain fpbxinterfaces (1 references)
num target prot opt source destination
1 zone-external all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxknownreg (0 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
2 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
3 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
4 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
5 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1
7 fpbxsvc-ucp all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-zulu all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-restapps all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-restapps_ssl all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-api all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-api_ssl all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxlogdrop (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- x.x.1.16 0.0.0.0/0
2 zone-trusted all -- x.x.2.1 0.0.0.0/0
3 zone-trusted all -- x.x.197.2 0.0.0.0/0
4 zone-trusted all -- x.x.2.149 0.0.0.0/0
5 zone-trusted all -- x.x.2.128 0.0.0.0/0
6 zone-trusted all -- x.x.248.73 0.0.0.0/0
7 zone-trusted all -- x.x.2.222 0.0.0.0/0
8 zone-trusted all -- x.x.15.223 0.0.0.0/0
9 zone-trusted all -- x.x.2.0/24 0.0.0.0/0
10 zone-trusted all -- x.x.17.0/24 0.0.0.0/0
11 zone-trusted all -- x.x.0.0/24 0.0.0.0/0
12 zone-trusted all -- x.x.3.0/24 0.0.0.0/0
Chain fpbxratelimit (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0x4
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
4 all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
5 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
6 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
7 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
9 fpbxshortblock all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxregistrations (1 references)
num target prot opt source destination
Chain fpbxreject (1 references)
num target prot opt source destination
1 rejsvc-nfs all -- 0.0.0.0/0 0.0.0.0/0
2 rejsvc-smb all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxrfw (1 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: DISCOVERED side: source mask: 255.255.255.255
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
4 fpbxchecktempwhitelist all -- 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
5 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
6 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: REPEAT side: source mask: 255.255.255.255
7 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
9 fpbxshortblock all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
10 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SIGNALLING side: source mask: 255.255.255.255
11 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
12 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxshortblock (2 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: CLAMPED side: source mask: 255.255.255.255
2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain fpbxsignalling (1 references)
num target prot opt source destination
1 MARK udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x3
Chain fpbxsmarthosts (1 references)
num target prot opt source destination
1 ACCEPT all -- x.x.60.2 0.0.0.0/0 mark match 0x1/0x1
2 ACCEPT all -- x.x.60.0 0.0.0.0/0 mark match 0x1/0x1
3 ACCEPT all -- x.x.60.1 0.0.0.0/0 mark match 0x1/0x1
4 ACCEPT all -- x.x.60.3 0.0.0.0/0 mark match 0x1/0x1
5 ACCEPT all -- x.x.51.2 0.0.0.0/0 mark match 0x1/0x1
6 ACCEPT all -- x.x.51.0 0.0.0.0/0 mark match 0x1/0x1
7 ACCEPT all -- x.x.51.1 0.0.0.0/0 mark match 0x1/0x1
8 ACCEPT all -- x.x.51.3 0.0.0.0/0 mark match 0x1/0x1
Chain fpbxsvc-api (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:83
Chain fpbxsvc-api_ssl (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2443
Chain fpbxsvc-chansip (1 references)
num target prot opt source destination
Chain fpbxsvc-ftp (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain fpbxsvc-http (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain fpbxsvc-https (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain fpbxsvc-iax (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
Chain fpbxsvc-isymphony (0 references)
num target prot opt source destination
Chain fpbxsvc-letsencrypt (0 references)
num target prot opt source destination
Chain fpbxsvc-nfs (0 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:892
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:662
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32769
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:892
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:662
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803
Chain fpbxsvc-ntp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
Chain fpbxsvc-pjsip (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
Chain fpbxsvc-provis (3 references)
num target prot opt source destination
1 fpbxratelimit tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:84
Chain fpbxsvc-provis_ssl (3 references)
num target prot opt source destination
Chain fpbxsvc-restapps (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:82
Chain fpbxsvc-restapps_ssl (2 references)
num target prot opt source destination
Chain fpbxsvc-smb (0 references)
num target prot opt source destination
Chain fpbxsvc-sng_phone_svc (3 references)
num target prot opt source destination
Chain fpbxsvc-ssh (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain fpbxsvc-tftp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
Chain fpbxsvc-ucp (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001
Chain fpbxsvc-ucp_ssl (2 references)
num target prot opt source destination
Chain fpbxsvc-vpn (3 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain fpbxsvc-webrtc (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089
Chain fpbxsvc-xmpp (3 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222
Chain fpbxsvc-zulu (1 references)
num target prot opt source destination
Chain fpbxtempwhitelist (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255
Chain lefilter (1 references)
num target prot opt source destination
1 CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x20
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
5 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain rejsvc-nfs (1 references)
num target prot opt source destination
1 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
2 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 reject-with icmp-port-unreachable
3 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:892 reject-with icmp-port-unreachable
4 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:662 reject-with icmp-port-unreachable
5 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32769 reject-with icmp-port-unreachable
6 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:892 reject-with icmp-port-unreachable
7 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:662 reject-with icmp-port-unreachable
8 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803 reject-with icmp-port-unreachable
Chain rejsvc-smb (1 references)
num target prot opt source destination
Chain zone-external (1 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x10
2 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-internal (0 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
2 fpbxsvc-ssh all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-http all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-https all -- 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-ucp_ssl all -- 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-pjsip all -- 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-chansip all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-iax all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-webrtc all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-api all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-api_ssl all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-ntp all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
15 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
16 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
17 fpbxsvc-restapps all -- 0.0.0.0/0 0.0.0.0/0
18 fpbxsvc-restapps_ssl all -- 0.0.0.0/0 0.0.0.0/0
19 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
20 fpbxsvc-ftp all -- 0.0.0.0/0 0.0.0.0/0
21 fpbxsvc-tftp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-other (0 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x8
2 fpbxsvc-ucp_ssl all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-trusted (13 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
after:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-PBX-GUI all -- 0.0.0.0/0 0.0.0.0/0
2 fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
3 fail2ban-apache-auth all -- 0.0.0.0/0 0.0.0.0/0
4 fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
5 fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
6 fail2ban-api tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
7 fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
8 fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain fail2ban-BadBots (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-FTP (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-PBX-GUI (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SIP (1 references)
num target prot opt source destination
1 REJECT all -- 128.90.176.214 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 128.90.176.114 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all -- 43.251.164.226 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all -- 128.90.138.191 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 128.90.101.107 0.0.0.0/0 reject-with icmp-port-unreachable
6 REJECT all -- 128.90.62.214 0.0.0.0/0 reject-with icmp-port-unreachable
7 REJECT all -- 192.64.4.24 0.0.0.0/0 reject-with icmp-port-unreachable
8 REJECT all -- 128.90.174.123 0.0.0.0/0 reject-with icmp-port-unreachable
9 REJECT all -- 69.167.40.126 0.0.0.0/0 reject-with icmp-port-unreachable
10 REJECT all -- 128.90.129.56 0.0.0.0/0 reject-with icmp-port-unreachable
11 REJECT all -- 128.90.169.191 0.0.0.0/0 reject-with icmp-port-unreachable
12 REJECT all -- 128.90.172.40 0.0.0.0/0 reject-with icmp-port-unreachable
13 REJECT all -- 128.90.61.122 0.0.0.0/0 reject-with icmp-port-unreachable
14 REJECT all -- 128.90.175.134 0.0.0.0/0 reject-with icmp-port-unreachable
15 REJECT all -- 128.90.173.180 0.0.0.0/0 reject-with icmp-port-unreachable
16 REJECT all -- 31.6.58.133 0.0.0.0/0 reject-with icmp-port-unreachable
17 REJECT all -- 103.27.220.68 0.0.0.0/0 reject-with icmp-port-unreachable
18 REJECT all -- 128.90.171.71 0.0.0.0/0 reject-with icmp-port-unreachable
19 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-auth (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-api (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-recidive (1 references)
num target prot opt source destination
1 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbx-rtp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:4000:4999
Chain fpbxattacker (6 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: ATTACKER side: source mask: 255.255.255.255
2 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxblacklist (1 references)
num target prot opt source destination
1 REJECT all -- 109.236.88.47 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 163.172.199.135 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all -- 185.53.88.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all -- 46.166.151.168 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 77.234.46.254 0.0.0.0/0 reject-with icmp-port-unreachable
Chain fpbxchecktempwhitelist (1 references)
num target prot opt source destination
1 fpbxtempwhitelist all -- 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255
Chain fpbxfirewall (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 connmark match ! 0x20 state RELATED,ESTABLISHED
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 255.255.255.255
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7 fpbx-rtp all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxblacklist all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsignalling all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsmarthosts all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxregistrations all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxnets all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxhosts all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxinterfaces all -- 0.0.0.0/0 0.0.0.0/0
15 fpbxreject all -- 0.0.0.0/0 0.0.0.0/0
16 fpbxrfw all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x2/0x2
17 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
18 lefilter tcp -- 0.0.0.0/0 0.0.0.0/0 match-set lefilter dst
19 fpbxlogdrop all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxhosts (1 references)
num target prot opt source destination
1 zone-trusted all -- 127.0.0.1 0.0.0.0/0
Chain fpbxinterfaces (1 references)
num target prot opt source destination
1 zone-external all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxknownreg (0 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
2 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
3 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
4 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
5 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x1/0x1
7 fpbxsvc-ucp all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-zulu all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-restapps all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-restapps_ssl all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-api all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-api_ssl all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxlogdrop (1 references)
num target prot opt source destination
1 DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxnets (1 references)
num target prot opt source destination
1 zone-trusted all -- x.x.1.16 0.0.0.0/0
2 zone-trusted all -- x.x1.16 0.0.0.0/0
3 zone-trusted all -- x.x.197.2 0.0.0.0/0
4 zone-trusted all -- x.x.197.2 0.0.0.0/0
5 zone-trusted all -- x.x.2.128 0.0.0.0/0
6 zone-trusted all -- x.x.2.128 0.0.0.0/0
7 zone-trusted all -- x.x.2.222 0.0.0.0/0
8 zone-trusted all -- x.x.2.222 0.0.0.0/0
9 zone-trusted all -- x.x.10.0/24 0.0.0.0/0
10 zone-trusted all -- x.x.10.0/24 0.0.0.0/0
11 zone-trusted all -- x.x.2.0/24 0.0.0.0/0
12 zone-trusted all -- x.x.2.0/24 0.0.0.0/0
13 zone-trusted all -- x.x.0.0/24 0.0.0.0/0
14 zone-trusted all -- x.x.0.0/24 0.0.0.0/0
Chain fpbxratelimit (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 mark match 0x4/0x4
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
4 all -- 0.0.0.0/0 0.0.0.0/0 state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
5 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
6 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
7 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
9 fpbxshortblock all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
10 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxregistrations (1 references)
num target prot opt source destination
Chain fpbxreject (1 references)
num target prot opt source destination
1 rejsvc-nfs all -- 0.0.0.0/0 0.0.0.0/0
2 rejsvc-smb all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxrfw (1 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: DISCOVERED side: source mask: 255.255.255.255
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
4 fpbxchecktempwhitelist all -- 0.0.0.0/0 0.0.0.0/0 ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
5 all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
6 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: REPEAT side: source mask: 255.255.255.255
7 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
8 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
9 fpbxshortblock all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
10 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: SIGNALLING side: source mask: 255.255.255.255
11 fpbxattacker all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
12 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain fpbxshortblock (2 references)
num target prot opt source destination
1 all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: CLAMPED side: source mask: 255.255.255.255
2 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain fpbxsignalling (1 references)
num target prot opt source destination
1 MARK udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 MARK set 0x3
Chain fpbxsmarthosts (1 references)
num target prot opt source destination
1 ACCEPT all -- x.x.60.2 0.0.0.0/0 mark match 0x1/0x1
2 ACCEPT all -- x.x.60.0 0.0.0.0/0 mark match 0x1/0x1
3 ACCEPT all -- x.x.60.1 0.0.0.0/0 mark match 0x1/0x1
4 ACCEPT all -- x.x.60.3 0.0.0.0/0 mark match 0x1/0x1
5 ACCEPT all -- x.x.51.2 0.0.0.0/0 mark match 0x1/0x1
6 ACCEPT all -- x.x.51.0 0.0.0.0/0 mark match 0x1/0x1
7 ACCEPT all -- x.x.51.1 0.0.0.0/0 mark match 0x1/0x1
8 ACCEPT all -- x.x.51.3 0.0.0.0/0 mark match 0x1/0x1
Chain fpbxsvc-api (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:83
Chain fpbxsvc-api_ssl (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2443
Chain fpbxsvc-chansip (1 references)
num target prot opt source destination
Chain fpbxsvc-ftp (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
Chain fpbxsvc-http (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain fpbxsvc-https (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain fpbxsvc-iax (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
Chain fpbxsvc-isymphony (0 references)
num target prot opt source destination
Chain fpbxsvc-letsencrypt (0 references)
num target prot opt source destination
Chain fpbxsvc-nfs (0 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:892
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:662
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32769
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:892
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:662
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803
Chain fpbxsvc-ntp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
Chain fpbxsvc-pjsip (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060
Chain fpbxsvc-provis (3 references)
num target prot opt source destination
1 fpbxratelimit tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:84
Chain fpbxsvc-provis_ssl (3 references)
num target prot opt source destination
Chain fpbxsvc-restapps (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:82
Chain fpbxsvc-restapps_ssl (2 references)
num target prot opt source destination
Chain fpbxsvc-smb (0 references)
num target prot opt source destination
Chain fpbxsvc-sng_phone_svc (3 references)
num target prot opt source destination
Chain fpbxsvc-ssh (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain fpbxsvc-tftp (1 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
Chain fpbxsvc-ucp (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:81
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001
Chain fpbxsvc-ucp_ssl (2 references)
num target prot opt source destination
Chain fpbxsvc-vpn (3 references)
num target prot opt source destination
1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain fpbxsvc-webrtc (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8088
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089
Chain fpbxsvc-xmpp (3 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222
Chain fpbxsvc-zulu (1 references)
num target prot opt source destination
Chain fpbxtempwhitelist (1 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255
Chain lefilter (1 references)
num target prot opt source destination
1 CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 state NEW CONNMARK set 0x20
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 STRING match "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
5 RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain rejsvc-nfs (1 references)
num target prot opt source destination
1 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 reject-with icmp-port-unreachable
2 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 reject-with icmp-port-unreachable
3 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:892 reject-with icmp-port-unreachable
4 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:662 reject-with icmp-port-unreachable
5 REJECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:32769 reject-with icmp-port-unreachable
6 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:892 reject-with icmp-port-unreachable
7 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:662 reject-with icmp-port-unreachable
8 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:32803 reject-with icmp-port-unreachable
Chain rejsvc-smb (1 references)
num target prot opt source destination
Chain zone-external (1 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x10
2 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-internal (0 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4
2 fpbxsvc-ssh all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-http all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-https all -- 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-ucp_ssl all -- 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-pjsip all -- 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-chansip all -- 0.0.0.0/0 0.0.0.0/0
8 fpbxsvc-iax all -- 0.0.0.0/0 0.0.0.0/0
9 fpbxsvc-webrtc all -- 0.0.0.0/0 0.0.0.0/0
10 fpbxsvc-api all -- 0.0.0.0/0 0.0.0.0/0
11 fpbxsvc-api_ssl all -- 0.0.0.0/0 0.0.0.0/0
12 fpbxsvc-ntp all -- 0.0.0.0/0 0.0.0.0/0
13 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
14 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
15 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
16 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
17 fpbxsvc-restapps all -- 0.0.0.0/0 0.0.0.0/0
18 fpbxsvc-restapps_ssl all -- 0.0.0.0/0 0.0.0.0/0
19 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
20 fpbxsvc-ftp all -- 0.0.0.0/0 0.0.0.0/0
21 fpbxsvc-tftp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-other (0 references)
num target prot opt source destination
1 MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x8
2 fpbxsvc-ucp_ssl all -- 0.0.0.0/0 0.0.0.0/0
3 fpbxsvc-sng_phone_svc all -- 0.0.0.0/0 0.0.0.0/0
4 fpbxsvc-provis all -- 0.0.0.0/0 0.0.0.0/0
5 fpbxsvc-provis_ssl all -- 0.0.0.0/0 0.0.0.0/0
6 fpbxsvc-vpn all -- 0.0.0.0/0 0.0.0.0/0
7 fpbxsvc-xmpp all -- 0.0.0.0/0 0.0.0.0/0
Chain zone-trusted (15 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Your fail2ban chains operate before your firewall chains; look for a REJECT that might impact you in any of them.
The one that was being blocked was in the fail2ban-sip but I think I cleared it before I took this. It was one of the ones in fpbxnets that got deleted when it started writing every other one twice and skipping the ones that don't get doubled.
I never mess with these manually. If they got reversed, something had to do it that way programmatically. I have disabled my nightly updates, which is the only thing on the system that does anything but operate in a pretty much out-of-the-box configuration.
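The symptom described in the posts above (fpbxnets entries written twice while other trusted networks drop out) can be checked mechanically against a saved listing such as `beforeproblem` or `afterproblem`. This is an added example, not part of the original thread or of FreePBX; the function names `dup_rules`, `missing_sources` and `sample_listing` are hypothetical and the sample listing is constructed with documentation addresses.

```shell
# Added example (not from the thread): audit `iptables -L -n --line-numbers` output on stdin.
# dup_rules: print "chain<TAB>count<TAB>rule numbers<TAB>rule" for each rule
# that occurs more than once inside the same chain.
dup_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 !~ /^[0-9]+$/ { next }            # skip "num target ..." header lines
        {
            num = $1
            $1 = ""; sub(/^ +/, "")          # drop the rule number, squeeze spacing
            key = chain SUBSEP $0
            if (!(key in count)) order[++n] = key
            count[key]++
            nums[key] = (nums[key] == "" ? "" : nums[key] ",") num
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                if (count[key] < 2) continue
                split(key, part, SUBSEP)
                printf "%s\t%d\t%s\t%s\n", part[1], count[key], nums[key], part[2]
            }
        }'
}

# missing_sources CHAIN SRC...: print each expected source with no rule in CHAIN.
# Assumes every rule in CHAIN has a target, so the source is column 5.
missing_sources() {
    chain_name=$1; shift
    awk -v want="$chain_name" -v list="$*" '
        BEGIN { n = split(list, expected, " ") }
        $1 == "Chain" { chain = $2; next }
        chain == want && $1 ~ /^[0-9]+$/ { seen[$5] = 1 }
        END { for (i = 1; i <= n; i++) if (!(expected[i] in seen)) print expected[i] }'
}

# Constructed sample listing (documentation addresses, not the poster's rules).
sample_listing() {
    cat <<'EOF'
Chain fpbxnets (1 references)
num  target        prot opt source           destination
1    zone-trusted  all  --  192.0.2.16       0.0.0.0/0
2    zone-trusted  all  --  192.0.2.16       0.0.0.0/0
3    zone-trusted  all  --  192.0.2.128      0.0.0.0/0
4    zone-trusted  all  --  198.51.100.0/24  0.0.0.0/0
5    zone-trusted  all  --  198.51.100.0/24  0.0.0.0/0
EOF
}
sample_listing | dup_rules
```

Against a real capture, run `dup_rules < afterproblem`, and pass `missing_sources fpbxnets` the networks configured as Trusted to list any that no longer have a rule.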