vicidial.org

[escondido]

I'm having a really hard time getting Vicibox to allow traffic from a new provider that utilizes ip address authorization. I added their ip addresses to iptables as follows.

iptables -A INPUT -p udp -m udp -s term.skyetel.com --dport 5060:5069 -j ACCEPT

iptables -A INPUT -p udp -m udp -s 52.41.52.34/24 --dport 5060:5069 -j ACCEPT

iptables -A INPUT -p udp -m udp -s 52.8.201.128/24 --dport 5060:5069 -j ACCEPT

iptables -A INPUT -p udp -m udp -s 50.17.48.216/24 --dport 5060:5069 -j ACCEPT

Iptables-save

I confirmed the ip addresses are listed per "iptables -vnL" However, if I reboot the server those ip addresses are deleted. I'm not sure why. The only way I'm able to see them listed as reachable per "sip show peers" is if I turn off the firewall "sudo /sbin/rcSuSEfirewall2 stop." Obviously, that's not ideal.

I then entered the same ip addresses using yast firewall, via Custom Rules. Entry looks like the following.

Source Network Protocol Destination Port Source Port Options
52.41.52.34/24 5060 5060 x
52.8.201.128/24 5060 5060 x
50.17.48.216/24 5060 5060 x

Unfortunately, that doesn't work either. Anybody else encounter the same issue and know how to make them reachable?

[ThirdRockTelecom]

Have you considered using PoundTeam's Dynamic Good Guys to protect your system? William Conely can get you more info.

[williamconley]

other implementations of iptables have an auto-save feature. opensuse's implementation does not. it has a rather interesting group of configuration files used to support the iptables-based YAST firewall implementation.

so use yast firewall's "custom" pane to add UDP opens for the ips in question (it's not really necessary to specify the specific ports, just open UDP)

or (of course) you could install Dynamic Good Guys firewall which makes opening individual IPs pretty simple, but starts with locking down the yast firewall as a prerequisite. DGG is really just a couple pages to make it easier to get through the firewall, the lockdown happens first and includes instructions for hard-coding of "these need to stay ON" during the install (eg: your home IP address should not be in a place where someone may accidentally delete it in an overly simple interface).

[escondido]

I appreciate the information. I added just the ip addresses/UDP as an External Zone. Restart and save doesn't show a change for some odd reason. This is quickly becoming annoying.

I'm gonna give DGG a try and see what happens.

[williamconley]

if you added them the same way, as I said previously, that's not going to be saved. only changes in yast firewall will be changed after reboot. opensuse's startup process builds the firewall from their configuration files.

dgg install contains some of the file names and instructions on how to save changes to various areas of the firewall (even if you don't actually install dgg, that's useful!)

[escondido]

I just entered the ip addresses into yast firewall after selecting the CUSTOM RULES section. I only selected UDP for them. Then went to Start-Up and selected "Save settings and restart Firewall now." That is the section you're talking about, right? Asterisk shows them as unreachable still.

Then I rebooted the server and all of them showed OK at first, and then Asterisk shows me the following

[Jul 1 19:46:26] NOTICE[1981]: chan_sip.c:30180 sip_poke_noanswer: Peer 'SkyetelVA' is now UNREACHABLE! Last qualify: 32
[Jul 1 19:46:26] NOTICE[1981]: chan_sip.c:30180 sip_poke_noanswer: Peer 'SkyetelCA' is now UNREACHABLE! Last qualify: 40
[Jul 1 19:46:26] NOTICE[1981]: chan_sip.c:30180 sip_poke_noanswer: Peer 'SkyetelOR' is now UNREACHABLE! Last qualify: 62
[Jul 1 19:46:27] NOTICE[1981]: chan_sip.c:30180 sip_poke_noanswer: Peer 'SkyetelTERM' is now UNREACHABLE! Last qualify: 1061

Those entries are part of the dial plan since I did not provider any names for the ip addresses using yast firewall. The ip addresses should be whitelisted since they are listed. Went back into yast firewall and disabled it to see what happens. All of the ip addresses immediately become reachable. WTF, ya know lol.

Gonna read over the DGG documentation. This is driving me nuts.

[williamconley]

firewall doesn't make them "REACHABLE". Firewall allows them to send you packets even if you haven't sent them packets first. The stock firewall allows returning packets from someone you've sent a packet to. None of that is related to "REACHABLE" directly. REACHABLE is achieved when they receive your qualify packet and respond to it and you receive the response. But since the built in firewall specifically allows responses, nothing we are doing here was related to REACHABLE in the first place.

However: externip=SERVER_PUBLIC_IP in /etc/asterisk/sip.conf is directly related to REACHABLE, as are other firewall settings (if you have modified the standard opensuse firewall, that is). Additionally, NAT (if your server is on a private IP instead of directly on a public IP) is also related. And of course the carrier has to send you that return packet.

Return packet is not something you can control from This Side: that you can test by turning OFF the firewall for a minute, if the sip account is still UNREACHABLE the firewall is not involved directly as "the problem". (Perhaps A problem, but not The problem. lol) So you'd have to get REACHABLE resolved first, then turn on the firewall and see if the firewall breaks it again and adjust the firewall. However: Stock Vicidial has no problem with outbound calls, as a rule, since it's designed to allow the server to communicate with any IP to which it reaches out. But an outside IP initiating the connection requires authorization (definition of whitelisting).

Of course, you can always change qualify=no but then there will be no verification of a connection. I've only seen one or two carriers in ten years that don't respond to qualify packets but do allow calling.