Execute script in dialplan

Can anyone pls help me with this problem?
I'm trying to get a dyndns.adress entry in iptables by calling a number.

Hello everyone, I have a small problem: when a phone number is called, I want a DynDNS entry to be written into iptables.
Here is my config:

Dialplan
exten = s,1,System(/usr/bin/bash /usr/bin/ddns.sh)

/usr/bin/ddns.sh:

chown asterisk:asterisk
chmod 755

#!/bin/bash
/usr/bin/sudo iptables -F DYNAMIC
/usr/bin/sudo iptables -A DYNAMIC -p udp -m udp -s my.dyndns.adress -m multiport --dports xx,xx,xx -j ACCEPT

The script doesn't work in the dialplan, although it's working in the terminal and in the CLI.

Unfortunately, the script with the iptables commands does not work in the dialplan.
In the terminal and in the CLI it works!!
If I use an ordinary file-creation command instead of the iptables command, it works in the dialplan too.

So what am I doing wrong, why doesn't it work in the dialplan?

etc/sudoers.d/asterisk

asterisk ALL=/usr/bin/ddns.sh
chmod 440

Can anybody help?

Does anyone have an idea?

Tried iptables directly in the dialplan, but it doesn't work either.

I tried iptables directly in the dialplan:

exten = s,1,System(iptables -w -A DYNAMIC -s mydyndns.adresse -j ACCEPT)

Unfortunately without success.

No success.

“It is exten =>, not exten=.”
Also, please replace system() with shell() just for debugging purposes, as you will get the command output with the shell() function

Can anyone pls help me with this problem?
I'm trying to get a dyndns.adress entry in iptables by calling a number.

Strange idea, but fair enough…

Dialplan
exten = s,1,System(/usr/bin/bash /usr/bin/ddns.sh)

I would recommend instead:

exten = s,1,System(/usr/bin/ddns.sh)

Antony.

Both are acceptable. I never use ‘=>’


Maybe executing the script like:

bash -x dds.sh >/tmp/dds-log 2>&1

would yield clues.

Also, does the DYNAMIC chain already exist?

You haven’t given us any information about possible entries in the system logs.

I am using iptables in some of my boxes myself, but I’ve never had your problem. But my approach is a bit different and doesn’t rely on System. Some might consider that a not really brilliant idea.

journalctl -f is usually quite talkative, and if something isn't working, you should find something there. I suspect this is about execution permissions, although for now I'd rather not go into how I have shot myself in the foot before. On systems with the red hat it is also easy to overlook the SELinux goblin. But that can easily be verified in the logs too. Without further info, though, this is all just guesswork.

You could describe your setup. I’d hate to learn in the end that everything worked fine and the real problem was not related to Asterisk, but the usual German FritzCasket.

THX for all your answers, but it still doesn't work.
Thanks for all your suggestions, unfortunately it still doesn't work.

  • no matter if i use exten = or exten =>

  • the shell function doesn´t work
    error :WARNING[3142][C-0000000b]: pbx.c:2928 pbx_extension_helper: No application ‘SHELL’ for extension (script, s, 1)

  • exten = s,1,System(/usr/bin/ddns.sh) doesn't work either

  • DYNAMIC chain exists

  • System

Asterisk 16.28.0~dfsg-0+deb11u3
Raspberry Pi

  • System: 64-bit
  • Debian version: 11 (bullseye)

journalctl -f

Jan 02 19:48:22 raspberrypi sudo[2873]: pam_unix(sudo:auth): conversation failed
Jan 02 19:48:22 raspberrypi sudo[2873]: pam_unix(sudo:auth): auth could not identify password for [asterisk]
Jan 02 19:48:22 raspberrypi asterisk[2873]: sudo: a password is required
Jan 02 19:48:22 raspberrypi sudo[2873]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -F DYNAMIC
Jan 02 19:48:22 raspberrypi asterisk[2877]: We trust you have received the usual lecture from the local System
Jan 02 19:48:22 raspberrypi asterisk[2877]: Administrator. It usually boils down to these three things:
Jan 02 19:48:22 raspberrypi asterisk[2877]: #1) Respect the privacy of others.
Jan 02 19:48:22 raspberrypi asterisk[2877]: #2) Think before you type.
Jan 02 19:48:22 raspberrypi asterisk[2877]: #3) With great power comes great responsibility.
Jan 02 19:48:22 raspberrypi asterisk[2877]: sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
Jan 02 19:48:22 raspberrypi sudo[2877]: pam_unix(sudo:auth): conversation failed
Jan 02 19:48:22 raspberrypi sudo[2877]: pam_unix(sudo:auth): auth could not identify password for [asterisk]
Jan 02 19:48:22 raspberrypi asterisk[2877]: sudo: a password is required
Jan 02 19:48:22 raspberrypi sudo[2877]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -A DYNAMIC -p udp -m udp -s my.dyndns.adress -m multiport --dports xx,xx,xx -j ACCEPT

Shouldn't the execution rights be granted by this rule in etc/sudoers.d/asterisk?

asterisk ALL=/usr/bin/ddns.sh
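
The denial lines in this journal name `/usr/sbin/iptables`, while the sudoers rule names `/usr/bin/ddns.sh`; sudo matches the command it is asked to run, not the script that called it. The following is an added example, not part of the original post, that pulls this comparison out of the log lines; the function names are made up here.

```shell
#!/bin/sh
# Added example: read sudo's journal lines and say why each request was refused,
# given the one command that the sudoers rule names.

# Three lines copied from the journal output in the post above.
JOURNAL='Jan 02 19:48:22 raspberrypi asterisk[2873]: sudo: a password is required
Jan 02 19:48:22 raspberrypi sudo[2873]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -F DYNAMIC
Jan 02 19:48:22 raspberrypi sudo[2877]: asterisk : command not allowed ; PWD=/var/lib/asterisk ; USER=root ; COMMAND=/usr/sbin/iptables -A DYNAMIC -p udp -m udp -s my.dyndns.adress -m multiport --dports xx,xx,xx -j ACCEPT'

# Print "user path" once for every distinct refused sudo request on stdin.
# Lines that are not sudo denials (such as the password message) are skipped.
denied_requests() {
    sed -n 's/^.* sudo\[[0-9]*\]: *\([^ ]*\) : command not allowed ;.*COMMAND=\([^ ]*\).*$/\1 \2/p' | sort -u
}

# Usage: explain_denials RULE_USER RULE_CMD < journal
# Compares each refused request with the user and command of one sudoers rule.
explain_denials() {
    denied_requests | while read -r user path; do
        if [ "$user" != "$1" ]; then
            echo "$path: rule is for user $1, request came from $user"
        elif [ "$path" != "$2" ]; then
            echo "$path: sudo was asked for this binary, the rule only names $2"
        else
            echo "$path: the rule names it; check the rule's host, runas and argument parts"
        fi
    done
}

printf '%s\n' "$JOURNAL" | explain_denials asterisk /usr/bin/ddns.sh
```
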

If your setup depends on sudo, you need to allow the asterisk user the execution of the command without a password (NOPASSWD).

You try to circumvent existing security measures by any means possible. Your problem has nothing to do with Asterisk and everything to do with your understanding of Linux.

Apart from that, shell scripts from Asterisk are not only a security problem, but you also run the risk of blocking the entire telephone system if the script gets stuck. System is not running in the background.

You don’t need the scripts to feed iptables either.

I would recommend not trying to perform a privileged function directly from a shell command in the Asterisk config. A safer idea would be to send a request via some suitable IPC channel (e.g. D-Bus, Varlink) to a privileged daemon that will maintain the appropriate packet-filter tables for you.
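
A narrowed version of the sudo approach discussed in the replies above, as an added example (not code posted by anyone in the thread): sudo authorises the whole root-owned script without a password, and the script validates the resolved address before it touches the chain. The host name, the ports, the `apply` argument, and the sudoers and dialplan lines in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed installation:
#   chown root:root /usr/bin/ddns.sh && chmod 755 /usr/bin/ddns.sh
#   /etc/sudoers.d/asterisk:  asterisk ALL=(root) NOPASSWD: /usr/bin/ddns.sh apply
#   dialplan:  exten = s,1,System(/usr/bin/sudo -n /usr/bin/ddns.sh apply)
# sudo now authorises the script as a whole, so the script itself calls no sudo,
# and the asterisk user cannot edit what root will run.

DDNS_HOST="my.dyndns.example"   # placeholder host name (assumption)
PORTS="5060,5061"               # placeholder UDP ports (assumption)

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the iptables arguments for the single ACCEPT rule, or fail.
accept_rule() {
    is_ipv4 "$1" || { echo "ddns.sh: refusing address '$1'" >&2; return 1; }
    echo "-A DYNAMIC -s $1/32 -p udp -m multiport --dports $PORTS -j ACCEPT"
}

main() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    # Bounded lookup: System() blocks the channel until the script returns.
    ip=$(timeout 5 getent ahostsv4 "$DDNS_HOST" | awk 'NR == 1 { print $1 }')
    # Validate before flushing, so a failed lookup leaves the old rule in place.
    args=$(accept_rule "$ip") || exit 1
    iptables -w -F DYNAMIC
    iptables -w $args   # unquoted on purpose: $args was built from validated parts
}

# Only act when called as "ddns.sh apply", matching the sudoers rule above.
if [ "${1:-}" = apply ]; then
    main
fi
```
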

Thx, got it.
Thanks everyone, I found a solution.
