Whitelist

=Stage One: Confirm Administrator Access Override=
AKA: Be sure YOU can ALWAYS get into the box in case you make a mistake.

Test - Start with a Freshly Rebooted Server
'''Purpose: When you start, both you and the Proxy can get in. When you finish, The Proxy will NOT be able to get to the page, but you will.'''
 * Verify that you can access the server normally with a web browser:
 * http://YourServerIP/vicidial/welcome.php
 * Enter the same web page into the megaproxy service (don't forget to use private browsing or some such). Verify that the proxy can also get to the login page. "HideMyAss.com" is another proxy service that can be used (any proxy service will do, as will an iPad or other tablet using non-local WiFi or 3G/4G access).
 * http://www.megaproxy.com/freesurf/

Activate Custom Firewall Hooks
 nano +874 /etc/sysconfig/SuSEfirewall2
Change FW_CUSTOMRULES="" to FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" by moving the # from the custom-rules line to the empty one, so that the two lines end up as:
 FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
 #FW_CUSTOMRULES=""

Turn off Ping
 nano +730 /etc/sysconfig/SuSEfirewall2
Change FW_ALLOW_PING_FW="yes" to FW_ALLOW_PING_FW="no" (yes to no).

Turn off Auth port 113
 nano +415 /etc/sysconfig/SuSEfirewall2
Change FW_SERVICES_REJECT_EXT="0/0,tcp,113" to FW_SERVICES_REJECT_EXT="" (clean it out).

Turn off SourceQuench
 nano +769 /etc/sysconfig/SuSEfirewall2
Change FW_ALLOW_FW_SOURCEQUENCH="" to FW_ALLOW_FW_SOURCEQUENCH="no" (blank to no).

Add Administrator Access using Custom Hooks
 nano +45 /etc/sysconfig/scripts/SuSEfirewall2-custom
In the "fw_custom_before_port_handling" function add this above "true":
 iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
 iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT
 iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT
 iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
This is how it will look when you are done:
 iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
 iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT
 iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT
 iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
 true
 * Substitute YOUR IP address (or hostname) for the office.poundteam.com entries.
 * Because of "-I INPUT 1" these rules are inserted at the top of the INPUT chain, so they accept all ports before the SuSEfirewall2 generated rules are hit.

=Allow Apache to add "Good Guys"=
Permissions issues!
 echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
 * This creates a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
 * OpenSuSE: used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root.
 * Ubuntu: used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root.
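The world-writable list above is what the "-m recent --rcheck --name GOOD" rule consults, and it is managed by writing "+addr" (add), "-addr" (remove) or "/" (flush) into it. The helper below is an added example, not code from the page or from Vicidial/Poundteam; it assumes a GOOD_LIST variable (an override for the Ubuntu path or for a dry run against a scratch file) and shows the one thing a web-facing writer must do: validate the address before it touches the kernel list.

```shell
#!/bin/sh
# Added example, not from the original page. /proc/net/xt_recent/GOOD is the
# kernel list behind "-m recent --rcheck --name GOOD"; ip_list_perms=0777 lets
# a non-root process such as Apache write "+addr", "-addr" or "/" into it.
# GOOD_LIST is an assumed override (Ubuntu path, or a scratch file for a dry
# run); neither the page nor SuSEfirewall2 defines it.
GOOD_LIST="${GOOD_LIST:-/proc/net/xt_recent/GOOD}"

# Accept only a plain dotted quad with four octets of 0-255. Whatever the web
# side hands over must be validated here, never passed through raw.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Add one address to the GOOD list, refusing anything that is not an IPv4.
add_good_guy() {
    valid_ipv4 "$1" || { echo "refused, not an IPv4 address: $1" >&2; return 1; }
    printf '%s%s\n' '+' "$1" > "$GOOD_LIST"
}

# Remove an address again, e.g. when a roaming agent is no longer working.
remove_good_guy() {
    valid_ipv4 "$1" || return 1
    printf '%s%s\n' '-' "$1" > "$GOOD_LIST"
}

# Print the addresses currently in the live kernel list, whose lines look
# like "src=a.b.c.d ttl: ... last_seen: ... oldest_pkt: ...".
list_good_guys() {
    sed -n 's/^src=\([0-9.]*\).*/\1/p' "$GOOD_LIST"
}
```

Run it as root on the server (or with GOOD_LIST pointed at a scratch file) and check `list_good_guys` against the agents you expect to see.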

In Yast
yast firewall

Interfaces
If you have more than one IP address / network card: be sure the external IP address is in the External Zone and the private IP address (ie: 192.168.x.x or 10.x.x.x) is in the Internal Zone. This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.

Allowed Services

 * "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
 * Yes, I really want to delete the selected entry (enter to select yes)
 * "Alt-t" again for HTTPS and delete it as well.
 * DO NOT remove Secure Shell Server (that's SSH!!)
 * Do not remove SSH from this list until you have verified that you have full access to the web page, but no one else does. Leaving SSH available during this process, until after the full "whitelist" is confirmed, is the best way to be sure you don't lock yourself out!

Advanced Services (inside Allowed Services)

 * "Alt-d" to select the Additional Allowed Ports popup
 * This section should have NO entries when you're finished!
 * "Tab" until you have highlighted the TCP Ports.
 * Backspace to delete the ports listed.
 * "Tab" until you have highlighted the UDP Ports (10000:20000 4569 5060:5069)
 * Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
 * "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
 * "Alt-N" for "Next" to accept changes made
 * "Alt-F" for "Finish" to accept changes made again
 * "Alt-Q" to quit and return to Command Line mode

Custom Rules
Sample IP range: 72.72.67.0/24
 * For adding CLIENT IP addresses and ranges, which are distinct from the "Company" IPs added directly in the conf files. This entry is for IP addresses such as roaming agents or new call centers. They can be easily removed without altering a conf file.
 * Firewall Zone: External Zone
 * "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.

Save and exit and verify
 * "Alt-N" for "Next"
 * "Alt-F" for "Finish" (or just "Enter")
 * Note: Domain Names will be translated to IP addresses automatically.
 iptables-save
Verify that the Company IP addresses appear first in "INPUT" and any client IP addresses appear TWICE in "input_ext".
 ls -l /proc/net/xt_recent/GOOD
Verify that the file is world read/write (rwxrwxrwx).
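The checks in this step can be scripted so they are rerun after every change. The block below is an added example, not code from the page or from Poundteam; SAMPLE_RULES is a constructed dump shaped like SuSEfirewall2 output with the custom hooks applied (198.51.100.x stand in for the Company IPs, 72.72.67.0/24 is the page's sample client range), and on the server you would pass "$(iptables-save)" instead.

```shell
#!/bin/sh
# Added example, not from the original page: the "iptables-save" checks from
# the Save-and-exit step as functions. SAMPLE_RULES is a constructed dump that
# imitates SuSEfirewall2 output with the custom hooks applied; on the server
# call the functions with "$(iptables-save)" as the first argument.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
-A INPUT -s 198.51.100.10/32 -j ACCEPT
-A INPUT -s 198.51.100.11/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A input_ext -m state --state ESTABLISHED,RELATED -j ACCEPT
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -s 72.72.67.0/24 -p tcp -j ACCEPT
-A input_ext -s 72.72.67.0/24 -p udp -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -j DROP
COMMIT'

# Company IPs must be the very first INPUT rules, each an unconditional ACCEPT
# (what "-I INPUT 1 ... -p all" produces). Usage: company_ips_first "$rules" ip...
company_ips_first() {
    rules=$1; shift
    first=$(printf '%s\n' "$rules" | grep '^-A INPUT ' | head -n "$#")
    for ip in "$@"; do
        printf '%s\n' "$first" | grep -qxF -- "-A INPUT -s $ip/32 -j ACCEPT" || return 1
    done
}

# A client range added in YaST must show up twice in input_ext: TCP and UDP.
client_ip_twice() {
    for proto in tcp udp; do
        printf '%s\n' "$1" | grep -qxF -- "-A input_ext -s $2 -p $proto -j ACCEPT" || return 1
    done
}

# The GOOD list lookup must be in input_ext, or Apache-added addresses never get in.
good_list_hooked() {
    printf '%s\n' "$1" | grep '^-A input_ext ' | grep -q -- '-m recent --rcheck --name GOOD .*-j ACCEPT'
}

# After the Allowed Services cleanup no port may be accepted without a source
# restriction (port 22 is deliberately still open in the sample).
no_unrestricted_port() {
    ! printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -v -- ' -s ' | grep -qE -- "--dport $2( |\$)"
}
```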

REBOOT and Verify Access
 rcSuSEfirewall2 restart
 * http://YourServerIP/vicidial/welcome.php
 * http://www.megaproxy.com/freesurf/
 * Enter the same web page into the megaproxy service. Verify that it can no longer get to the login page; only authorized IP addresses can.

Poundteam Standard Installation Stops here
=Troubleshooting=

Connections still occurring for systems NOT in GoodGuy list
Concept:

When Asterisk is monitoring an extension for round trip packet time (qualify=yes, or qualify=100 for a 100NS limit), Asterisk creates an internal database entry under /SIP/Registry for each phone. The internal database is persistent and is not deleted by a reboot. Deleting phones from sip.conf does not delete these entries. Asterisk will load these entries to ?? and use the information to "ping" each of the SIP phones in question (to check lag time) on a scheduled basis.

Conntrack (the iptables module that tracks the "state" of a connection) treats that outbound (and unregulated!) qualify packet as a connection request, so the flow counts as "established". Any returning packet on the same port from the same SIP phone is then accepted, because that IP/port is now "Established", even though there is no SIP phone in sip.conf and no "Good Guys" listing for this system.

Solution
 asterisk -rx "database deltree SIP/Registry"
 * Followed by a reboot.
 * After this, any phones added to that database will be fresh from the present sip.conf files
 * Remember that the qualify=yes only takes effect AFTER the SIP system knows the IP to reach the phone.
 * For an "Established" connection to be created from a static IP sip device, port 5060 must be pointed to that specific phone. Otherwise, you must create a good guy entry for the entire IP manually.

Note
Ordinarily this is not an issue, as anyone in the database should be a "friend", but if you are trying to cut off prior users of the system this may be a necessary step.