- 1 Stage One: Confirm Administrator Access Override
- 2 Allow Apache to add "Good Guys"
- 3 Troubleshooting
Stage One: Confirm Administrator Access Override
AKA: Be sure YOU can ALWAYS get into the box in case you make a mistake
Test - Start with a Freshly Rebooted Server
- Verify that you can reach the server normally with a web browser.
- Enter the same web page into the megaproxy service (use a private-browsing window or similar). Verify that it can also reach the login page. "HideMyAss.com" is another proxy service that can be used (any proxy service will do, as will an iPad or other tablet using non-local Wifi or 3G/4G signal access).
Purpose: When you start, both you and the proxy can get in. When you finish, the proxy will NOT be able to get to the page, but you will.
Activate Custom Firewall Hooks
nano +874 /etc/sysconfig/SuSEfirewall2
Uncomment the custom-rules line (remove the leading #) so that /etc/sysconfig/scripts/SuSEfirewall2-custom is used.
Turn off Ping
nano +730 /etc/sysconfig/SuSEfirewall2
Change the value from yes to no.
Turn off Auth port 113
nano +415 /etc/sysconfig/SuSEfirewall2
Clear the value (leave it empty).
Turn off SourceQuench
nano +769 /etc/sysconfig/SuSEfirewall2
Change the value from blank to no.
Add Administrator Access using Custom Hooks
nano +45 /etc/sysconfig/scripts/SuSEfirewall2-custom
in the "fw_custom_before_port_handling()" function, add these lines above "true":
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
- Substitute YOUR own IP addresses or hostnames for the office*.poundteam.com entries.
This is how it will look when you are done:
# ports before the SuSEfirewall2 generated rules are hit.
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
true
Allow Apache to add "Good Guys"
echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
- this will create a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
- OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root
- Ubuntu: Used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root
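As an added example (not part of the original page), a small POSIX sh helper that a web script run by Apache could call to add or remove a "Good Guy". It assumes the GOOD list from the custom hook above and the xt_recent interface, where writing +ADDR to the list file adds an address and -ADDR removes it; GOOD_LIST is an assumed variable so the path can be overridden. Because Apache is passing along caller-supplied data, the helper refuses anything that is not a plain IPv4 address.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed: the list is the GOOD list
# used by the custom hook above, and the kernel's xt_recent interface accepts
# "+ADDR" written to the list file to add an address and "-ADDR" to remove it.
GOOD_LIST="${GOOD_LIST:-/proc/net/xt_recent/GOOD}"   # overridable for testing

# valid_ipv4 ADDR: succeed only for a plain dotted quad with every octet 0-255.
# Apache hands this helper caller-supplied data, so nothing else may reach the list.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# goodguy_add ADDR: whitelist ADDR (fails, writing nothing, on a bad address)
goodguy_add() {
  valid_ipv4 "$1" || return 1
  printf '%s%s\n' '+' "$1" > "$GOOD_LIST"
}

# goodguy_del ADDR: drop ADDR from the whitelist again
goodguy_del() {
  valid_ipv4 "$1" || return 1
  printf '%s%s\n' '-' "$1" > "$GOOD_LIST"
}

# Usage from a web script: goodguy_add "$REMOTE_ADDR" || echo "rejected"
```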
Deactivate "Anyone" Services
If you have more than one IP address / network card: be sure the external IP address is in the External Zone and the private IP address (i.e. 192.168.x.x or 10.x.x.x) is in the Internal Zone. This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.
- "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
- Yes, I really want to delete the selected entry (enter to select yes)
- "Alt-t" again for HTTPS and delete it as well.
- DO NOT remove Secure Shell Server (that's SSH!!)
- Do not remove SSH from this list until you have verified that you have full access to the web page, but no one else does. Leaving SSH available during this process, until after the full "whitelist" is confirmed, is the best way to be sure you don't lock yourself out!
Advanced Services (inside Allowed Services)
- "Alt-d" to select the Additional Allowed Ports popup
- This section should have NO entries when you're finished!
- "Tab" until you have highlighted the TCP Ports.
- Backspace to delete the ports listed.
- "Tab" until you have highlighted the UDP Ports (10000:20000 4569 5060:5069)
- Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
- "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
- "Alt-N" for "Next" to accept changes made
- "Alt-F" for "Finish" to accept changes made again
- "Alt-Q" to quit and return to Command Line mode
- This is for adding CLIENT IP addresses and ranges, which are distinct from the "Company" IPs added directly in the conf files. Use it for IP addresses such as roaming agents or new call centers; they can be easily removed without altering a conf file.
- Firewall Zone: External Zone
- "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.
Sample IP range:
Save and exit and verify
- "Alt-N" for "Next"
- "Alt-F" for "Finish" (or just "Enter")
Verify that the Company IP addresses appear first in "INPUT" and any client IP addresses appear TWICE in "input_ext"
- Note: Domain Names will be translated to IP addresses automatically.
ls /proc/net/xt_recent/GOOD -l
Verify that the file is world read/write (rwxrwxrwx)
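The rule-order check above, automated as an added example that is not part of the original page. It works on "iptables-save" style text passed in as a string; SAMPLE_DUMP is constructed, with the office hostnames already resolved to documentation-range placeholder addresses, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: automates the rule-order check
# above against "iptables-save" style text. SAMPLE_DUMP is constructed, with
# the office hostnames already resolved to documentation-range placeholders.
SAMPLE_DUMP='*filter
-A INPUT -s 203.0.113.12/32 -j ACCEPT
-A INPUT -s 203.0.113.11/32 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A input_ext -m recent --rcheck --name GOOD --mask 255.255.255.255 --rsource -j ACCEPT
-A input_ext -s 198.51.100.0/24 -p tcp -j ACCEPT
-A input_ext -s 198.51.100.0/24 -p udp -j ACCEPT
COMMIT'

# company_rules_first DUMP N: succeed if the first N rules of INPUT are plain
# "-s ADDR -j ACCEPT" entries, i.e. the company addresses precede everything else
company_rules_first() {
  n=$(printf '%s\n' "$1" | grep -- '^-A INPUT ' | head -n "$2" |
      grep -c -- '^-A INPUT -s [0-9./]* -j ACCEPT$')
  [ "$n" -eq "$2" ]
}

# client_accepted_twice DUMP CIDR: succeed if CIDR has both a tcp and a udp
# ACCEPT in input_ext (the two rules the YaST step adds per client)
client_accepted_twice() {
  for proto in tcp udp; do
    printf '%s\n' "$1" |
      grep -q -- "^-A input_ext -s $2 -p $proto -j ACCEPT$" || return 1
  done
}

# good_list_checked DUMP: succeed if input_ext consults the GOOD recent list
good_list_checked() {
  printf '%s\n' "$1" |
    grep -q -- '^-A input_ext .*-m recent --rcheck --name GOOD.* -j ACCEPT$'
}

# On a live box: DUMP=$(iptables-save); company_rules_first "$DUMP" 3 && ...
```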
REBOOT and Verify Access
- Enter the same web page into the megaproxy service. Verify that the proxy can no longer reach the login page, while you still can from an authorized IP address.
Poundteam Standard Installation Stops here
Connections still occurring for systems NOT in GoodGuy list
When Asterisk is monitoring an extension for round-trip packet time (qualify=yes, or qualify=100 for a 100NS limit), it creates an internal database entry under /SIP/Registry for each phone. This internal database is persistent and is not cleared by a reboot; deleting phones from sip.conf does not delete these entries. Asterisk will load these entries to ?? and use the information to "ping" each of the SIP phones in question (to check lag time) on a scheduled basis.
Conntrack (the iptables module that tracks the "state" of a connection) treats that outbound (and unregulated!) packet as a connection request, so the flow becomes "established". Any packet coming back on the same port from the same SIP phone is then accepted, because that IP/port is now "established", even though there is no entry for that phone in sip.conf and no "Good Guys" listing for that system.
asterisk -rx "database deltree SIP/Registry"
- Followed by a reboot.
- After this, any phones added to that database will be fresh from the present sip.conf files
- Remember that the qualify=yes only takes effect AFTER the SIP system knows the IP to reach the phone.
- For an "Established" connection to be created from a static IP sip device, port 5060 must be pointed to that specific phone. Otherwise, you must create a good guy entry for the entire IP manually.
Ordinarily this is not an issue, as anyone in the database should be a "friend", but if you are trying to cut off prior users of the system this may be a necessary step.