
I have a Debian server running FusionPBX; I installed it using this official script. It uses nginx to host the application. I tried adding another server (Django) in the nginx config file to support another server that's running on the same machine. Still, I can't access the Django server.

I tried opening port 8000 using the command sudo ufw allow 8000

When I use Nmap from another machine against this FusionPBX server, I do see the ports.

$ nmap ipaddrress
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-16 20:54 UTC
Nmap scan report for ipaddrress.de-fra1.upcloud.host (ipaddrress)
Host is up (0.00015s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
5060/tcp open  sip
5080/tcp open  onscreen
7443/tcp open  oracleas-https
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel

Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds

Even if I start the server using the normal command python manage.py runserver 0.0.0.0:8000 or python manage.py runserver 127.0.0.1:8000, it doesn't work.

In Ubuntu, all I have to do is sudo ufw allow 8000 and then python manage.py runserver 0.0.0.0:8000 and it works as expected.

python manage.py runserver 0.0.0.0:8000 is how we start a Django server, where 0.0.0.0 is the IP and 8000 is the port. Just in case anyone is confused 🙂

My Nginx config

server {
    listen 127.0.0.1:80;
    server_name 127.0.0.1;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ \.htaccess {
        deny all;
    }
    location ~ \.htpassword {
        deny all;
    }
    location ~^.+\.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 80;
    server_name fusionpbx;

    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }

    #rewrite rule - send to https with an exception for provisioning
    if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
        rewrite ^(.*) https://$host$1 permanent;
        break;
    }

    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }

    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12}).conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12}).cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(.(cfg))?$" /app/provision/?mac=$1 last;

    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(.cfg|.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

    #cisco
    rewrite "^.*/provision/file/(.*.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory.xml$" /app/provision/?file=directory.xml;

    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$"       "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$"    "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12}).cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory.xml$" /app/provision/?mac=$1&file=directory.xml;

    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

    #Snom
    rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ \.htaccess {
        deny all;
    }
    location ~ \.htpassword {
        deny all;
    }
    location ~^.+\.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 443 ssl;
    #listen 443 ssl http2;
    server_name fusionpbx;

    ssl_certificate         /etc/ssl/certs/nginx.crt;
    ssl_certificate_key     /etc/ssl/private/nginx.key;
    #ssl_protocols           TLSv1.2 TLSv1.3;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); the commented line above is the safer setting
    ssl_protocols           TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers             DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache       shared:SSL:40m;
    ssl_session_timeout     2h;
    ssl_session_tickets     off;

    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }

    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }

    #message media
    rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;

    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12}).conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;

    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12}).cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;

    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;

    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(.(cfg))?$" /app/provision/?mac=$1 last;

    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(.cfg|.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;

    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";

    #cisco
    rewrite "^.*/provision/file/(.*.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory.xml$" /app/provision/?file=directory.xml;

    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$"       "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$"    "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;

    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12}).cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory.xml$" /app/provision/?mac=$1&file=directory.xml;

    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    client_max_body_size 80M;
    client_body_buffer_size 128k;

    location / {
        root /var/www/fusionpbx;
        index index.php;
    }

    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param   SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }

    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ \.htaccess {
        deny all;
    }
    location ~ \.htpassword {
        deny all;
    }
    location ~^.+\.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 8000;
    server_name 127.0.0.1 0.0.0.0 fusionpbx 94.237.97.9;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/freeswitch/freeswitch_api/django_api;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
    }
}

The block that I added

server {
    listen 8000;
    server_name (IP OF MY SERVER);

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/freeswitch/freeswitch_api/django_api;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
    }
}

Is FusionPBX blocking the connection in some way?

I don’t know what I’m missing, any help is appreciated.

UPDATE:

So I tried opening the port using iptables; here is what I did:

sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

sudo iptables-save

sudo service iptables restart

The Outputs

$ sudo iptables-save
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
# Generated by iptables-save v1.8.7 on Fri Dec 16 22:39:51 2022
*filter
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [350:25243]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
COMMIT
# Completed on Fri Dec 16 22:39:51 2022
# Generated by iptables-save v1.8.7 on Fri Dec 16 22:39:51 2022
*mangle
:PREROUTING ACCEPT [8231:612573]
:INPUT ACCEPT [8231:612573]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8325:642913]
:POSTROUTING ACCEPT [8325:642913]
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 0x1a
COMMIT
# Completed on Fri Dec 16 22:39:51 2022

sudo iptables -L

$ sudo iptables -L
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "sipcli/" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "pplsip" ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "system " ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "exec." ALGO name bm TO 65535 ICASE
DROP       udp  --  anywhere             anywhere             udp dpts:sip:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP       tcp  --  anywhere             anywhere             tcp dpts:sip:5091 STRING match  "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:sip:5091
ACCEPT     udp  --  anywhere             anywhere             udp dpts:sip:5091
ACCEPT     udp  --  anywhere             anywhere             udp dpts:16384:32768
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

sudo iptables -S

$ sudo iptables -S
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT

netstat

$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:44653         0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 94.237.97.9:7443        0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8021          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 94.237.97.9:5080        0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8001            0.0.0.0:*               LISTEN      8542/python         
tcp        0      0 94.237.97.9:5060        0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:4040          0.0.0.0:*               LISTEN      7759/./ngrok        
tcp        0      0 94.237.97.9:5066        0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45931         0.0.0.0:*               LISTEN      1346/node           
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:5432                :::*                    LISTEN      -                   
tcp6       0      0 ::1:25                  :::*                    LISTEN      -                   
tcp6       0      0 2a04:3542:1000:910:5060 :::*                    LISTEN      -                   
udp        0      0 94.237.97.9:5080        0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:161             0.0.0.0:*                           -                   
udp        0      0 94.237.97.9:5060        0.0.0.0:*                           -                   
udp6       0      0 2a04:3542:1000:910:5060 :::*                                -

2 Answers


  1. Chosen as BEST ANSWER

    I solved the problem. I'll leave the solution here for anyone who may come across the same issue. Actually, it was quite simple. I examined how FusionPBX was installed and how it configured iptables. Here's the script.

    #!/bin/sh
    
    #move to script directory so all relative paths work
    cd "$(dirname "$0")"
    
    
    #add the includes
    . ./config.sh
    . ./colors.sh
    . ./environment.sh
    
    #send a message
    verbose "Configuring IPTables"
    
    #defaults to nftables by default this enables iptables
    if [ ."$os_codename" = ."buster" ]; then
        update-alternatives --set iptables /usr/sbin/iptables-legacy
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    fi
    if [ ."$os_codename" = ."bullseye" ]; then
        apt-get install -y iptables
        update-alternatives --set iptables /usr/sbin/iptables-legacy
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    fi
    
    #remove ufw
    ufw reset
    ufw disable
    apt-get remove -y ufw
    #apt-get purge ufw
    
    #run iptables commands
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
    iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
    iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
    iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
    iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -p udp --dport 1194 -j ACCEPT
    iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
    iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
    iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    
    #answer the questions for iptables persistent
    echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
    echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
    apt-get install -y iptables-persistent
    

    Now, to open another port, all I had to do was run the iptables command

    iptables -A INPUT -p tcp --dport 8000 -j ACCEPT

    and save the rules using

    sudo /sbin/iptables-save > /etc/iptables/rules.v4

    Make sure to run it as root or you'll get a permission denied error.

    In case you get the permission error, you might want to run sudo su - before saving the rules.


  2. Make sure that the Django server is running and listening on the correct IP address and port. You can check this by running the following command: netstat -tulpn

    Check the logs of both the Django server and the nginx server for any error messages or clues about what might be causing the issue.

    Verify that the nginx configuration file you added for the Django server is correct. Make sure that the server block is correctly configured to proxy requests to the Django server, and that the server block is enabled by including it in the http block.

    Make sure that there are no firewall rules or other security measures in place that might be blocking access to the Django server.

    I hope these suggestions help you get your Django server working with your FusionPBX installation. If you continue to have trouble, it might be helpful to provide more information about the specific steps you have taken and any error messages you have encountered.
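The question's UPDATE shows a socket listening on 0.0.0.0:8000 next to an INPUT chain whose policy is DROP, and the accepted answer fixes it by appending a single ACCEPT rule. The script below is an added example, not code from the original post or from FusionPBX: it parses iptables-save output and walks the INPUT chain for one packet, so you can see why a remote SYN to port 8000 falls through to the DROP policy while a connection over lo is accepted by the very first rule, and what changes once the rule is appended. The ruleset embedded in it is a constructed, shortened copy of the one in the question; the addresses 203.0.113.5 and 198.51.100.7 and the trusted network 203.0.113.0/24 are documentation ranges chosen for illustration, and the function names are my own.

```python
"""Walk an iptables INPUT chain for one packet the way the kernel does.
Added example (not code from the original post or from FusionPBX): parse
iptables-save text and report which rule, or the chain policy, decides a
bare TCP SYN. Only the matches used in the question's ruleset are modelled."""
from __future__ import annotations
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample: a shortened copy of the question's ruleset before the 8000 rule was added.
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [350:25243]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    line: str
    target: str
    proto: str | None = None
    iface: str | None = None
    dport: tuple[int, int] | None = None
    source: ipaddress.IPv4Network | None = None
    states: set[str] | None = None
    needs_payload: bool = False  # -m string inspects data; a bare SYN carries none

def parse_filter_table(text: str) -> tuple[dict[str, str], dict[str, list[Rule]]]:
    """Return (policy per chain, rules per chain) for the *filter table only."""
    policies, rules, in_filter = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line[0] == ":":  # ":INPUT DROP [1:44]" carries the chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = Rule(line=line, target=tok[tok.index("-j") + 1])
            i = 2
            while i < len(tok):
                opt, arg = tok[i], tok[i + 1] if i + 1 < len(tok) else ""
                if opt == "-p":
                    rule.proto = arg
                elif opt == "-i":
                    rule.iface = arg
                elif opt == "-s":
                    rule.source = ipaddress.ip_network(arg, strict=False)
                elif opt == "--dport":
                    lo, _, hi = arg.partition(":")
                    rule.dport = (int(lo), int(hi or lo))
                elif opt == "--state":
                    rule.states = set(arg.split(","))
                elif opt == "--string":
                    rule.needs_payload = True
                i += 2 if arg and not arg.startswith("-") else 1  # bare flags such as --icase
            rules.setdefault(tok[1], []).append(rule)
    return policies, rules

def matches(rule: Rule, proto: str, dport: int, src: str, iface: str, state: str) -> bool:
    # Every match in the rule must hold; any miss skips the rule.
    return not ((rule.iface and rule.iface != iface)
                or (rule.proto and rule.proto != proto)
                or (rule.dport and not rule.dport[0] <= dport <= rule.dport[1])
                or (rule.source and ipaddress.ip_address(src) not in rule.source)
                or (rule.states and state not in rule.states)
                or rule.needs_payload)

def verdict(text: str, dport: int, src: str, proto: str = "tcp", iface: str = "eth0",
            state: str = "NEW", chain: str = "INPUT") -> tuple[str, str]:
    """First terminating rule that matches wins; otherwise the chain policy decides."""
    policies, rules = parse_filter_table(text)
    for rule in rules.get(chain, []):
        if rule.target in ("ACCEPT", "DROP", "REJECT") and matches(rule, proto, dport, src, iface, state):
            return rule.target, rule.line
    return policies[chain], f"policy {policies[chain]}"

def add_allow_rule(text: str, port: int, source: str | None = None) -> str:
    """Append an ACCEPT for tcp/port as `iptables -A INPUT` does; `source` is a trusted CIDR."""
    src = f" -s {source}" if source else ""
    rule = f"-A INPUT{src} -p tcp -m tcp --dport {port} -j ACCEPT"
    return text.replace("\nCOMMIT", f"\n{rule}\nCOMMIT", 1)

if __name__ == "__main__":  # 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (assumed)
    print("remote SYN, before :", verdict(SAMPLE_RULES_V4, 8000, "203.0.113.5"))
    print("loopback SYN       :", verdict(SAMPLE_RULES_V4, 8000, "127.0.0.1", iface="lo"))
    fixed = add_allow_rule(SAMPLE_RULES_V4, 8000, source="203.0.113.0/24")
    print("remote SYN, after  :", verdict(fixed, 8000, "203.0.113.5"))
    print("untrusted src,after:", verdict(fixed, 8000, "198.51.100.7"))
```

Two practical points follow from the walk. A scan from outside such a host reports 8000 as filtered rather than open, because the policy silently discards the SYN; a scan run on the host itself goes through lo and is accepted by the first rule, so it reports open. And since the Django API on 8000 is proxied by nginx for the PBX rather than for the public, restricting the ACCEPT with -s <trusted CIDR> (or binding nginx's listen for that block to 127.0.0.1 and reaching it over the VPN the ruleset already admits on udp/1194) keeps the new port off the internet. Check for an existing rule with iptables -C INPUT ... -j ACCEPT before appending, so repeated runs do not stack duplicates, and save with the same backend the installer selected (iptables -V prints legacy or nf_tables) into /etc/iptables/rules.v4 so iptables-persistent reloads it at boot.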
