This is done with following dialplan "(xx.<:@gw0>|<#9,:>xx.)"
If a call from PSTN is not answered within 20 sec the call should be redirected via voip (see CFNA Solution).
Because my SPA-3102 is behind a firewall i use it as a bridge.
Firewall
modprobe ip_conntrack_sip ports=9060; modprobe ip_nat_sip
iptables -A FORWARD -p udp --dport 9060 -m state --state NEW,ESTABLISHED -j ACCEPT
With this settings i don't need "NAT Keep Alive" and Register every 3600 sec (1 hour) is ok.
Usually udp connectiontracking has a timeout of 180 sec, but ip_conntrack_sip reads the sip content and set the timeout (3600).
My Settings
WAN
Connection Type: DHCP
Enable WAN Web Server: yes
Lan Setup
Networking Service: Bridge
Enable DHCP Server: no
SIP
RFC 2543 Call Hold: no
RTP Port Min: 9000
RTP Port Max: 9059
Provisioning
Provision Enable: no
Upgrade Enable: no
Regional
Ring1 Cadence: 60(1/4)
Ring Waveform: Sinusoid
Ring Frequency: 50
Ring Voltage: 60
CWT Frequency: 420@-20
FXS Port Impedance: 270 + (750 || 150nF)
Caller ID Method: ETSI FSK
Caller ID FSK Standard: v.23
Line 1
Make Call Without Reg: Yes (if no network connected)
Proxy: 1.2.3.4:9060
User ID: sipuid
Password: xxxx
Preferred Codec: G729a
G7* Enable: no
Dial Plan: (xx.<:@gw0>|<#9,:>xx.)
PSTN Line
Make Call Without Reg: Yes
User ID: sipuid
Password: xxxx
Preferred Codec: G729a
G7* Enable: no
PSTN CID For VoIP CID: Yes
medium Min CPC Duration: 0.25
Disconnect Tone: 440@-30,440@-30;2(0.4/0.4/1+2)
FXO Port Impedance: 270 + (750 || 150nF)
On-Hook Speed: 3ms
Line-In-Use Voltage: 25
Current Limiting Enable: Yes
Ring Validation Time: 150 ms
Ring Indication Delay: 0
Ring Timeout: 650 ms
Without this "Ring Timings" after "PSTN Ring Timeout" the call to Line 1 got CANCELED also immediately the following call to VOIP (don't know why - saw it in traces to syslog).
With "PSTN Ring Timeout: 20" i also saw no cancel but that's a dirty workaround for me (better are a correct "Ring Timings").
Enable Traces
System
Syslog Server: 1.2.3.4
Debug Server: 1.2.3.4
Debug Level: 3
Line 1 / PSTN Line
SIP Debug Option: full
CFNA Solution 1:
User 1
Cfwd No Ans Dest: 12345678
Cfwd No Ans Delay: 20
PSTN Line
PSTN Answer Delay: 40 (20 sec Line 1 and 20 sec voip => after that forced hangup)
disable via phone with *93
enable via phone with *92[Number as dialed via dialplan(use #9 for voip)]
Drawback:
* after disabling with *93 the number is deleted
* enable with *92#9NUMBER (without #9 PSTN is used according to Dialplan (xx.<:@gw0>|<#9,:>xx.) it would be NUMBER@gw0)
* only G711 Codec supported (because PSTN calls Line 1 and then only G711 seams to be supported)
CFNA Solution 2:
PSTN Line
Dial Plan 8: (S0<:12345678@1.2.3.4:9060>)
PSTN Caller Default DP: 8
PSTN Answer Delay: 20
Drawback: you cannot dis/en-able via phone
CFNA Solution 3:
Use a local asterisk where you can connect sip clients rinnging at the same time when a call arrives on the SPA-3102
[ view entry ] ( 1184 views ) | print article
I want to rsync on my local-host via ssh from a remote host without a ssh enabled root account but full access to the whole filesystem.
local-host:
ssh-keygen -t rsacopy ~/.ssh/id_dsa.pub to remote-host:/home/rsyncuser/.ssh/authorized_keys
rsync files with ssh:
rsync -vaHxr --numeric-ids --delete --rsync-path=rsync_wrapper.sh \
-e "ssh -c arcfour -o Compression=no -x" \
rsyncuser@remote-host:REMOTEDIR LOCALDIR
remote-host (source of files to rsync):
groupadd -g 3001 rsyncuser/home/rsyncuser/.ssh/authorized_keys:
useradd -u 3001 -g rsyncuser -s /bin/bash -m rsyncuser
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh"limit access with from (optional).
ssh-dss 012345678...
On sucessfully ssh login command is executed.
/home/rsyncuser/validate-rsync.sh:
#!/bin/sh/usr/bin/rsync_wrapper.sh:
case "$SSH_ORIGINAL_COMMAND" in
*\&*)
echo “Rejected”
;;
*\;*)
echo “Rejected”
;;
*\(*)
echo “Rejected”
;;
*\{*)
echo “Rejected”
;;
*\<*)
echo “Rejected”
;;
*\`*)
echo “Rejected”
;;
rsync\ --server*)
$SSH_ORIGINAL_COMMAND
;;
*)
echo "Rejected"
;;
esac
#!/bin/sh/etc/sudoers:
/usr/bin/sudo /usr/bin/rsync "$@";
rsyncuser ALL = NOPASSWD: /usr/bin/rsync
[ view entry ] ( 831 views ) | print article
dnssec-keygen -a RSAMD5 -b 1024 -n HOST -k -r /dev/urandom home.domain.org
put content of XXX.key into your zonefile
move xxx.key and xxx.private to your client with sftp
/etc/ppp/ip-up.d/ip_update:
#!/bin/sh
TTL=60
SERVER='NAMESERVER'
ZONE='DOMAIN'
HOSTNAME='HOSTNAME.DOMAIN'
KEYFILE='PATH/KEYFILENAME without endings (.key)'
[ -n "$PPP_LOCAL" ] || exit 0
logger "ip_update: Updating dynamic IP $PPP_LOCAL on $SERVER"
RESULT=$(nsupdate -v -k $KEYFILE 2>&1 << EOF
server $SERVER
zone $ZONE
update delete $HOSTNAME A
update add $HOSTNAME $TTL A $PPP_LOCAL
send
EOF)
RC=$?
[ $RC != 0 ] && \
logger "ip_update $PPP_LOCAL on $SERVER failed ($RC/$RESULT)"
exit $RC
Manual update a zonefile with bind 9.3:
rndc freeze zone
edit the zone
rndc unfreeze zone
References:
secure-ddns-howto
running-a-secure-ddns-service-with-bind
[ view entry ] ( 587 views ) | print article
* chrooted
* chaos, internal and external zone
* TSIG updates/zonetransfers for master/slave
apt-get install bind9
/etc/init.d/bind9 stop
/etc/default/bind9: OPTIONS="-u bind -t /var/lib/named"
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mkdir -p /var/lib/named/var/log
cp /etc/localtime /var/lib/named/etc
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
/etc/default/syslogd: SYSLOGD="-a /var/lib/named/dev/log"
dnssec-keygen -a hmac-md5 -b 512 -n host linux.lan
/etc/bind/named.conf on master AND slave:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
/etc/bind/named.conf.options on master AND slave:
acl "internal" { 192.168.0.2; 127.0.0.1; };
acl "trusted" { internal; };
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
46.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
192.0.2.0/24;
! 192.168.0.2; 192.168.0.0/16;
197.0.0.0/8;
198.18.0.0/15;
223.0.0.0/8;
224.0.0.0/3;
};
logging {
channel default_syslog {
// Send most of the named messages to syslog.
syslog local2;
severity info;
};
channel audit_log {
// Send the security related messages to a separate file.
file "/var/log/named.log" versions 5 size 20m;
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { default_syslog; };
category lame-servers { audit_log; };
};
key "masterslave" {
algorithm hmac-md5;
secret "---HASHKEY---";
};
server IP_OF_OTHER_SIDE(/etc/bind/slave) {
keys {
masterslave;
};
};
options {
directory "/var/cache/bind";
statistics-file "/var/log/named.stats";
memstatistics-file "/var/log/named.memstats";
dump-file "/var/log/named.dump";
zone-statistics yes;
// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;
// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;
// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;
// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;
allow-transfer { key masterslave; };
// rndc reload won't work because of dynamic updates enabled with
// allow-update { key masterslave; };
allow-recursion { trusted; };
allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};
allow-query-cache {
// Accept queries of our cache from our "trusted" ACL.
trusted;
};
blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
//disabled for random prorts query-source address * port 53;
transfer-source * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
PROVIDER_DNS1;
PROVIDER_DNS2;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
master:
/etc/bind/master_linux.lan
$TTL 3D
@ IN SOA ns1.linux.lan. hostmaster.linux.lan. (
200710131 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
;
TXT "Linux.LAN, serving YOUR domain :)"
NS ns1 ; Inet Address of name server
NS ns2
MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
ns1 A MASTER_IP
ns2 A SLAVE_IP
mail A MAIL_IP
/etc/bind/named.conf.local
zone "linux.lan" {
type master;
file "/etc/bind/master_linux.lan";
};
slave:
/etc/bind/named.conf.local:
zone "linux.lan" {
type slave;
file "/etc/bind/slave_linux.lan";
masters { MASTER_IP; };
allow-notify { key masterslave; };
};
rndc-confgen > /etc/rndc.conf
copy parts to /etc/bind/named.conf.options on master AND slave:
key "rndc-key" {
algorithm hmac-md5;
secret "---HASHKEY---";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
master:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "/etc/bind/db.bind";
allow-query { trusted; };
allow-transfer { none; };
};
allow-recursion { none; };
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { internal; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
include "/etc/bind/zones.rfc1918";
zone "internal.ournetwork.com" in {
// Our internal A RR zone. There may be several of these.
type master;
file "/etc/bind/db.internal";
};
zone "7.7.7.in-addr.arpa" in {
// Our internal PTR RR zone. Again, there may be several of these.
type master;
file "/etc/bind/db.7.7.7";
};
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
allow-recursion { none; };
include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.local";
};
master and slave /etc/bind/zones.local:
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "ournetwork.net" in {
type master;
file "/etc/bind/db.ournetwork";
allow-query { any; };
};
zone "8.8.8.in-addr.arpa" in {
type master;
file "/etc/bind/db.8.8.8";
allow-query { any; };
};
master and slave /etc/bind/db.bind:
$TTL 1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
2001013101 ; serial
3H ; refresh
1H ; retry
1W ; expiry
1D ) ; minimum
CHAOS NS localhost.
version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I. :)"
slave:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "/etc/bind/db.bind";
allow-query { trusted; };
allow-transfer { none; };
};
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
include "/etc/bind/zones.local";
include "/etc/bind/zones.rfc1918";
zone "ournetwork.net" in {
type slave;
file "/etc/bind/db.ournetwork";
allow-query { any; };
masters { MASTER_IP; };
};
zone "8.8.8.in-addr.arpa" in {
type slave;
file "/etc/bind/db.8.8.8";
allow-query { any; };
masters { MASTER_IP; };
};
};
References:
secure-bind-template
Bind9 Administration
bin9 hardening
[ view entry ] ( 822 views ) | print article
Linux connected via two networkcards to two different providers.
You coud use source based routing or if you prefere to route some ports only to on provider
here is my solution. Usefull for a private VOIP-Provider having two links and uses one link for RTP and the other for SIP.
RTP_IF="eth0"
RTP_GW_IP="10.0.1.1"
iptables -F -t mangle
# mark incomming unmarked connection
iptables -t mangle -A PREROUTING -i $RTP_IF -m connmark ! --mark 1 -j CONNMARK --set-mark 0x1
# This is the most important rule for marked incomming and marked outgoing connections to set packet MARK for routing
iptables -t mangle -A OUTPUT -m connmark --mark 1 -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m mark --mark 0x1 -j ACCEPT
# mark outgoing connection and packet (my RTP Ports)
iptables -t mangle -A OUTPUT -p udp --sport 5000:5058 -m connmark ! --mark 1 -j CONNMARK --set-mark 0x1
iptables -t mangle -A OUTPUT -p udp --sport 5000:5058 -m connmark --mark 1 -j MARK --set-mark 0x1
ip route flush table 1
ip route add default dev $RTP_IF via $RTP_GW_IP table 1
ip rule del fwmark 1 table 1
ip rule add fwmark 1 table 1
ip route flush cache
[ view entry ] ( 926 views ) | print article
<<First <Back | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | Next> Last>>