John A. Sullivan III
2009-Aug-26 01:07 UTC
[asterisk-users] netfilter conntrack mangling canreinvite?
Hello, all. Since implementing an iptables firewall between the Asterisk PBX and several SIP phones, the Asterisk PBX's ability to "reinvite" has been broken even when the phones are on the same network (i.e., no firewall between the phones). We've been beating our heads against the wall thinking it was the complex rule set, but it appears the issue is ip_conntrack_sip.

Before I drop another day into verifying this, may I ask if anyone else has had a similar problem and found a solution? It appears conntrack is rewriting the SDP so that the address is reverted to the PBX address.

Here is the relevant SDP portion of a reinvite captured on the PBX using tcpdump and displayed in Wireshark. The PBX is at 172.x.x.8 and the phone is at 10.x.x.193:

Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4 10.x.x.183
Owner Address: 10.x.x.183
Connection Information (c): IN IP4 10.x.x.183
Connection Address: 10.x.x.183

Here is a similar sequence but captured from the phone itself:

Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.x.x.8
Owner Address: 172.x.x.8
Connection Information (c): IN IP4 172.x.x.8
Connection Address: 172.x.x.8

It would appear conntrack has incorrectly "fixed" the packet.

I noticed newer kernels have sip_direct_media and sip_direct_signalling options. I don't know if those apply, but they do not seem to be present in our CentOS 5.3 kernel.

I'll probably spend most of tomorrow confirming this hypothesis and investigating solutions, so I'd be deeply appreciative of any time-saving advice. Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
John A. Sullivan III
2009-Aug-27 02:12 UTC
[asterisk-users] netfilter conntrack mangling canreinvite?
On Tue, 2009-08-25 at 21:07 -0400, John A. Sullivan III wrote:
> Hello, all. Since implementing an iptables firewall between the
> Asterisk PBX and several SIP phones, the Asterisk PBX ability to
> "reinvite" has been broken even when the phones are on the same network
> (i.e., no firewall between the phones). We've been beating our heads
> against the wall thinking it was the complex rule set but it appears the
> issue is ip_conntrack_sip.
>
> Before I drop another day into verifying this, may I ask if anyone else
> has had a similar problem and found a solution? It appears conntrack is
> rewriting the SDP so that the address is reverted to the PBX address.
>
> Here are the relevant SDP portion of a reinvite captured on the PBX
> using tcpdump and displayed in Wireshark. The PBX is at 172.x.x.8 and
> the phone is at 10.x.x.193:
>
> Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4 10.x.x.183
> Owner Address: 10.x.x.183
> Connection Information (c): IN IP4 10.x.x.183
> Connection Address: 10.x.x.183
>
> Here is a similar sequence but captured from the phone itself:
> Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.x.x.8
> Owner Address: 172.x.x.8
> Connection Information (c): IN IP4 172.x.x.8
> Connection Address: 172.x.x.8
>
> It would appear conntrack is incorrectly "fixed" the packet.
>
> I noticed newer kernels have sip_direct_media and sip_direct_signalling
> options. I don't know if those apply but they do not seem to be present
> in our CentOS 5.3 kernel.
>
> I'll probably spend most of tomorrow confirming this hypothesis and
> investigating solutions so I'd be deeply appreciative for any
> time-saving advice. Thanks - John

The ip_nat_sip conntrack module was indeed the culprit. Apparently this can be fixed in newer kernels by setting the sip_direct_media=0 option for ip_conntrack_sip in modprobe.conf.

However, since our CentOS 5.3 version of the kernel does not support this, we disabled ip_nat_sip and returned responsibility for managing NAT to sip.conf. Hope this helps someone else - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
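A small check for the symptom diagnosed above, added here as an example and not part of the thread: it parses the o= and c= lines of a re-INVITE's SDP as captured on the sending side and on the receiving side and reports which addresses changed in transit, which is what a SIP NAT helper rewriting the body looks like. The SDP bodies are constructed from the addresses quoted in the thread; the function names are my own.

```python
"""Detect a NAT helper (ip_nat_sip / nf_nat_sip) rewriting SDP addresses by
comparing the body one endpoint sent with the body the other endpoint received.
All SDP below is constructed for this example."""
import re

# Constructed: re-INVITE SDP as captured on the PBX (172.x.x.8) before it
# crosses the firewall; Asterisk points media straight at the far phone.
SDP_ON_PBX = """v=0
o=root 1417450700 1417450701 IN IP4 10.x.x.183
s=session
c=IN IP4 10.x.x.183
t=0 0
m=audio 16384 RTP/AVP 0
"""

# Constructed: the same re-INVITE as seen by the phone after conntrack has
# "fixed" both addresses back to the PBX, breaking the direct media path.
SDP_ON_PHONE = """v=0
o=root 1417450700 1417450701 IN IP4 172.x.x.8
s=session
c=IN IP4 172.x.x.8
t=0 0
m=audio 16384 RTP/AVP 0
"""


def sdp_endpoints(sdp):
    """Extract the owner (o=) address, connection (c=) address and audio port."""
    owner = re.search(r"^o=\S+ \S+ \S+ IN IP4 (\S+)", sdp, re.M)
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    port = re.search(r"^m=audio (\d+) ", sdp, re.M)
    return {
        "owner": owner.group(1) if owner else None,
        "connection": conn.group(1) if conn else None,
        "audio_port": int(port.group(1)) if port else None,
    }


def rewritten_fields(sent, received):
    """Map each field that differs between sender and receiver to (sent, seen).
    An empty result means nothing on the path touched the SDP."""
    a, b = sdp_endpoints(sent), sdp_endpoints(received)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for field, (sent, seen) in rewritten_fields(SDP_ON_PBX, SDP_ON_PHONE).items():
        # Per the thread: on kernels that support it, sip_direct_media=0 for
        # ip_conntrack_sip in modprobe.conf; otherwise unload ip_nat_sip.
        print(f"{field}: sent {sent}, receiver saw {seen} (SIP helper rewrote it)")
```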