I have a Debian server running FusionPBX; I installed it using this official script. It uses nginx to host the application. I tried adding another server (Django) in the nginx config file to support another server that's running on the same machine. Still, I can't access the Django server.
I tried opening port 8000 using the command sudo ufw allow 8000
When I run Nmap from another machine against this FusionPBX server, I do see the ports.
$ nmap ipaddrress
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-16 20:54 UTC
Nmap scan report for ipaddrress.de-fra1.upcloud.host (ipaddrress)
Host is up (0.00015s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5060/tcp open sip
5080/tcp open onscreen
7443/tcp open oracleas-https
8000/tcp open http-alt
8001/tcp open vcom-tunnel
Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
Even if I start the server using the normal command python manage.py runserver 0.0.0.0:8000
or
python manage.py runserver 127.0.0.1:8000
it doesn't work.
In Ubuntu, all I have to do is sudo ufw allow 8000
and then python manage.py runserver 0.0.0.0:8000
and it works as expected.
python manage.py runserver 0.0.0.0:8000
This is how we start a Django server, where 0.0.0.0 is the IP and 8000 is the port, just in case anyone is confused :)
My nginx config:
server {
    listen 127.0.0.1:80;
    server_name 127.0.0.1;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 80M;
    client_body_buffer_size 128k;
    location / {
        root /var/www/fusionpbx;
        index index.php;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
server {
    listen 80;
    server_name fusionpbx;
    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }
    #rewrite rule - send to https with an exception for provisioning
    if ($uri !~* ^.*(provision|xml_cdr|firmware).*$) {
        rewrite ^(.*) https://$host$1 permanent;
        break;
    }
    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }
    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
    #cisco
    rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
    #Snom
    rewrite "^.*/provision/-([A-Fa-f0-9]{12})?$" /app/provision/index.php?mac=$1;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 80M;
    client_body_buffer_size 128k;
    location / {
        root /var/www/fusionpbx;
        index index.php;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
server {
    listen 443 ssl;
    #listen 443 ssl http2;
    server_name fusionpbx;
    ssl_certificate /etc/ssl/certs/nginx.crt;
    ssl_certificate_key /etc/ssl/private/nginx.key;
    #ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers DHE-RSA-AES256-SHA:AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 2h;
    ssl_session_tickets off;
    #redirect letsencrypt to dehydrated
    location ^~ /.well-known/acme-challenge {
        default_type "text/plain";
        auth_basic "off";
        alias /var/www/dehydrated;
    }
    #REST api
    if ($uri ~* ^.*/api/.*$) {
        rewrite ^(.*)/api/(.*)$ $1/api/index.php?rewrite_uri=$2 last;
        break;
    }
    #message media
    rewrite "^/app/messages/media/(.*)/(.*)" /app/messages/message_media.php?id=$1&action=download last;
    #algo
    rewrite "^.*/provision/algom([A-Fa-f0-9]{12})\.conf" /app/provision/?mac=$1&file=algom%7b%24mac%7d.conf last;
    #mitel
    rewrite "^.*/provision/MN_([A-Fa-f0-9]{12})\.cfg" /app/provision/index.php?mac=$1&file=MN_%7b%24mac%7d.cfg last;
    rewrite "^.*/provision/MN_Generic.cfg" /app/provision/index.php?mac=08000f000000&file=MN_Generic.cfg last;
    #grandstream
    rewrite "^.*/provision/cfg([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})/phonebook\.xml$" /app/provision/?mac=$1&file=phonebook.xml;
    rewrite "^.*/provision/(phonebook\.xml)?$" /app/provision/index.php?file=$1 last;
    #grandstream-wave softphone by ext because Android doesn't pass MAC.
    rewrite "^.*/provision/([0-9]{5})/cfg([A-Fa-f0-9]{12}).xml$" /app/provision/?ext=$1;
    #aastra
    rewrite "^.*/provision/aastra.cfg$" /app/provision/?mac=$1&file=aastra.cfg;
    #rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(cfg))?$" /app/provision/?mac=$1 last;
    #yealink
    #rewrite "^.*/provision/(y[0-9]{12})(\.cfg|\.boot)?$" /app/provision/index.php?file=$1$2;
    rewrite "^.*/provision/(y[0-9]{12})(\.cfg)?$" /app/provision/index.php?file=$1.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})(\.(xml|cfg))?$" /app/provision/index.php?mac=$1 last;
    #polycom
    rewrite "^.*/provision/000000000000.cfg$" "/app/provision/?mac=$1&file={%24mac}.cfg";
    #rewrite "^.*/provision/sip_330(\.(ld))$" /includes/firmware/sip_330.$2;
    rewrite "^.*/provision/features.cfg$" /app/provision/?mac=$1&file=features.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-sip.cfg$" /app/provision/?mac=$1&file=sip.cfg;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-phone.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-registration.cfg$" "/app/provision/?mac=$1&file={%24mac}-registration.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-directory.xml$" "/app/provision/?mac=$1&file={%24mac}-directory.xml";
    #cisco
    rewrite "^.*/provision/file/(.*\.(xml|cfg))" /app/provision/?file=$1 last;
    rewrite "^.*/provision/directory\.xml$" /app/provision/?file=directory.xml;
    #Escene
    rewrite "^.*/provision/([0-9]{1,11})_Extern.xml$" "/app/provision/?ext=$1&file={%24mac}_extern.xml" last;
    rewrite "^.*/provision/([0-9]{1,11})_Phonebook.xml$" "/app/provision/?ext=$1&file={%24mac}_phonebook.xml" last;
    #Vtech
    rewrite "^.*/provision/VCS754_([A-Fa-f0-9]{12})\.cfg$" /app/provision/?mac=$1;
    rewrite "^.*/provision/pb([A-Fa-f0-9-]{12,17})/directory\.xml$" /app/provision/?mac=$1&file=directory.xml;
    #Digium
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-contacts\.cfg$" "/app/provision/?mac=$1&file={%24mac}-contacts.cfg";
    rewrite "^.*/provision/([A-Fa-f0-9]{12})-smartblf\.cfg$" "/app/provision/?mac=$1&file={%24mac}-smartblf.cfg";
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    client_max_body_size 80M;
    client_body_buffer_size 128k;
    location / {
        root /var/www/fusionpbx;
        index index.php;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Allow the upgrade routines to run longer than normal
    location = /core/upgrade/index.php {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_read_timeout 15m;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /var/www/fusionpbx$fastcgi_script_name;
    }
    # Disable viewing .htaccess & .htpassword & .db & .git
    location ~ .htaccess {
        deny all;
    }
    location ~ .htpassword {
        deny all;
    }
    location ~^.+.(db)$ {
        deny all;
    }
    location ~ /\.git {
        deny all;
    }
    location ~ /\.lua {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
server {
    listen 8000;
    server_name 127.0.0.1 0.0.0.0 fusionpbx 94.237.97.9;
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/freeswitch/freeswitch_api/django_api;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
    }
}
The block that I added:
server {
    listen 8000;
    server_name (IP OF MY SERVER);
    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/freeswitch/freeswitch_api/django_api;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/freeswitch/freeswitch_api/django_api/django_api.sock;
    }
}
Is FusionPBX blocking the connection in some way?
I don't know what I'm missing, any help is appreciated.
UPDATE:
So I tried opening the port using iptables; here is what I did:
sudo iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
sudo iptables-save
sudo service iptables restart
The outputs:
$ sudo iptables-save
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
# Generated by iptables-save v1.8.7 on Fri Dec 16 22:39:51 2022
*filter
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [350:25243]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
COMMIT
# Completed on Fri Dec 16 22:39:51 2022
# Generated by iptables-save v1.8.7 on Fri Dec 16 22:39:51 2022
*mangle
:PREROUTING ACCEPT [8231:612573]
:INPUT ACCEPT [8231:612573]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8325:642913]
:POSTROUTING ACCEPT [8325:642913]
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 0x1a
COMMIT
# Completed on Fri Dec 16 22:39:51 2022
sudo iptables -L
$ sudo iptables -L
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "friendly-scanner" ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "sipcli/" ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "VaxSIPUserAgent/" ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "pplsip" ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "system " ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "exec." ALGO name bm TO 65535 ICASE
DROP udp -- anywhere anywhere udp dpts:sip:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
DROP tcp -- anywhere anywhere tcp dpts:sip:5091 STRING match "multipart/mixed;boundary" ALGO name bm TO 65535 ICASE
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:7443
ACCEPT tcp -- anywhere anywhere tcp dpts:sip:5091
ACCEPT udp -- anywhere anywhere udp dpts:sip:5091
ACCEPT udp -- anywhere anywhere udp dpts:16384:32768
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
sudo iptables -S
$ sudo iptables -S
sudo: unable to resolve host debian-1cpu-1gb-de-fra1: Name or service not known
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
netstat
$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:44653 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 94.237.97.9:7443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8021 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 94.237.97.9:5080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN 8542/python
tcp 0 0 94.237.97.9:5060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:4040 0.0.0.0:* LISTEN 7759/./ngrok
tcp 0 0 94.237.97.9:5066 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45931 0.0.0.0:* LISTEN 1346/node
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:5432 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 2a04:3542:1000:910:5060 :::* LISTEN -
udp 0 0 94.237.97.9:5080 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 0.0.0.0:161 0.0.0.0:* -
udp 0 0 94.237.97.9:5060 0.0.0.0:* -
udp6 0 0 2a04:3542:1000:910:5060 :::* -
I solved the problem. I'll leave the solution here for anyone who may come across the same issue. Actually, it was quite simple. I examined how FusionPBX was installed and how they configured iptables. Here's the script.
#!/bin/sh
#move to script directory so all relative paths work
cd "$(dirname "$0")"
#add the includes
. ./config.sh
. ./colors.sh
. ./environment.sh
#send a message
verbose "Configuring IPTables"
#defaults to nftables by default this enables iptables
if [ ."$os_codename" = ."buster" ]; then
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
if [ ."$os_codename" = ."bullseye" ]; then
    apt-get install -y iptables
    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
#remove ufw
ufw reset
ufw disable
apt-get remove -y ufw
#apt-get purge ufw
#run iptables commands
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
iptables -A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 7443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5091 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -t mangle -A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 46
iptables -t mangle -A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 26
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#answer the questions for iptables persistent
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | debconf-set-selections
apt-get install -y iptables-persistent
Now, to open another port, all I had to do was run the iptables command
iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
and save the rules using
sudo /sbin/iptables-save > /etc/iptables/rules.v4
Make sure to run it as root or you'll get a permission denied error.
In case you get the permission error, you might want to run sudo su -
before saving the rules.
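As an added example that is not part of the original question or answer (and not FusionPBX's own script): a small POSIX sh script that reads an iptables-save dump of the filter table, reports what the INPUT chain will do with a new TCP connection to a given port, and prints the iptables command that will actually take effect. The second point matters because the answer's fix works only because FusionPBX's chain relies on the DROP policy with no explicit catch-all rule; on a chain that ends in an unconditional -j DROP, iptables -A appends a rule that is never reached and -I at the right position is needed instead. The two rule dumps are constructed sample data modelled on the output above (the catch-all variant is an assumed ruleset added to show that case); the function names are mine, and the persist path /etc/iptables/rules.v4 is the one from the answer.

```shell
#!/bin/sh
# Added example, not from the original post or from FusionPBX's install script.
# Parses an iptables-save dump of the filter table and answers:
#   1. what the INPUT chain does with a fresh inbound TCP connection to a port
#   2. whether an ACCEPT rule for that port can be appended (-A) or has to be
#      inserted (-I <n>) ahead of an unconditional DROP/REJECT rule
# Runs offline against constructed dumps; on a live host pass
# "$(iptables-save -t filter)" as the first argument instead.

# Constructed dump modelled on the question's output: policy DROP, a string
# match rule on the SIP range, no catch-all rule, nothing for tcp/8000 yet.
SAMPLE_RULES='*filter
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [350:25243]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT'

# Assumed variant (not from the page): same idea, but the chain ends in an
# explicit catch-all DROP, so an appended rule would sit behind it, unreachable.
SAMPLE_RULES_CATCHALL='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
COMMIT'

# tcp_port_verdict DUMP PORT
# Prints the target of the first INPUT rule a new inbound TCP SYN to PORT hits,
# or "policy:<POLICY>" if it falls through to the chain policy. Rules that
# cannot match a fresh remote SYN are treated as non-matching: loopback-only
# rules, state/conntrack rules whose state list lacks NEW, and payload string
# matches (a bare SYN carries no payload).
tcp_port_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { port += 0 }
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            proto = ""; lo = 0; dlo = 0; dhi = 0; target = ""; skip = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "-i" && $(i + 1) == "lo") lo = 1
                else if ($i == "--dport") {
                    n = split($(i + 1), r, ":")
                    dlo = r[1] + 0; dhi = (n == 2) ? r[2] + 0 : dlo
                }
                else if ($i == "-j") target = $(i + 1)
                else if (($i == "--state" || $i == "--ctstate") && $(i + 1) !~ /NEW/) skip = 1
                else if ($i == "-m" && $(i + 1) == "string") skip = 1
            }
            if (lo || skip) next
            if (proto != "" && proto != "tcp") next
            if (dlo && (port < dlo || port > dhi)) next
            print target; found = 1; exit
        }
        END { if (!found) print "policy:" policy }
    '
}

# tcp_allow_cmd DUMP PORT
# Prints the iptables command that really takes effect: -A when the chain relies
# on its policy (as FusionPBX's script does), -I <n> when an unconditional
# DROP/REJECT rule at position n would shadow an appended rule.
tcp_allow_cmd() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A INPUT / {
            n++
            if (!catchall && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall = n
        }
        END {
            if (catchall) printf "iptables -I INPUT %d -p tcp --dport %s -j ACCEPT\n", catchall, port
            else printf "iptables -A INPUT -p tcp --dport %s -j ACCEPT\n", port
        }
    '
}

# report DUMP PORT: one-screen summary, including the persist step from the
# answer. A rule added with iptables alone lives only in the kernel; without
# the save, iptables-persistent restores the old rules.v4 on the next reload.
report() {
    echo "tcp/$2 verdict: $(tcp_port_verdict "$1" "$2")"
    echo "to allow:       $(tcp_allow_cmd "$1" "$2")"
    echo "then persist:   iptables-save > /etc/iptables/rules.v4   (as root)"
}

report "$SAMPLE_RULES" 8000
report "$SAMPLE_RULES_CATCHALL" 8000
# Live host, as root: report "$(iptables-save -t filter)" 8000
```

Against the first dump the script reports policy:DROP for tcp/8000 and recommends the plain -A from the answer; against the catch-all variant it reports DROP from the explicit rule and recommends -I INPUT 5, i.e. inserting just before that rule. The string-match and RELATED,ESTABLISHED rules are deliberately ignored when deciding the verdict, which is the right call for a new connection but means the tool says nothing about what happens to SIP payloads once a session is up.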