v15 latest updates. I thought I created the perfect iptables solution where I inserted a custom chain on iptables built-in INPUT chain line 1 via a cron that runs every minute. The idea being that anything I put in that custom chain would be evaluated by iptables BEFORE freepbx firewall rules.
Now that doesn’t seem to work. Maybe it never did and I just didn’t notice? Freepbx firewall module keeps removing my custom chain and rules every minute or two when its cron runs. So my cron, that runs every minute, is constantly fighting with the freepbx firewall cron.
Is it possible to permanently override the freepbx firewall iptables rules, if need be, from command line and prevent freepbx firewall module from deleting/overwriting it? It needs to be done from command line by a root user. Not in the application. It also needs to work regardless of whether freepbx firewall module is installed and enabled or not. I can’t have a situation where it is installed or re-installed or something is changed in freepbx firewall module and an update breaks my configuration.
In summary, all I am asking is to be able to add my own iptables rules that take precedence and can co-exist and live in harmony with freepbx firewall module rules, if need be, without freepbx and firewall module forcing me to try to do that through the UI. I don’t think that is too much to ask.
I need to do configuration management on the server using Ansible and also by issuing SSH commands directly. This needs to be done by root on linux directly, completely independent of any installed applications, such as freepbx.
This needs to be completely separate from anything someone administering FreePBX via the UI would know or care about, so I can’t have a situation where my configuration tools lose access to SSH because someone enables responsive firewall or because it gets banned by fail2ban or whatever.
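An idempotent version of the minutely cron helper described above, added here as an example (not code from the thread or from FreePBX); the chain name ADMIN_ALLOW, the management address 192.0.2.10 and the script path are assumed placeholders. Probing with `iptables -C` / `iptables -L` before every change means the job never stacks duplicate jumps while the chain survives, and recreates it after the firewall module has flushed it.

```shell
#!/bin/sh
# Idempotent cron helper: make sure the ADMIN_ALLOW chain exists, is the
# first target evaluated in INPUT, and admits SSH from the management host.
# ADMIN_ALLOW and 192.0.2.10 are assumed placeholders, not values from the thread.
IPT="${IPT:-iptables}"              # point at a wrapper for dry-run tests
CHAIN="${CHAIN:-ADMIN_ALLOW}"
MGMT_IP="${MGMT_IP:-192.0.2.10}"    # placeholder management host (RFC 5737)

ensure_admin_chain() {
    # create the chain only when -L cannot find it (exit status non-zero)
    if ! $IPT -n -L "$CHAIN" >/dev/null 2>&1; then
        $IPT -N "$CHAIN"
    fi
    # insert the jump at INPUT position 1 only when no such jump exists yet
    if ! $IPT -C INPUT -j "$CHAIN" 2>/dev/null; then
        $IPT -I INPUT 1 -j "$CHAIN"
    fi
    # admit SSH from the management host, again only if the rule is missing
    if ! $IPT -C "$CHAIN" -s "$MGMT_IP" -p tcp --dport 22 -j ACCEPT 2>/dev/null; then
        $IPT -A "$CHAIN" -s "$MGMT_IP" -p tcp --dport 22 -j ACCEPT
    fi
}

# Assumed cron entry, run as root every minute:
# * * * * * /usr/local/sbin/ensure_admin_chain.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_admin_chain
fi
```

Because every step is a check-then-act, the same script is safe to run from Ansible as well as from cron, and `iptables -S INPUT` afterwards should show exactly one `-A INPUT -j ADMIN_ALLOW` line at the top.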
You think linux administration = “sorcery”? I guess I should change my handle to Gandalf.
mostly fair, but fail2ban specifically shouldn’t black-hole your ansible connection unless you’re using a common VPN Endpoint, in which case you likely should have whitelisted your VPN ingress already in the system-admin module.
you specifically mentioned your config tool (i.e. ansible in this case) could lose access if it gets banned by fail2ban
mentioned VPN as this bit us recently with fail2ban. single-user fail cases are fine and dandy, but 100+ users reaching services on the phone server, the default “5 bad auth attempts = ban” was horrible if we used IP_forwarding (all traffic was “From” the VPN endpoint)
it sounds very much like you’d be better off disabling the firewall and intrusion_detection and hand-rolling it.
It’s actually /etc/firewall-4.rules now. I just noticed that my custom chain/rules are not deleted when I enable custom rules in the UI (Firewall > Advanced > Advanced Settings > Custom Firewall Rules), which then creates /etc/firewall-4.rules. So I think I just need to figure out how to always force custom rules to be enabled.
@Gandalf:
I think that if you are fighting the FreePBX firewall (some of which is closed source), you are mostly BYHATW (Between Your Host And The Wall). If you want to be in charge, just disable/uninstall/delete the FreePBX firewall (don’t let FPBX write your rules; write and save your own).