fusionPBX를 실행하는 Debian 서버가 있는데 다음을 사용하여 설치했습니다.이것공식 스크립트. nginx를 사용하여 애플리케이션을 호스팅합니다. 동일한 시스템에서 실행되는 다른 서버를 지원하기 위해 nginx의 구성 파일에 다른 서버(Django)를 추가해 보았습니다. 그래도 Django 서버에 접속할 수 없습니다.
다른 컴퓨터의 이 컴퓨터에 있는 nmap이 다음과 같이 말합니다.
$ nmap host_name
Host is up (0.00044s latency).
Not shown: 991 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5000/tcp closed upnp
5060/tcp open sip
5061/tcp closed sip-tls
5080/tcp open onscreen
5087/tcp closed biotic
7443/tcp open oracleas-https
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
같은 머신의 nmap
# nmap localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-17 17:47 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000060s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
443/tcp open https
5432/tcp open postgresql
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8021/tcp open ftp-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
포트 8000을 열고 싶습니다. 여기에 iptables의 출력이 있습니다.
# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
sip-auth-fail all -- 0.0.0.0/0 0.0.0.0/0
sip-auth-ip all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:5060:5091
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5091
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:32768
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain sip-auth-fail (1 references)
target prot opt source destination
DROP all -- 128.90.90.74 0.0.0.0/0
DROP all -- 128.90.170.155 0.0.0.0/0
DROP all -- 128.90.170.172 0.0.0.0/0
DROP all -- 128.90.161.188 0.0.0.0/0
DROP all -- 128.90.168.31 0.0.0.0/0
DROP all -- 128.90.140.253 0.0.0.0/0
DROP all -- 128.90.170.116 0.0.0.0/0
DROP all -- 128.90.90.7 0.0.0.0/0
Chain sip-auth-ip (1 references)
target prot opt source destination
DROP all -- 128.90.62.144 0.0.0.0/0
DROP all -- 128.90.90.74 0.0.0.0/0
DROP all -- 128.90.170.155 0.0.0.0/0
DROP all -- 128.90.170.172 0.0.0.0/0
DROP all -- 128.90.64.207 0.0.0.0/0
DROP all -- 128.90.168.101 0.0.0.0/0
DROP all -- 128.90.170.65 0.0.0.0/0
DROP all -- 103.27.227.165 0.0.0.0/0
DROP all -- 128.90.172.177 0.0.0.0/0
DROP all -- 128.90.161.188 0.0.0.0/0
DROP all -- 128.90.109.237 0.0.0.0/0
DROP all -- 128.90.79.193 0.0.0.0/0
DROP all -- 31.6.58.26 0.0.0.0/0
DROP all -- 128.90.112.152 0.0.0.0/0
DROP all -- 103.27.227.179 0.0.0.0/0
DROP all -- 128.90.168.31 0.0.0.0/0
DROP all -- 128.90.140.253 0.0.0.0/0
DROP all -- 45.254.247.122 0.0.0.0/0
DROP all -- 128.90.170.116 0.0.0.0/0
DROP all -- 128.90.90.7 0.0.0.0/0
기본적으로 nginx를 실행하고 있습니다. 기본 구성은 다음과 같습니다.
server {
listen 127.0.0.1:80;
server_name 127.0.0.1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
server {
listen 80;
server_name fusionpbx;
#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}
#rewrite rule - send to https with an exception for provisioning
if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
rewrite ^(.*) https://$host$1 permanent;
break;
}
#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}
#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
#Snom
rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
server {
listen 443 ssl;
#listen 443 ssl http2;
server_name fusionpbx;
ssl_certificate /etc/ssl/certs/nginx.crt;
ssl_certificate_key /etc/ssl/private/nginx.key;
#ssl_protocols TLSv1.2 TLSv1.3;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:40m;
ssl_session_timeout 2h;
ssl_session_tickets off;
#redirect letsencrypt to dehydrated
location ^~ /.well-known/acme-challenge {
default_type "text/plain";
auth_basic "off";
alias /var/www/dehydrated;
}
#REST api
if ($uri ~* ^.*/api/.*$) {
rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
break;
}
#message media
rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;
#algo
rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
#mitel
rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
#grandstream
rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
#grandstream-wave softphone by ext because Android doesn't pass MAC.
rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
#aastra
rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
#rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
#yealink
#rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
#polycom
rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
#rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
#cisco
rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
#Escene
rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
#Vtech
rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
#Digium
rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
client_max_body_size 80M;
client_body_buffer_size 128k;
location / {
root /var/www/fusionpbx;
index index.php;
}
location ~ \.php$ {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Allow the upgrade routines to run longer than normal
location = /core/upgrade/index.php {
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 15m;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
}
# Disable viewing .htaccess & .htpassword & .db & .git
location ~ .htaccess {
deny all;
}
location ~ .htpassword {
deny all;
}
location ~^.+.(db)$ {
deny all;
}
location ~ /\.git {
deny all;
}
location ~ /\.lua {
deny all;
}
location ~ /\. {
deny all;
}
}
내가 추가한 블록
server {
listen 8000;
server_name 'my_server ip';
location = /favicon.ico { access_log off; log_not_found off; }
location /static/ {
root /home/freeswitch/freeswitch_api/django_api;
}
location / {
include proxy_params;
proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
}
}
설치 중에 fusionPBX 스크립트는 몇 가지 명령을 실행하여 iptables를 설정합니다. 스크립트는 다음과 같습니다.
#!/bin/sh
#move to script directory so all relative paths work
cd "$(dirname "$0")"
#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh
#send a message
verbose "Configuring IPTables"
#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
apt-get install -y iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw
#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
그런 다음 포트 8000을 열려고 다음 명령을 실행했습니다.
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
내 netstat 출력은 다음과 같습니다.
# sudo netstat -tulpn
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:43171 0.0.0.0:* LISTEN 1123/node
tcp 0 0 94.237.97.9:5060 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 94.237.97.9:5066 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 94.237.97.9:7443 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 127.0.0.1:8021 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 528/sshd: /usr/sbin
tcp 0 0 127.0.0.1:35223 0.0.0.0:* LISTEN 1000/node
tcp 0 0 94.237.97.9:5080 0.0.0.0:* LISTEN 1193/freeswitch
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 541/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 878/exim4
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 2929/nginx: master
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 2176/python
tcp6 0 0 2a04:3542:1000:910:5060 :::* LISTEN 1193/freeswitch
tcp6 0 0 :::22 :::* LISTEN 528/sshd: /usr/sbin
tcp6 0 0 ::1:5432 :::* LISTEN 541/postgres
tcp6 0 0 ::1:25 :::* LISTEN 878/exim4
udp 0 0 0.0.0.0:68 0.0.0.0:* 476/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 443/dhclient
udp 0 0 0.0.0.0:161 0.0.0.0:* 525/snmpd
udp 0 0 94.237.97.9:5060 0.0.0.0:* 1193/freeswitch
udp 0 0 94.237.97.9:5080 0.0.0.0:* 1193/freeswitch
udp6 0 0 2a04:3542:1000:910:5060 :::* 1193/freeswitch
여전히 운이 좋지 않습니다. 다른 우분투 서버에서 동일한 구성을 사용하고 작동하므로 nginx 구성이 정확해야 합니다. 내가 도대체 뭘 잘못하고있는 겁니까?
답변1
문제를 해결했습니다. 같은 문제를 겪을 수 있는 사람을 위해 여기에 해결책을 남겨 두겠습니다. 사실 아주 간단했습니다. FsuionPBX 설치 방법과 iptables 구성 방법을 살펴보았습니다. 스크립트는 다음과 같습니다.
#!/bin/sh
#move to script directory so all relative paths work
cd "$(dirname "$0")"
#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh
#send a message
verbose "Configuring IPTables"
#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
apt-get install -y iptables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw
#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
이제 다른 포트를 열려면 iptable 명령을 실행하기만 하면 됩니다.
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
다음을 사용하여 규칙을 저장합니다.
sudo /sbin/iptables-save > /etc/iptables/rules.v4
루트로 실행해야 합니다. 그렇지 않으면 권한 거부 오류가 발생합니다.
권한 오류가 발생하는 경우 sudo su -규칙을 저장하기 전에 실행하는 것이 좋습니다.