iamhere (Member, joined 2013-01-26, Canada)

[PBX] Port Knocking PBX from Router

I've recently set up a PBX in the cloud and everything works fine. I've locked down the system and I've been using port knocking to enable access for my VoIP phones.

Problem is, my IP changes occasionally (not very often but it happens). I would like to automate the port knocking process from my router whenever my IP changes (or likely every 5 minutes).

Anyone know of a command available on a Tomato by Shibby router that will knock a given port number?

Thanks!
Stewart (Member, joined 2005-07-13)

How often does your IP change?

If the IP address changes as a result of the modem losing sync, any calls in progress will be dropped, even if you fix the firewall issue.

If line noise at your location is causing sync loss, fix your wiring / filter setup. If the trouble is in the outside plant, get your ISP to fix it.

With proper setup, a brief sync loss should not result in an IP address change. The modem should be set as a dumb bridge, with PPPoE (or whatever your ISP uses) done in the router.

If your knocking scheme will work with TCP, Tomato already has a built-in netcat. If you need UDP, you could build one or modify busybox. »www.linuxquestions.org/q ··· -942766/

If you have a constantly running PC, Mac or Linux box at your location, you could run a knocking script there.

Or, you could run a script on the PBX. For example, when your phones get flagged as unreachable (or periodically), it would check the dynamic DNS name of your phones and update iptables accordingly.
iamhere (Member, joined 2013-01-26, Canada)

The IP changes maybe once or twice a month. Usually as a result of Bell Canada (not my provider but it's their infrastructure) doing some maintenance affecting my DSL.

My modem is in bridge mode with everything handled by my Asus running the latest Tomato by Shibby.

I'll look into using netcat; I'm currently playing with wget to see if I can get that going.

I have a few boxes that are always on behind the router but I'm just trying to eliminate as many points of failure as possible. With Murphy's Law at work, this thing will go down on a weekend when I'm away and my wife will be stuck without a phone... not a good prospect. She knows if the "internet" is down the phone won't work but I'm trying to make sure that when the "internet" is up the phones will work.

My old setup has the PBX running on a beaglebone and that's been flawless. The new setup will allow us to receive voicemails even if our internet is down.
Stewart (Member, joined 2005-07-13)

Assuming that the dynamic DNS client on your Tomato works reliably, I'd think that a script on the PBX would be most reliable, because if that's down you're SOL anyhow.

However, if the knock receiver can deal with TCP, then wget should also be fine. Ideally, you want the knocked ports "closed" rather than "filtered", i.e. it replies to incoming SYN with RST. Otherwise, each wget will retry for a long time before it fails and you'll have to adjust the receiving timers to allow for that.

If you have trouble getting a knock script running on Tomato, you might run it on two PCs that are always up, taking care that they don't interfere with each other.
iamhere (Member, joined 2013-01-26, Canada)

Thanks for the help!!

I believe I got it going with nc... couldn't get it to work reliably with wget.

I'll keep an eye on things over the next few hours / days to make sure it continues to work.
Stewart (Member, joined 2005-07-13)

If you unplug the phone line from your modem for longer than the PPP keepalive timeout (2 minutes should be enough), then when you plug it back in, the router should get a new IP address and you can see if it knocks properly.
iamhere (Member, joined 2013-01-26, Canada)

Just reviewed my logs and it's all good.

In case someone else wants to do it this way, this is the command I put into my scheduler on the router:

nc -i2 -w3 server.ip.address port#1
nc -i2 -w3 server.ip.address port#2
nc -i2 -w3 server.ip.address port#3
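The three nc lines above are the poster's own scheduler entry. What follows is an added example, not from the thread, of how a Tomato scheduler job could wrap that same nc invocation (same -i2 -w3 flags) so the knock is sent only when the WAN address has changed since the last run, plus a "force" mode for an unconditional re-knock. The PBX host name, the port sequence, the state file path and the use of "nvram get wan_ipaddr" to read the WAN address are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): knock the PBX from a Tomato
# scheduler job, but only when the WAN address differs from the last run.
# All values below are placeholders/assumptions for illustration.
PBX="${PBX:-pbx.example.net}"          # assumed PBX address
KNOCK_PORTS="${KNOCK_PORTS:-7000 8000 9000}"   # assumed knock sequence, in order
STATE="${STATE:-/tmp/knock.lastip}"    # last address knocked from (lost on reboot)
NC="${NC:-nc}"                         # busybox nc on Tomato; overridable for testing

# Current WAN address. Assumes Tomato's nvram variable wan_ipaddr is populated.
current_wan_ip() {
    nvram get wan_ipaddr 2>/dev/null
}

# Succeeds (exit 0) when $1 differs from the address recorded in $STATE.
ip_changed() {
    ip="$1"
    last=""
    [ -r "$STATE" ] && last=$(cat "$STATE")
    [ "$ip" != "$last" ]
}

# Send the knock sequence: one short TCP connect per port, in order.
# -i2 delays between sends and -w3 caps each connect at 3 s, exactly the flags
# used in the thread, so a "filtered" port cannot stall the whole job.
knock() {
    host="$1"; shift
    for port in "$@"; do
        "$NC" -i2 -w3 "$host" "$port" </dev/null >/dev/null 2>&1
    done
}

main() {
    ip=$(current_wan_ip)
    [ -n "$ip" ] || exit 1             # no WAN address yet; the next run will retry
    if ip_changed "$ip"; then
        knock "$PBX" $KNOCK_PORTS
        printf '%s\n' "$ip" > "$STATE"
        logger -t knock "WAN address now $ip, knock sent to $PBX"
    fi
}

# Scheduler entry: "sh /jffs/knock.sh run" every 5 minutes; "force" re-knocks
# regardless of the recorded address (e.g. if the server-side rule expired).
case "${1:-}" in
    run)   main ;;
    force) rm -f "$STATE"; main ;;
esac
```

Keeping the state file on a RAM filesystem means the first scheduler run after a reboot always knocks, which is the desired behaviour since the router usually gets a fresh lease then anyway. If the PBX side drops knocked-in rules after a timeout, schedule the "force" form at that interval instead of relying on change detection alone.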
iamhere (Member)

Thought I would post an update, now that it's been a few months since I've implemented this.

It works well but isn't bullet proof. In the last few weeks I had an instance where the port knocking from the router to the server stopped working and it took me a couple of days to notice. The phone still mostly worked so we didn't notice until I had to investigate the issues.

In response to this, I wrote a server side script that checks to ensure the client IP is listed in the iptables. When it goes missing, the script adds it and sends me an e-mail to investigate.

Both methods together should add another layer of reliability and let me know when I'm having issues.
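An added example, not the poster's script, of the server-side watchdog described in this post and suggested earlier in the thread: resolve the phones' dynamic DNS name, check whether an ACCEPT rule for that address is present in iptables, and if not, add it and send an e-mail. The DDNS name, SIP port, chain name and mail address are placeholders, and the use of getent, mail and logger on the PBX host is an assumption. The check parses "iptables -S" output so the matching logic can be exercised offline; on the live system "iptables -C" with the same rule would do the same check.

```shell
#!/bin/sh
# Added example (not the poster's script): PBX-side firewall watchdog.
# Placeholder values; override via the environment or edit in place.
DDNS_NAME="${DDNS_NAME:-phones.example.dyndns.org}"   # assumed DDNS name of the phones
SIP_PORT="${SIP_PORT:-5060}"                         # assumed SIP signalling port
CHAIN="${CHAIN:-INPUT}"                              # chain holding the phone rule
MAILTO="${MAILTO:-admin@example.net}"                # assumed alert recipient

# Resolve the DDNS name to one IPv4 address; prints nothing on failure.
resolve_ip() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Read an `iptables -S CHAIN` listing on stdin; succeed if an ACCEPT rule for
# UDP from source $1 to port $2 is present. Dots in the address are escaped so
# 203.0.113.10 cannot match 203a0b113c10.
rule_present() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q -- "-s ${esc}/32 .*-p udp .*--dport $2 .*-j ACCEPT"
}

# Insert the missing rule at the top of the chain so it precedes any DROP.
add_rule() {
    iptables -I "$CHAIN" 1 -s "$1" -p udp --dport "$2" -j ACCEPT
}

notify() {
    printf 'Firewall rule for %s (%s) was missing on %s and has been re-added.\n' \
        "$DDNS_NAME" "$1" "$(hostname)" | mail -s "PBX firewall watchdog" "$MAILTO"
}

main() {
    ip=$(resolve_ip "$DDNS_NAME")
    if [ -z "$ip" ]; then
        logger -t pbx-watchdog "could not resolve $DDNS_NAME"
        exit 1
    fi
    if iptables -S "$CHAIN" | rule_present "$ip" "$SIP_PORT"; then
        exit 0                      # rule present, nothing to do
    fi
    logger -t pbx-watchdog "rule for $DDNS_NAME ($ip) missing, re-adding"
    add_rule "$ip" "$SIP_PORT" && notify "$ip"
}

# Cron entry: */5 * * * * /usr/local/sbin/pbx-watchdog.sh run
case "${1:-}" in run) main ;; esac
```

Because the script only ever adds rules, entries for previous addresses accumulate over time; the e-mail is the cue to prune them, or a second pass could delete any rule in the chain whose source is not the currently resolved address. A failed DNS lookup exits without touching the firewall so a flaky resolver cannot cause spurious changes.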