Debian Install - Firewall issue

Discussion in '3CX Phone System - General' started by complex1, Mar 3, 2017.

Thread Status:
Not open for further replies.
  1. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    Hi,

    This is the first time I have installed Debian with the ISO provided by 3CX.
    All went well, but I want to use another listen port, not 5060.
    But after changing this port in 3CX and rebooting the system, the firewall checker failed.
    It expects port 5060 to be open, but it is now another port.
    I have read that something has to be changed in iptables(?), but I don't know how or where I can find this table.
    All ports can be left as default, except port 5060.
    For me Windows is no problem, but Linux is a different story.

    Hope somebody can advise me how to do this.

    Thanks for the help.
     
  2. mainc

    Joined:
    Jul 27, 2011
    Messages:
    3
    Likes Received:
    0
    I've been having a firewall failing even when we turn off our UTM's firewall COMPLETELY! There has also been no help from 3CX whatsoever. Very disappointed over here and I welcome contact from 3CX. Very buggy Linux distro at this point in time. Thinking about going with a different platform at this point.
     
  3. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    I am having the same issue, couldn't find any solution yet.
     
  4. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    448
    Likes Received:
    20
  5. andreaschr

    andreaschr Support Team
    Staff Member 3CX Support

    Joined:
    Oct 26, 2015
    Messages:
    93
    Likes Received:
    6
    Hi there,

    complex1:

    Just run the following commands from the terminal:

    for UDP
    iptables -I INPUT 1 -i eth0 -p udp --dport [_PORT_] -j ACCEPT
    for TCP
    iptables -I INPUT 1 -i eth0 -p tcp --dport [_PORT_] -j ACCEPT

    example for port 6060:

    iptables -I INPUT 1 -i eth0 -p udp --dport 6060 -j ACCEPT
    iptables -I INPUT 1 -i eth0 -p tcp --dport 6060 -j ACCEPT

    That's all, but if you need to update the previous iptables rules, close port 5060 and open 6060, that requires more steps.

    mainc: I don't understand your comment
    "Very buggy Linux distro at this point in time"
    If you have any issues please feel free to reach out to 3CX Support.
     
  6. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    Hi andreaschr,

    Thank you very much for your answer.
    These commands are exactly what I was looking for.
    Now I can use them with confidence, without the iptables rules becoming corrupted.

    Thank you.
     
  7. m_mellon

    Joined:
    Mar 13, 2017
    Messages:
    2
    Likes Received:
    0
    The 3CX-provided Deb distro leaves out a few desired options. One of which is the ability to access the server as a user. While the OS setup allows you to create a root user, logins are not enabled for said root user. It always bounces back, both via SSH and by hooking a monitor and keyboard up to the physical box. Also, it does not allow the option to choose a disk to install GRUB on. In my experience, the OS installer automatically picks /dev/sda, which turns out to be the Deb Live disk. It errored out each time and I ended up having to go with LiLo.

    Among other differences, using a standard Debian ISO provides me the option to build the server as it should be, and THEN I install 3CX over top.

    And yes, it is a dedicated server. No other roles occupy this server.
     
  8. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    I added this to iptables, but after a restart, I see it has not been saved.
     
  9. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    752
    Likes Received:
    38
    @Elvin Mammadov

    After changing the iptables rules, try this command:

    iptables-save > /etc/iptables/rules.v4
     
  10. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    Thank you very much. I could save iptables. I also tried these options to open a TCP and UDP port in iptables:
    1. iptables -I INPUT -p tcp --dport 5062 --syn -j ACCEPT
    2. iptables -I INPUT -p udp --dport 5062 -j ACCEPT

    Is this method the same as the one you offered?
    iptables -I INPUT -p tcp --dport 5062 --syn -j ACCEPT = iptables -I INPUT 1 -i eth0 -p udp --dport 6060 -j ACCEPT ?
     
  11. Sopock

    Sopock Member

    Joined:
    Jul 11, 2012
    Messages:
    448
    Likes Received:
    20
  12. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    I mean, you offered the following methods to open a port in iptables:
    iptables -I INPUT 1 -i eth0 -p udp --dport 6060 -j ACCEPT
    iptables -I INPUT 1 -i eth0 -p tcp --dport 6060 -j ACCEPT

    But I opened ports with this method:
    iptables -I INPUT -p tcp --dport 6060 --syn -j ACCEPT
    iptables -I INPUT -p udp --dport 6060 -j ACCEPT

    I wonder, are these methods the same thing, the one you offered us and the one I did?
     
  13. andreaschr

    andreaschr Support Team
    Staff Member 3CX Support

    Joined:
    Oct 26, 2015
    Messages:
    93
    Likes Received:
    6
    Hi,
    Elvin Mammadov:

    The difference in the commands is that the one with -i eth0 opens the port only for the interface eth0.
    You also specified --syn, which means you accept only TCP packets with flags FIN,SYN,RST,ACK/SYN.

    m_mellon:

    We have made this ISO as simple as possible so that even clients with no Linux experience can install it.
    If we included everything from the full ISO, it would be the same with just 2 extra commands.
    Please feel free to reach out to 3CX Support and explain the issues you have to them.
     
  14. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    I have added this to iptables:
    1. iptables -I INPUT -p tcp --dport 5062 --syn -j ACCEPT
    2. iptables -I INPUT -p udp --dport 5062 -j ACCEPT
    3. iptables-save > /etc/iptables/rules.v4

    Everything is okay. I checked that these ports are open (http://www.yougetsignal.com/tools/open-ports/). We can call with our deskphones and softphones on computers without any problem. But in our internal office WIFI, while calling somewhere, we can't hear each other's voice. Is it because of the port rules added above?
    1. How can I delete these added ports?
    2. How to turn off firewall in 3CX Linux Debian?
     
    #14 Elvin Mammadov, Mar 17, 2017
    Last edited: Mar 17, 2017
  15. andreaschr

    andreaschr Support Team
    Staff Member 3CX Support

    Joined:
    Oct 26, 2015
    Messages:
    93
    Likes Received:
    6
    Can you run the firewall checker of the PBX?
    Go to Management Console -> Dashboard -> Firewall Check

    Let me know what the results are.
     
  16. Elvin Mammadov

    Joined:
    Feb 3, 2017
    Messages:
    42
    Likes Received:
    1
    I ran the firewall checker, everything is green.
    Then, just in case, I changed the SIP port from 5062 to 5065 in the 3CX network settings, but didn't add this port to iptables in Linux. Then I tested calls to outside via WIFI, and I began to hear voices.
    Could you please help me with how to change the current port to another port in iptables? I know how to do it in Windows Firewall, but Linux is different. If it is not possible, do I have to delete the current port and add port 5065?

    I also want to mention that, by default, --syn has been written for ports 5060,5061,5090, which accept packets with flags FIN,SYN,RST,ACK/SYN for TCP.
    I copied this from iptables:
    -A INPUT -p udp -m udp --dport 5062 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 5062 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    -A INPUT -p tcp -m multiport --dports 80,443,5000,5001,5015,5060,5061,5090 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT -p udp -m multiport --dports 69,5060,5090,7000:9500 -j ACCEPT
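The thread leaves the "more steps" from post 5 (moving SIP off 5060 instead of just opening a second port), the persistence step from post 9, the --syn explanation from post 13 and the delete/port-change questions from posts 14 and 16 spread across several replies. The script below is an added example written for this page; it is not from the thread, from 3CX or from the 3CX ISO. It rewrites an iptables-save dump offline, so it can be reviewed before anything is applied: it drops the ad-hoc single-port rules for a port (the 5062 rules added in post 14) and replaces a port inside the multiport --dports lists (5060 in the default 3CX rules) with the new SIP port. The dump embedded in the script is constructed from the -A INPUT lines quoted in the post above; the chain policies and the ports 5062 and 5065 are sample values taken from this thread, not from any real installation.

```shell
#!/bin/sh
# Added example: rewrite an iptables-save dump to move the SIP port.
# Not part of the 3CX forum thread or of any 3CX tooling.

# Constructed sample dump in the shape quoted in the thread. The -A INPUT lines
# are the ones posted above; the policy lines are made up for the example.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5062 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443,5000,5001,5015,5060,5061,5090 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 69,5060,5090,7000:9500 -j ACCEPT
COMMIT'

# valid_port PORT: succeed only for an integer in 1..65535, so a typo never
# ends up inside a rule that is later fed to iptables-restore.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# drop_single_port_rules PORT < dump > dump
# Removes the stand-alone "-m tcp --dport PORT" / "-m udp --dport PORT" rules,
# i.e. the kind added with "iptables -I INPUT -p tcp --dport PORT --syn -j ACCEPT".
# "--dports" (multiport) lines are left alone because of the trailing space match.
drop_single_port_rules() {
    valid_port "$1" || return 2
    awk -v p="$1" 'index($0, " --dport " p " ") == 0 { print }'
}

# swap_sip_port OLD NEW < dump > dump
# Inside every "--dports a,b,c" list, replaces the entry equal to OLD with NEW.
# Entries are compared whole, so ranges such as 7000:9500 and ports that merely
# contain the digits of OLD are never touched. Other lines pass through unchanged.
swap_sip_port() {
    valid_port "$1" && valid_port "$2" || return 2
    awk -v old="$1" -v new="$2" '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "--dports") {
                n = split($(i + 1), ports, ",")
                for (j = 1; j <= n; j++)
                    if (ports[j] == old) ports[j] = new
                joined = ports[1]
                for (j = 2; j <= n; j++) joined = joined "," ports[j]
                $(i + 1) = joined
            }
        }
        print
    }'
}

# Demo: move SIP from 5060 to 5065 and drop the ad-hoc 5062 rules. The result
# goes to stdout for review; nothing is applied to the running firewall here.
printf '%s\n' "$SAMPLE_RULES" | drop_single_port_rules 5062 | swap_sip_port 5060 5065
```

To use it on a real box, feed it the live dump (`iptables-save | drop_single_port_rules 5062 | swap_sip_port 5060 5065 > /tmp/rules.v4`), read the output, then `iptables-restore < /tmp/rules.v4` and persist it the way post 9 does with `iptables-save > /etc/iptables/rules.v4`. Two details the thread touches on: `--syn` is iptables shorthand for `--tcp-flags FIN,SYN,RST,ACK SYN`, which is why the dump shows the long form, and `-I INPUT` without a number inserts at position 1, so the only real difference between the two command styles compared in posts 10 and 12 is the `-i eth0` interface restriction. A single live rule is removed with `iptables -D` using exactly the same match as the `-I` that created it.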
     