Archive for November, 2007

1:1 NAT (SNAT) with IPCop or other IPTables firewalls.

November 27, 2007

This could be needed for any number of reasons, but I needed to do this to have two trixbox Pro servers live next to each other on the same LAN behind an IPCop firewall. They were reporting back the same IP address to the hybrid hosting source, so inbound connections to both were routing to the one server. Normally this is remedied manually by changing the externip in sip.conf, but that is set automatically with trixbox pro, and not an option.

Log into the firewall at the console or via ssh and edit the firewall script. Comment out the single MASQUERADE line to disable masquerading, and add the SNAT rules in its place:

nano /etc/rc.d/rc.firewall

# Individual machine on GREEN (listed first: netfilter uses the first matching
# rule, so this must come before the subnet rule for 10.0.1.0/24 below)
/sbin/iptables -t nat -A POSTROUTING -s 10.0.1.99 -j SNAT --to-source 1.2.3.5
# All other machines on GREEN
/sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 1.2.3.4
# All other machines on ORANGE
/sbin/iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 1.2.3.4
# DISABLE MASQUERADE (left commented out; the SNAT rules above replace it)
# /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
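An added example, not IPCop's own rc.firewall, that builds the same SNAT rules from a small host map, checks that single-host rules come before subnet rules before applying them, and can also check a live `iptables -t nat -S POSTROUTING` listing; the addresses are the constructed values from the post, and it assumes the extra public address 1.2.3.5 is also configured as an alias on RED:

```shell
#!/bin/sh
# Added example, not IPCop's rc.firewall: build the POSTROUTING SNAT rules from a
# host map and a default public address, most-specific rules first. Netfilter
# takes the first matching rule, so a /24 rule listed before the single-host
# rule would silently send 10.0.1.99 out as 1.2.3.4 again.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Constructed values from the post: "internal-host public-IP", one pair per line.
HOST_MAP='10.0.1.99 1.2.3.5'
DEFAULT_PUBLIC=1.2.3.4
INTERNAL_NETS='10.0.1.0/24 10.0.2.0/24'   # GREEN and ORANGE

snat_rules() {
    # Print the iptables commands in the order they must be appended.
    printf '%s\n' "$HOST_MAP" | while read -r src pub; do
        [ -n "$src" ] || continue
        echo "$IPTABLES -t nat -A POSTROUTING -s $src -j SNAT --to-source $pub"
    done
    for net in $INTERNAL_NETS; do
        echo "$IPTABLES -t nat -A POSTROUTING -s $net -j SNAT --to-source $DEFAULT_PUBLIC"
    done
}

snat_order_ok() {
    # Read SNAT rule lines on stdin (this script's output, or the output of
    # `iptables -t nat -S POSTROUTING`); fail if a single-host rule follows a subnet rule.
    awk '
        /-j SNAT/ {
            src = ""
            for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
            is_host = (index(src, "/") == 0 || src ~ /\/32$/)
            if (is_host && seen_net) bad = 1
            if (!is_host) seen_net = 1
        }
        END { exit bad ? 1 : 0 }'
}

apply_snat_rules() {
    # Run as root on the firewall. Assumes 1.2.3.5 is also configured as an
    # alias on RED; otherwise replies to that address never reach the firewall.
    snat_rules | snat_order_ok || { echo "rule order is wrong, not applying" >&2; return 1; }
    snat_rules | sh -e
}

case "${1:-}" in
    apply) apply_snat_rules ;;
    *)     snat_rules ;;   # default: only show the rules that would be installed
esac
```

Run it with no argument to review the rules, or with `apply` on the firewall itself.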


TFTP through IPCOP or other iptables firewalls

November 25, 2007

TFTP runs over UDP. The client sends its request from a random port to server port 69, and the server answers from a new port of its own rather than from port 69. A NAT device that only tracks the original flow sees that answer as an unrelated new connection and drops it, so plain NAT (network address translation) on either end breaks the transfer. trixbox pro and many other phone systems use TFTP to provision phones, so this is a problem for remote phones. Here is a fix that lets TFTP traffic through an iptables-based firewall (IPCop in this example) by loading the kernel's TFTP connection-tracking helper.

You will need to enable ssh on the firewall and open a session. IPCop's sshd listens on the non-standard port 222 and can normally only be reached from the internal (GREEN) network.

nano /etc/rc.d/rc.network

add these two lines:
modprobe ip_conntrack_tftp
modprobe ip_nat_tftp

Save and exit.

For immediate effect, repeat the two lines at the command prompt, or reboot the firewall. I had to repeat this on both firewalls, as IPCop firewalls were on both ends.

If using trixbox pro, you also need to make a few minor changes to the configuration files for the phones in order for the phone to try the correct server. Change the sNNNN.trixbox.fonality.com settings to sNNNNx.trixbox.fonality.com where NNNN is your server number. I modified the file itself. Fonality recommends modifying the phone config on the phone once it is initially configured.
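An added helper script, not from the post, that checks whether the TFTP connection-tracking modules are loaded and rewrites the sNNNN host names in a phone config for a given server number without touching other servers' names; the config keys in the sample are made up:

```shell
#!/bin/sh
# Added example, not from the post: check that the kernel's TFTP connection-tracking
# helpers are loaded, and rewrite a phone config so it provisions from the sNNNNx
# host instead of sNNNN. IPCop-era kernels name the modules ip_conntrack_tftp and
# ip_nat_tftp; newer kernels use nf_conntrack_tftp and nf_nat_tftp.

tftp_helpers_loaded() {
    # 0 = both helpers loaded, 1 = at least one missing, 2 = cannot tell (no /proc/modules)
    [ -r /proc/modules ] || return 2
    grep -Eq '^(ip|nf)_conntrack_tftp ' /proc/modules &&
    grep -Eq '^(ip|nf)_nat_tftp ' /proc/modules
}

rewrite_provisioning_host() {
    # $1 = trixbox server number NNNN. Reads a config on stdin, writes the result on stdout.
    # Only "sNNNN.trixbox..." matches, so running it twice never produces "sNNNNxx", and
    # host names for other server numbers are left alone.
    sed "s/\(s$1\)\.trixbox\.fonality\.com/\1x.trixbox.fonality.com/g"
}

# Constructed sample config; the key names are made up, only the host names matter.
SAMPLE_CFG='tftp_server=s1234.trixbox.fonality.com
sip_registrar=s1234.trixbox.fonality.com:5060
other_host=s9999.trixbox.fonality.com'

printf '%s\n' "$SAMPLE_CFG" | rewrite_provisioning_host 1234
tftp_helpers_loaded; echo "tftp helper status: $?"
```

To rewrite a real file, pipe it through `rewrite_provisioning_host NNNN` into a new file and swap it in once you have checked the result.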

How To Install VMware-server-1.0.4 on Ubuntu Feisty Server

November 13, 2007

I found many great tutorials and how-tos but had to use several combinations before I ended up with a perfect installation of VMware 1.0.4 on my Feisty Server build. This will hopefully help the next troubled soul.

Let's assume this is a fresh new Feisty Server install and you've run all the necessary updates.

Next you’ll need to install a few things from a command line:

First off you’ll want to find out what version you have…

uname -r

sudo aptitude install linux-headers-$(uname -r)   (or type the version printed above in place of $(uname -r))

(Note: If you are using a 64 bit OS you may need to download the i386 version as well to help support the VMware package.)

sudo aptitude install libx11-6 libx11-dev libxtst6 xlibs-dev

sudo aptitude install gcc binutils-doc cpp-doc make manpages-dev autoconf automake1.9 libtool flex bison gdb gcc-doc

After I installed these I followed the rest of this tutorial and the setup went smoothly.

Categories: DIY

Ubuntu Network Manager and openvpn

November 8, 2007

This worked perfectly with my Ubuntu 7.10 Gutsy Gibbon laptop. I installed the network-manager-openvpn package. I used the file I created from the openvpn ipcop page, and pulled the necessary files out of the .p12 file.

cd <path to .p12 file>
sudo su
aptitude install network-manager-openvpn
# private key only (openssl asks for the .p12 password, then a passphrase for the new PEM key)
openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
# client certificate only
openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
# CA certificate(s) only
openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem


Categories: ipcop, linux, networking, ubuntu

OpenVPN tunnel with OSX and IPCop

November 8, 2007

IPCop with a plugin from Zerina and OSX software client Tunnelblick. Tunnelblick 3.0B4 works well with ZERINA-0.9.7a10. Note: the newer version of Tunnelblick would crash on a G3 iBook running Mac OS X v 10.4.1.

I followed the directions at this site and it worked easily.

Categories: ipcop, networking, OSX

Hot backup setup for trixbox Pro

November 1, 2007

Trixbox Hot Backup – servers need identical telephony hardware or this will not work.

On backup server:
Install trixbox pro, and activate it

ssh-keygen -t rsa
<enter>    (accept the default key file)
<enter>    (empty passphrase, so the cron job can use the key unattended)
<enter>
scp ~/.ssh/id_rsa.pub root@server1-IP:.ssh/authorized_keys
(Now you can scp/ssh/rsync to server1 without a password. Note that this replaces any authorized_keys file already on server1; append to it instead if other keys are in use.)

nano trixboxbackup.sh
#!/bin/sh
# Mirror the production server's Asterisk configuration, sound prompts, music on hold,
# voicemail, call recordings, phone provisioning files and wanpipe config.
# -a keeps permissions and ownership, -q is quiet for cron, --delete removes
# files on the backup that no longer exist on server1.
rsync -aq --delete root@server1-IP:/etc/asterisk /etc
rsync -aq --delete root@server1-IP:/var/lib/asterisk/sounds /var/lib/asterisk
rsync -aq --delete root@server1-IP:/var/lib/asterisk/mohmp3 /var/lib/asterisk
rsync -aq --delete root@server1-IP:/var/spool/asterisk/voicemail /var/spool/asterisk
rsync -aq --delete root@server1-IP:/var/spool/asterisk/monitor /var/spool/asterisk
rsync -aq --delete root@server1-IP:/tftpboot/ /tftpboot
rsync -aq --delete root@server1-IP:/etc/wanpipe /etc

ctrl-x y, to close and save
chmod 700 trixboxbackup.sh   (root runs it from cron; it must not be writable by other users)

nano /etc/crontab
add these lines:
00 * * * * root /root/trixboxbackup.sh
30 * * * * root /root/trixboxbackup.sh

It should now replace the contents of those directories on the hot backup server with the contents of the directories on the production server. It will happen silently, every 30 minutes. That can be adjusted to suit.

In case there is a serious problem with server1:

Power it off
Move PRI cables to same ports on backup server
change IP of backup server to IP of server1
Reboot backup server
Reboot phones. If connected to POE switch, simply power cycle POE switch.

The only problem is if you are using voip trunks on server1. The two servers could compete for the same voip registration. The backup server should be blocked at the firewall in this case.

Categories: linux