I am trying to forward all SIP traffic on eth0 port 5060, my internet feed, to an internal server 192.168.0.2 or $PBX through eth3.

eth0 is 10.10.19.3 and the source is 10.10.20.4.
There is no routefilter in the interfaces config.

The rules I put in are

DNAT net loc:$PBX udp 5060:5061 # sip
DNAT net loc:$PBX udp 10000:20000 # rtp traffic

Here's the errors in /var/log/messages:

Feb 28 08:22:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:03:2d:05:92:db:00:c0:69:0b:39:2b:08:00 SRC=10.10.20.4 DST=10.10.19.3 LEN=581 TOS=0x10 PREC=0xA0 TTL=59 ID=21890 PROTO=UDP SPT=5060 DPT=5060 LEN=561

Any ideas what I am doing wrong?

Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815)301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com
Chris Mason (Lists) wrote:
> I am trying to forward all SIP traffic on eth0 port 5060, my internet
> feed, to an internal server 192.168.0.2 or $PBX through eth3.
>
> eth0 is 10.10.19.3 and the source is 10.10.20.4.
> There is no routefilter in the interfaces config.
>
> The rules I put in are
>
> DNAT net loc:$PBX udp 5060:5061 # sip
> DNAT net loc:$PBX udp 10000:20000 # rtp traffic
>
> Here's the errors in /var/log/messages:
>
> Feb 28 08:22:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:03:2d:05:92:db:00:c0:69:0b:39:2b:08:00 SRC=10.10.20.4
> DST=10.10.19.3 LEN=581 TOS=0x10 PREC=0xA0 TTL=59 ID=21890 PROTO=UDP
> SPT=5060 DPT=5060 LEN=561
>
> Any ideas what I am doing wrong?

Is 10.10.19.3 the primary address on eth0?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>
>> I am trying to forward all SIP traffic on eth0 port 5060, my internet
>> feed, to an internal server 192.168.0.2 or $PBX through eth3.
>>
>> eth0 is 10.10.19.3 and the source is 10.10.20.4.
>> There is no routefilter in the interfaces config.
>>
>> The rules I put in are
>>
>> DNAT net loc:$PBX udp 5060:5061 # sip
>> DNAT net loc:$PBX udp 10000:20000 # rtp traffic
>>
>> Here's the errors in /var/log/messages:
>>
>> Feb 28 08:22:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:03:2d:05:92:db:00:c0:69:0b:39:2b:08:00 SRC=10.10.20.4
>> DST=10.10.19.3 LEN=581 TOS=0x10 PREC=0xA0 TTL=59 ID=21890 PROTO=UDP
>> SPT=5060 DPT=5060 LEN=561
>>
>> Any ideas what I am doing wrong?
>
> Is 10.10.19.3 the primary address on eth0?

Yes, it is. It is the only address on it.

--
Chris Mason
Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Chris Mason (Lists) wrote:
>>>
>>> Feb 28 08:22:30 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>>> MAC=00:03:2d:05:92:db:00:c0:69:0b:39:2b:08:00 SRC=10.10.20.4
>>> DST=10.10.19.3 LEN=581 TOS=0x10 PREC=0xA0 TTL=59 ID=21890 PROTO=UDP
>>> SPT=5060 DPT=5060 LEN=561
>>>
>>> Any ideas what I am doing wrong?
>>
>> Is 10.10.19.3 the primary address on eth0?
>
> Yes, it is. It is the only address on it.

Please post the output of "shorewall show nat" as an attachment.

-Tom
"shorewall show nat" attached. -- Chris Mason NetConcepts (264) 497-5670 Fax: (264) 497-8463 Int: (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271 Cell: 264-235-5670 Yahoo IM: netconcepts_anguilla@yahoo.com -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Chris Mason (Lists) wrote:
> "shorewall show nat" attached.

I don't see anything wrong with the setup.

-Tom
Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> "shorewall show nat" attached.
>
> I don't see anything wrong with the setup.

What may have happened is that a conntrack table entry for the wrong connection (the one that is being logged) was established before you added the correct rules. Such an entry would prevent SIP traffic from traversing the DNAT rules. It appears that the SIP client uses a fixed port number (5600) which makes that scenario likely.

You can peruse the output of "shorewall show connections" to see if such an entry exists. If there is, you'll have to wait for it to expire or reboot.

This is an aspect of Netfilter that receives a lot of negative comment. The Netfilter developers have implemented a solution (a utility that can delete such entries) but it's not widely available yet (and last time I tried to build a kernel and utilities to support it, I found it tough going).

-Tom
Tom Eastep wrote:
> I don't see anything wrong with the setup.
>
> -Tom

I thought that since the phone was online before I put the pbx behind the firewall, it may be a state issue and once the phone rebooted, it would go away. However, this is not the case.

Here's another strange log event:

Feb 28 12:49:11 firewall kernel: Shorewall:all2all:REJECT:IN=eth3 OUT= MAC=00:03:47:95:be:fc:00:0e:08:ca:b2:28:08:00 SRC=192.168.0.12 DST=192.168.0.1 LEN=529 TOS=0x08 PREC=0x60 TTL=250 ID=26200 PROTO=UDP SPT=5060 DPT=5060 LEN=509

--
Chris Mason
Tom Eastep wrote:
>
> What may have happened is that a conntrack table entry for the wrong
> connection (the one that is being logged) was established before you
> added the correct rules. Such an entry would prevent SIP traffic from
> traversing the DNAT rules. It appears that the SIP client uses a fixed
> port number (5600) which makes that scenario likely.
>
> You can peruse the output of "shorewall show connections" to see if such
> an entry exists. If there is, you'll have to wait for it to expire or
> reboot.
>
> This is an aspect of Netfilter that receives a lot of negative comment.
> The Netfilter developers have implemented a solution (a utility that can
> delete such entries) but it's not widely available yet (and last time I
> tried to build a kernel and utilities to support it, I found it tough
> going).
>
> -Tom

This would sound likely but I tried rebooting everything, phone, pbx, firewall. Nothing worked. I got to where the phone could ring an internal extension but there was no voice. I tried DNAT on rtp and without it, but there was no improvement.

I have gone back to using the PBX as a firewall running shorewall again, this works very well. I would implement fully with Multi-ISP but I had trouble building the T1 card driver against the new kernel.
Oh well...

--
Chris Mason
Chris Mason (Lists) wrote:
> ...
> Here's another strange log event:
>
> Feb 28 12:49:11 firewall kernel: Shorewall:all2all:REJECT:IN=eth3 OUT=
> MAC=00:03:47:95:be:fc:00:0e:08:ca:b2:28:08:00 SRC=192.168.0.12
> DST=192.168.0.1 LEN=529 TOS=0x08 PREC=0x60 TTL=250 ID=26200 PROTO=UDP
> SPT=5060 DPT=5060 LEN=509

You'll get a lot better diagnostics from your log messages if you implement the policies recommended in the latest samples, e.g.
http://svn.sourceforge.net/viewcvs.cgi/shorewall/trunk/Samples/three-interfaces/policy?view=markup&rev=3563

More info here:
http://sourceforge.net/mailarchive/message.php?msg_id=14807387

Paul
Paul Gear wrote:
>
> You'll get a lot better diagnostics from your log messages if you
> implement the policies recommended in the latest samples, e.g.
> http://svn.sourceforge.net/viewcvs.cgi/shorewall/trunk/Samples/three-interfaces/policy?view=markup&rev=3563

That's helpful, thanks.

> More info here:
> http://sourceforge.net/mailarchive/message.php?msg_id=14807387

So Tom's a softie, eh?

--
Chris Mason
Chris Mason (Lists) wrote:
>
> This would sound likely but I tried rebooting everything, phone, pbx,
> firewall. Nothing worked. I got to where the phone could ring an
> internal extension but there was no voice. I tried DNAT on rtp and with
> out it, but there was no improvement.

Note that the SIP messages themselves also carry information about where to send the RTP stream, so if the SIP devices have RFC 1918 addresses they will try to connect to those 1918 addresses.

> I have gone back to using the PBX as a firewall running shorewall again,
> this works very well. I would implement fully with Multi-ISP but I had
> trouble building the T1 card driver against the new kernel.
> Oh well...

Erik Versaevel
Erik wrote:
> Chris Mason (Lists) wrote:
>
>> This would sound likely but I tried rebooting everything, phone, pbx,
>> firewall. Nothing worked. I got to where the phone could ring an
>> internal extension but there was no voice. I tried DNAT on rtp and with
>> out it, but there was no improvement.
>
> Note that the SIP messages themselves also carry information about where
> to send the RTP stream, so if the SIP devices have RFC 1918 addresses
> they will try to connect to those 1918 addresses.

It is all rfc1918 as the external addresses are rfc1918 also. I removed norfc1918 in the interfaces file for this reason.

--
Chris Mason
Erik wrote:
> Chris Mason (Lists) wrote:
>
>> This would sound likely but I tried rebooting everything, phone, pbx,
>> firewall. Nothing worked. I got to where the phone could ring an
>> internal extension but there was no voice. I tried DNAT on rtp and with
>> out it, but there was no improvement.
>
> Note that the SIP messages themselves also carry information about where
> to send the RTP stream, so if the SIP devices have RFC 1918 addresses
> they will try to connect to those 1918 addresses.

siproxd is one way of getting around this.

Paul
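An added example, written for this page and not taken from Erik's or Paul's messages nor from siproxd, showing the point both make: the SDP body carried inside SIP signalling names the address and port where RTP audio should be sent. A PBX behind NAT advertises its private address there, so the far end sends audio to an address it cannot reach while the signalling on port 5060 (which the DNAT rule does handle) still works, which is consistent with "the phone could ring but there was no voice". The SIP 200 OK below is constructed for the example; the PBX and firewall addresses are assumptions taken from the thread. The rewrite function does in outline what a SIP-aware proxy such as siproxd does to the c= and m= lines (siproxd also relays the RTP itself, which is not shown here). Because both sides of this particular setup use RFC 1918 space, the check compares the advertised address with the address the signalling packet actually left from rather than relying on "is it private" alone.

```python
import ipaddress
import re

PBX_ADDR = "192.168.0.2"  # $PBX behind eth3 (assumption from the thread)
FW_ADDR = "10.10.19.3"    # eth0 address the far end sees after masquerading


def build_message(start_line, headers, body):
    """Assemble a SIP message; Content-Length is computed from the body."""
    hdrs = headers + [("Content-Length", str(len(body.encode())))]
    head = start_line + "".join(f"\r\n{k}: {v}" for k, v in hdrs)
    return head + "\r\n\r\n" + body


# Constructed example: the 200 OK the PBX would send to the remote phone.
# The packet leaves the firewall with source 10.10.19.3, but the SDP tells
# the far end to send RTP to 192.168.0.2, which it cannot reach.
OK_200 = build_message(
    "SIP/2.0 200 OK",
    [
        ("Via", "SIP/2.0/UDP 10.10.20.4:5060;branch=z9hG4bK776asdhds"),
        ("From", "<sip:100@10.10.20.4>;tag=1928301774"),
        ("To", "<sip:200@10.10.19.3>;tag=a6c85cf"),
        ("Call-ID", "a84b4c76e66710"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:200@{PBX_ADDR}:5060>"),
        ("Content-Type", "application/sdp"),
    ],
    "v=0\r\n"
    f"o=pbx 2890844526 2890844526 IN IP4 {PBX_ADDR}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PBX_ADDR}\r\n"
    "t=0 0\r\n"
    "m=audio 10002 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n",
)


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def rtp_endpoint(msg):
    """(ip, port) to which the sender asks the far end to deliver RTP audio.
    Lines end in CRLF, so the patterns deliberately avoid a trailing '$'."""
    _, body = split_message(msg)
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if not c or not m:
        raise ValueError("SDP has no audio media description")
    return c.group(1), int(m.group(1))


def rtp_unreachable(msg, seen_from):
    """True when the SDP names a private address other than the one the SIP
    packet arrived from: the far end would send its RTP into a void."""
    ip, _ = rtp_endpoint(msg)
    return ip != seen_from and ipaddress.ip_address(ip).is_private


def rewrite_sdp(msg, public_ip, public_port):
    """Rewrite c= and the audio m= port the way a SIP-aware proxy does,
    then correct Content-Length so the receiver still parses the body."""
    head, body = split_message(msg)
    body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {public_ip}", body, flags=re.M)
    body = re.sub(r"^m=audio \d+ ", f"m=audio {public_port} ", body, flags=re.M)
    head = re.sub(r"^Content-Length: \d+",
                  f"Content-Length: {len(body.encode())}", head, flags=re.M)
    return head + "\r\n\r\n" + body


def content_length_ok(msg):
    """Sanity check after rewriting: header must match the actual body size."""
    head, body = split_message(msg)
    cl = re.search(r"^Content-Length: (\d+)", head, re.M)
    return cl is not None and int(cl.group(1)) == len(body.encode())


if __name__ == "__main__":
    print("advertised RTP endpoint:", rtp_endpoint(OK_200),
          "unreachable from far end:", rtp_unreachable(OK_200, FW_ADDR))
    fixed = rewrite_sdp(OK_200, FW_ADDR, 10002)
    print("rewritten RTP endpoint:", rtp_endpoint(fixed),
          "unreachable from far end:", rtp_unreachable(fixed, FW_ADDR))
```

The rewritten port only helps if the firewall also forwards that port to the PBX, which is what the second DNAT rule (udp 10000:20000) in the thread is for; the address rewrite and the port forward have to agree, and a proxy like siproxd keeps them in step by terminating the RTP itself.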