Can anyone please help me with this problem?
I'm trying to get a DynDNS address entry into iptables by calling a number.
Hello everyone, I have a small problem: when a phone number is called, I want a DynDNS entry to be written into iptables.
Here is my config:
The script doesn't work in the dialplan, although it works in the terminal and in the CLI.
Unfortunately, the script with the iptables commands does not work in the dialplan.
In the terminal and in the CLI it works!
If I use an ordinary create-file command instead of the iptables command, it also works in the dialplan.
So what am I doing wrong? Why doesn't it work in the dialplan?
etc/sudoers.d/asterisk
asterisk ALL=/usr/bin/ddns.sh
chmod 440
Can anybody help?
Does anyone have an idea?
I tried iptables directly in the dialplan, but it doesn't work either.
I tried iptables directly in the dialplan:
exten = s,1,System(iptables -w -A DYNAMIC -s mydyndns.adresse -j ACCEPT)
“It is exten =>, not exten=.”
Also, please replace system() with shell() just for debugging purposes, as you will get the command output with the shell() function
You haven’t given us any information about possible entries in the system logs.
I am using iptables in some of my boxes myself, but I’ve never had your problem. But my approach is a bit different and doesn’t rely on System. Some might consider that a not really brilliant idea.
journalctl -f is normally quite talkative and, if something doesn't work, you should find something there. I suspect this is about execution permissions, though for now I'd rather not go into how I have shot myself in the foot before. On systems with the red hat it is also very easy to overlook the SELinux goblin. But that can easily be verified in the logs too. Without further info, though, this is all just guesswork.
You could describe your setup. I’d hate to learn in the end that everything worked fine and the real problem was not related to Asterisk, but the usual German FritzCasket.
Thanks for all your answers, but it still doesn't work.
Thanks for all your suggestions, unfortunately it still doesn't work.
It doesn't matter whether I use exten = or exten =>.
The shell function doesn't work.
error :WARNING[3142][C-0000000b]: pbx.c:2928 pbx_extension_helper: No application ‘SHELL’ for extension (script, s, 1)
exten = s,1,System(/usr/bin/ddns.sh) doesn't work either
The DYNAMIC chain exists.
System
Asterisk 16.28.0~dfsg-0+deb11u3
Raspberry Pi
System: 64-bit
Debian version: 11 (bullseye)
journalctl -f
Jan 02 19:48:22 raspberrypi sudo[2873]: pam_unix(sudo:auth): conversation failed
Jan 02 19:48:22 raspberrypi sudo[2873]: pam_unix(sudo:auth): auth could not identify password for [asterisk]
Jan 02 19:48:22 raspberrypi asterisk[2873]: sudo: a password is required
Jan 02 19:48:22 raspberrypi sudo[2873]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -F DYNAMIC
Jan 02 19:48:22 raspberrypi asterisk[2877]: We trust you have received the usual lecture from the local System
Jan 02 19:48:22 raspberrypi asterisk[2877]: Administrator. It usually boils down to these three things:
Jan 02 19:48:22 raspberrypi asterisk[2877]: #1) Respect the privacy of others.
Jan 02 19:48:22 raspberrypi asterisk[2877]: #2) Think before you type.
Jan 02 19:48:22 raspberrypi asterisk[2877]: #3) With great power comes great responsibility.
Jan 02 19:48:22 raspberrypi asterisk[2877]: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
Jan 02 19:48:22 raspberrypi sudo[2877]: pam_unix(sudo:auth): conversation failed
Jan 02 19:48:22 raspberrypi sudo[2877]: pam_unix(sudo:auth): auth could not identify password for [asterisk]
Jan 02 19:48:22 raspberrypi asterisk[2877]: sudo: a password is required
Jan 02 19:48:22 raspberrypi sudo[2877]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -A DYNAMIC -p udp -m udp -s my.dyndns.adress -m multiport --dports xx,xx,xx -j ACCEPT
Should the execution permissions with the
etc/sudoers.d/asterisk
You try to circumvent existing security measures by any means possible. Your problem has nothing to do with Asterisk and everything to do with your understanding of Linux.
Apart from that, shell scripts from Asterisk are not only a security problem, but you also run the risk of blocking the entire telephone system if the script gets stuck. System is not running in the background.
You don’t need the scripts to feed iptables either.
I would recommend not trying to perform a privileged function directly from a shell command in the Asterisk config. A safer idea would be to send a request via some suitable IPC channel (e.g. D-Bus, Varlink) to a privileged daemon that will maintain the appropriate packet-filter tables for you.
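A sketch of the privileged-helper approach recommended in the last reply, added here as an example and not code from the thread or from Asterisk: a root daemon on a Unix socket accepts only a fixed `refresh` request from the asterisk user and runs the two iptables commands seen in the journal output. The socket path, the hostname, the port list and the function names are assumptions.

```python
import ipaddress, os, pwd, socket, struct, subprocess

SOCK_PATH = "/run/ddns-fw.sock"   # assumed socket path (hypothetical)
HOSTNAME = "my.dyndns.example"    # placeholder for the DynDNS name
CHAIN = "DYNAMIC"                 # chain name used in the thread
PORTS = "5060,5061"               # placeholder; the thread elides the real ports
IPT = "/usr/sbin/iptables"        # path as shown in the journal output

def build_commands(addr):
    """Return the fixed iptables argv lists for one validated IPv4 literal."""
    ip = ipaddress.IPv4Address(addr)  # ValueError for names, masks, options
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"refusing address {ip}")
    return [[IPT, "-w", "-F", CHAIN],
            [IPT, "-w", "-A", CHAIN, "-p", "udp", "-m", "udp", "-s", str(ip),
             "-m", "multiport", "--dports", PORTS, "-j", "ACCEPT"]]

def peer_uid(conn):  # UID of the connecting process via SO_PEERCRED (Linux only)
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]  # struct ucred is (pid, uid, gid)

def handle(request, uid, allowed_uid, resolve=socket.gethostbyname):
    # The caller supplies no hostname or arguments, only the fixed verb.
    if uid != allowed_uid:
        raise PermissionError("caller is not the asterisk user")
    if request.strip() != b"refresh":
        raise ValueError("unknown request")
    return build_commands(resolve(HOSTNAME))

def serve():  # run as root; only root and the asterisk group can open the socket
    pw = pwd.getpwnam("asterisk")
    if os.path.exists(SOCK_PATH):
        os.unlink(SOCK_PATH)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    os.umask(0o117)                    # socket is created with mode 0660
    srv.bind(SOCK_PATH)
    os.chown(SOCK_PATH, 0, pw.pw_gid)
    srv.listen(1)
    while True:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)         # a stuck client cannot hang the daemon
            try:
                for argv in handle(conn.recv(64), peer_uid(conn), pw.pw_uid):
                    subprocess.run(argv, check=True, timeout=10)  # argv list, no shell
                conn.sendall(b"ok\n")
            except Exception as exc:   # refuse and log; never crash on bad input
                print("refused:", type(exc).__name__)

if __name__ == "__main__":
    serve()
```

With this split the asterisk user needs no sudoers entry at all; the dialplan side only has to write `refresh` to the socket.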