How to override iptables rules outside of firewall module?

v15 latest updates. I thought I created the perfect iptables solution where I inserted a custom chain on iptables built-in INPUT chain line 1 via a cron that runs every minute. The idea being that anything I put in that custom chain would be evaluated by iptables BEFORE freepbx firewall rules.

Now that doesn’t seem to work. Maybe it never did and I just didn’t notice? Freepbx firewall module keeps removing my custom chain and rules every minute or two when its cron runs. So my cron, that runs every minute, is constantly fighting with the freepbx firewall cron.

Is it possible to permanently override the freepbx firewall iptables rules, if need be, from the command line and prevent the freepbx firewall module from deleting/overwriting them? It needs to be done from the command line by a root user, not in the application. It also needs to work regardless of whether the freepbx firewall module is installed and enabled or not. I can’t have a situation where it is installed or re-installed, or something is changed in the freepbx firewall module, and an update breaks my configuration.

In summary, all I am asking is to be able to add my own iptables rules that take precedent and can co-exist and live in harmony with freepbx firewall module rules, if need be, without freepbx and firewall module forcing me to try do that through the UI. I don’t think that is too much to ask.
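The approach in the opening post (a custom chain jumped to from INPUT rule 1, re-applied from cron or an Ansible task) can be made idempotent so each run only repairs what is missing. This is an added example, not code from the thread or from FreePBX; the chain name MGMT_ALLOW and the management address 192.0.2.10 are constructed placeholders, and if the firewall module or fail2ban later inserts its own jump above ours, the next run moves our jump back to position 1.

```shell
#!/bin/sh
# Keep a custom chain at INPUT rule 1 so its rules are evaluated before anything
# the FreePBX firewall module or fail2ban manages. Safe to run every minute:
# nothing is added twice, and an existing correct state is left untouched.
CHAIN="${CHAIN:-MGMT_ALLOW}"            # assumed chain name
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"    # constructed: the Ansible control node
IPT="${IPT:-iptables}"                   # set IPT="echo iptables" for a dry run

# Exit 0 when the chain already exists in the filter table.
chain_exists() { $IPT -w -n -L "$CHAIN" >/dev/null 2>&1; }

# Exit 0 when the jump into our chain is already INPUT rule 1.
jump_is_first() { $IPT -w -S INPUT 1 2>/dev/null | grep -q -- "-j $CHAIN\$"; }

# Append a rule to the chain only if -C (check) reports it is not there yet.
add_once() { $IPT -w -C "$CHAIN" "$@" 2>/dev/null || $IPT -w -A "$CHAIN" "$@"; }

ensure_chain() {
  chain_exists || $IPT -w -N "$CHAIN"
  # Allow SSH from the management host before fail2ban/FreePBX chains see it.
  add_once -p tcp -s "$MGMT_HOST" --dport 22 -j ACCEPT
  if ! jump_is_first; then
    # Remove any stale jump lower down in INPUT, then put it at position 1.
    while $IPT -w -D INPUT -j "$CHAIN" 2>/dev/null; do :; done
    $IPT -w -I INPUT 1 -j "$CHAIN"
  fi
}

# Usage: ./ensure_mgmt_chain.sh apply   (as root, e.g. from a cron entry)
if [ "${1:-}" = "apply" ]; then ensure_chain; fi
```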

Do you have an /etc/iptables/rules.v4 file?
It’s possible that iptables-persistent is what’s getting you.

Also, what sorcery are you doing on your pbx that needs custom iptables rules?

I need to do configuration management on the server using Ansible and also by issuing SSH commands directly. This needs to be done by root on linux directly, completely independent of any installed applications, such as freepbx.

This needs to be completely separate from anything someone administering FreePBX via the UI would know or care about, so I can’t have a situation where my configuration tools lose access to SSH because someone enables responsive firewall or because it gets banned by fail2ban or whatever.

You think linux administration = “sorcery”? I guess I should change my handle to Gandalf.

Mostly fair, but fail2ban specifically shouldn’t black-hole your Ansible connection unless you’re using a common VPN endpoint, in which case you likely should have whitelisted your VPN ingress already in the System Admin module.

I didn’t say fail2ban is doing anything. I just said that was a possibility because that’s what fail2ban does.

VPNs have nothing to do with anything I am doing.

You specifically mentioned your config tool (i.e. Ansible in this case) could lose access if it gets banned by fail2ban.

I mentioned VPN as this bit us recently with fail2ban. Single-user fail cases are fine and dandy, but with 100+ users reaching services on the phone server, the default “5 bad auth attempts = ban” was horrible if we used IP_forwarding (all traffic was “from” the VPN endpoint).

It sounds very much like you’d be better off disabling the firewall and intrusion_detection and hand-rolling it.

Not using those things is not an option. I would not have opened this thread if it were.

Extracted from fail2ban’s jail.conf:

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

If you don’t have the FreePBX firewall running, then change that to wherever you want your Fail2Ban chains and you are back in control.

Thank you. I will look into that.

It’s actually /etc/firewall-4.rules now. I just noticed that my custom chain/rules are not deleted when I enable custom rules in the UI (Firewall > Advanced > Advanced Settings > Custom Firewall Rules), which then creates /etc/firewall-4.rules. So I think I just need to figure out how to always force custom rules to be enabled.

@Gandalf:
I think that if you are fighting the FreePBX firewall (some of which is closed source), you are mostly BYHATW (Between Your Host And The Wall). If you want to be in charge, just disable/uninstall/delete the FreePBX firewall (don’t let FPBX write your rules; write and save your own).

Enable custom rules under the advanced tab

Adding custom rules via Ansible. Not the GUI.

Yes.

To prevent the firewall from deleting rules that invade, this setting needs to be enabled.