Hi,

I just spent too much time on an *extremely* trivial issue, so I thought I'd share it for future reference with other braindead people.

To get ip_conntrack_sip and ip_conntrack_h323 to work while masquerading, just copy /usr/share/shorewall/modules to /etc/shorewall/modules and add the sip and h323 modules in appropriate places:

    loadmodule ip_conntrack_sip
    loadmodule ip_conntrack_h323
    ...
    loadmodule ip_nat_sip
    loadmodule ip_nat_h323

Also restart Shorewall. These modules are in stock kernels as of 2.6.18; you can check by issuing modprobe ip_conntrack_sip.

If you're like me and forget to also load the ip_nat_* modules, nothing 'just' works. If you're not like me, it _does_ just work very nicely...

Bye,
--
- Pieter
Pieter Ennes wrote:
> To get ip_conntrack_sip and ip_conntrack_h323 to work while
> masquerading, just copy /usr/share/shorewall/modules to
> /etc/shorewall/modules and add the sip and h323 modules in appropriate
> places:

I've updated the 'modules' files for both the 3.2 and 3.4 releases. Thanks.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> I've updated the 'modules' files for both the 3.2 and 3.4 releases. Thanks.

Great, that is even better of course...

Thanks,
--
- Pieter
I updated my modules file to include these module loads. What happens now is that my SIP clients cannot register with the asterisk server. My asterisk server runs on the same machine as the firewall. All the sip clients sit behind the firewall on the local LAN.

I'm not sure what they are needed for; however, I need to remove them as modules to get asterisk to work as it did before.

Any explanation as to why this would happen?

Jim

Pieter Ennes wrote:
> Hi,
>
> I just spent too much time on an *extremely* trivial issue, so I thought
> I'd share it for future reference with other braindead people.
>
> To get ip_conntrack_sip and ip_conntrack_h323 to work while
> masquerading, just copy /usr/share/shorewall/modules to
> /etc/shorewall/modules and add the sip and h323 modules in appropriate
> places:
>
> loadmodule ip_conntrack_sip
> loadmodule ip_conntrack_h323
> ...
> loadmodule ip_nat_sip
> loadmodule ip_nat_h323
>
> Also restart Shorewall. These modules are in stock kernels as of 2.6.18;
> you can check by issuing modprobe ip_conntrack_sip.
>
> If you're like me and forget to also load the ip_nat_* modules, nothing
> 'just' works. If you're not like me, it _does_ just work very nicely...
>
> Bye,
Jim Duda wrote:
> I updated my modules file to include these module loads. What happens
> now is that my SIP clients cannot register with the asterisk server. My
> asterisk server runs on the same machine as the firewall. All the sip
> clients sit behind the firewall on the local LAN.

Beware that the module loads were added to the standard modules file for 3.2.9 and 3.4.0 RC2. So if problems occur with either of those releases, you will need to:

a) Copy /usr/share/shorewall/modules to /etc/shorewall/modules
b) Edit the copy and remove the appropriate lines.

It is a good idea to prune the list of modules anyway -- see Shorewall FAQ 59.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom,

I'm currently running shorewall 3.2.8, on FC5, using yum updates.

After reading this message, I did the following.
Copied /usr/share/shorewall/modules to /etc/shorewall/modules. The one I have in /etc/shorewall was from an earlier 3.2.x release.
I manually added the four lines suggested in this thread.
I restarted shorewall, and saw that the new kernel modules for sip and h323 were now loaded.
I then realized that my asterisk application wasn't working.
I removed the modules from shorewall.
Asterisk still broken.
I unloaded the kernel modules and restarted asterisk.
Asterisk now functions again.
When it was broken, the sip clients couldn't register for some reason.

My modules file now looks like below.

    linux# shorewall version
    3.2.8
    linux# pwd
    /etc/shorewall
    linux# diff modules /usr/share/shorewall/modules
    55,56d54
    < #loadmodule ip_conntrack_sip
    < #loadmodule ip_conntrack_h323
    63,64d60
    < #loadmodule ip_nat_sip
    < #loadmodule ip_nat_h323

I'm working okay now; this was more of a heads-up to the group concerning the experience I had.

Jim

"Tom Eastep" <teastep@shorewall.net> wrote in message news:45D090B0.1010508@shorewall.net...
Jim Duda wrote:
> After reading this message, I did the following.
> Copied /usr/share/shorewall/modules to /etc/shorewall/modules. The
> one I have in /etc/shorewall was from an earlier
> 3.2.x release.
> I manually added the four lines suggested in this thread.
> I restarted shorewall, and saw that the new kernel modules for sip
> and h323 were now loaded.
> I then realized that my asterisk application wasn't working.
> I removed the modules from shorewall.
> Asterisk still broken.
> I unloaded the kernel modules and restarted asterisk.
> Asterisk now functions again.
> When it was broken, the sip clients couldn't register for some reason.

Are your SIP clients configured to talk to the public or private address on the firewall? Are they internal or external to the firewall?

I'm guessing that the SIP NAT module is looking inside the SIP messages for IP addresses, and mangling these to match the NAT that is being done - it looks like you have a situation where the result is not correct.
Simon,

The SIP clients are configured to interface with the private 192.168.0.X address on the firewall. The clients are all external to the firewall on the local LAN. I would have only expected NAT to have been performed if the SIP clients were attempting to access something external in the internet.

Jim

"Simon Hobson" <linux@thehobsons.co.uk> wrote in message news:a06230907c1f6aa173cec@[192.168.1.35]...
> Jim Duda wrote:
>
>> After reading this message, I did the following.
>> Copied /usr/share/shorewall/modules to /etc/shorewall/modules. The
>> one I have in /etc/shorewall was from an earlier
>> 3.2.x release.
>> I manually added the four lines suggested in this thread.
>> I restarted shorewall, and saw that the new kernel modules for sip
>> and h323 were now loaded.
>> I then realized that my asterisk application wasn't working.
>> I removed the modules from shorewall.
>> Asterisk still broken.
>> I unloaded the kernel modules and restarted asterisk.
>> Asterisk now functions again.
>> When it was broken, the sip clients couldn't register for some reason.
>
> Are your SIP clients configured to talk to the public or private
> address on the firewall? Are they internal or external to the
> firewall?
>
> I'm guessing that the SIP NAT module is looking inside the SIP
> messages for IP addresses, and mangling these to match the NAT that
> is being done - it looks like you have a situation where the result
> is not correct.
Jim Duda wrote:
> The SIP clients are configured to interface with the private
> 192.168.0.X address on the firewall. The clients are all
> external to the firewall on the local LAN. I would have only
> expected NAT to have been performed if the SIP clients
> were attempting to access something external in the internet.

I agree, so it looks like the sip nat module is getting involved when it shouldn't.

I'm not familiar enough with IPTables to suggest next steps; I'm more used to diagnosing why a remote device can't connect through some crappy gateway coded by an imbecile (anyone from Zyxel listening?) who thinks symmetric nat and constantly changing ports is a cute idea!
Hi,

Simon Hobson wrote:
> Jim Duda wrote:
>
>> The SIP clients are configured to interface with the private
>> 192.168.0.X address on the firewall. The clients are all
>> external to the firewall on the local LAN. I would have only
>> expected NAT to have been performed if the SIP clients
>> were attempting to access something external in the internet.
>
> I agree, so it looks like the sip nat module is getting involved when
> it shouldn't.

I just ran into this bug, which seems at least related:

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=522

Should be fixed in 2.6.20, and it also mentions a work-around by issuing:

    iptables -t raw -A PREROUTING -j NOTRACK

HTH,
--
- Pieter
Pieter Ennes wrote:
>
> Should be fixed in 2.6.20, and it also mentions a work-around by issuing:
>
> iptables -t raw -A PREROUTING -j NOTRACK
>

That is NOT a workaround. That rule will essentially disable connection tracking for all packets entering the firewall.

The workaround is to not load the SIP helpers.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
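Two audit checks that follow from this thread, written as an added example (not code from the thread, from Shorewall or from netfilter): the first reads a Shorewall 'modules' file and flags an ip_conntrack_* helper loaded without its ip_nat_* partner, the mistake Pieter described in the first message; the second scans iptables-save output for the blanket raw-table NOTRACK rule Tom warns about. The function names and the sample files are my own; the 'loadmodule NAME' line format comes from the thread.

```shell
# Added example, not code from the thread or from Shorewall: two offline audit
# checks for the thread's two lessons, run here on constructed sample input.
# check_helper_pairs FILE: read a Shorewall 'modules' file and report every
# ip_conntrack_<proto> helper loaded without its ip_nat_<proto> partner (the
# "forgot the ip_nat_* modules" mistake). Commented-out lines are ignored and
# netbios_ns is skipped since it has no NAT helper. Returns 1 on any report.
check_helper_pairs() {
    loaded=$(awk '$1 == "loadmodule" { print $2 }' "$1")
    rc=0
    for mod in $loaded; do
        case $mod in
            ip_conntrack_netbios_ns) ;;
            ip_conntrack_*)
                proto=${mod#ip_conntrack_}
                if ! printf '%s\n' "$loaded" | grep -qx "ip_nat_$proto"; then
                    echo "helper $mod loaded without ip_nat_$proto"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# check_blanket_notrack FILE: scan iptables-save output for a raw-table
# PREROUTING rule that jumps to NOTRACK with no match at all (the rule quoted
# from the bug report), which disables connection tracking for every inbound
# packet. A NOTRACK rule carrying a match is left alone. Returns 1 if found.
check_blanket_notrack() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && $1 == "-A" && $2 == "PREROUTING" &&
            NF == 4 && $3 == "-j" && $4 == "NOTRACK" {
            print "blanket NOTRACK rule: " $0; found = 1
        }
        END { exit found ? 1 : 0 }' "$1"
}

# Constructed sample input: a modules file missing ip_nat_sip, and a saved
# ruleset carrying the blanket NOTRACK rule.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'loadmodule ip_conntrack_ftp' 'loadmodule ip_conntrack_sip' \
        '#loadmodule ip_conntrack_h323' 'loadmodule ip_nat_ftp' > "$tmp/modules"
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' '-A PREROUTING -j NOTRACK' \
        'COMMIT' '*filter' '-A INPUT -p udp --dport 5060 -j ACCEPT' 'COMMIT' > "$tmp/save"
    check_helper_pairs "$tmp/modules" || echo "-> fix the modules file"
    check_blanket_notrack "$tmp/save" || echo "-> remove the NOTRACK rule"
    rm -rf "$tmp"
}
demo
```

Run the checks against the real /etc/shorewall/modules and the output of iptables-save on a masquerading firewall; on a box that does no NAT the missing ip_nat_* partner is expected and the first check can be ignored.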