Hi.

I'm trying to connect 2 Asterisk servers between Linux firewalls (iptables).

I'm using exactly the same iptables script in both firewall servers, but I don't obtain the same answer in both.

This is the scenario.

[ASTERISK-NetA]-----[FIREWALL-NetA]-----INTERNET---[FIREWALL-NetB]----[ASTERISK-NetB]

Now I do a test on NetA

<Test on net A>

root@FIREWAL-NetA# nmap -sU -sV -p4569 public.ip.net.B

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-03 12:17 GMT
Interesting ports on public.ip.net.B (5.6.7.8):
PORT     STATE SERVICE VERSION
4569/udp open  iax2

</Test on net A>

All fine. Now I test NetB

<Test in net B>

root@FIREWAL-NetB# nmap -sU -sV -p4569 public.ip.net.A

Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-03 12:24 GMT
Interesting ports on public.ip.net.A (1.2.3.4):
PORT     STATE SERVICE VERSION
4569/udp open  iax2

</Test in net B>

Fine too. But when I do a ping test to the UDP port, the answer is not the same:

<Ping From A>
root@FIREWAL-NetA# hping3 public.ip.net.B --udp -V -p 4569
using eth0, addr: 1.2.3.4, MTU: 1500
HPING public.ip.net.B (eth0 1.2.3.4): udp mode set, 28 headers + 0 data bytes
len=46 ip=5.6.7.8 ttl=57 id=60657 tos=18 iplen=40 seq=0 rtt=0.0 ms
len=46 ip=5.6.7.8 ttl=57 id=60658 tos=18 iplen=40 seq=0 rtt=0.0 ms
len=46 ip=5.6.7.8 ttl=57 id=60659 tos=18 iplen=40 seq=0 rtt=0.0 ms
^C
--- public.ip.net.B hping statistic ---
19 packets transmitted, 3 packets received, 85% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

</Ping From A>

Ping from A works fine, but ping from B obtains a "Port Unreachable"

<Ping From B>
root@FIREWAL-NetB# hping3 public.ip.net.A --udp -V -p 4569
using eth0, addr: 5.6.7.8, MTU: 1500
ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
^C
--- 1.2.3.4 hping statistic ---
31 packets transmitted, 4 packets received, 88% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

</Ping From B>

So both Asterisk servers can't be connected.

What can I check? I don't understand why, if I use the same rules, the answer is different.

Thanks in advance for your help.

iptables -L -n | grep icmp gives you the same on both machines?

Is it possible that the other public IP is behind a "main" firewall, provided by your ISP? I know our hosting provider has this. They filter all traffic through their main router, and after that locally with iptables.

On Tue, Jan 3, 2012 at 6:53 PM, kazabe <kazabe at gmail.com> wrote:
> Hi.
>
> I'm trying to connect 2 Asterisk servers between Linux firewalls (iptables).
>
> I'm using exactly the same iptables script in both firewall servers,
> but I don't obtain the same answer in both.
>
> This is the scenario.
>
> [ASTERISK-NetA]-----[FIREWALL-NetA]-----INTERNET---[FIREWALL-NetB]----[ASTERISK-NetB]
>
> Now I do a test on NetA
>
> <Test on net A>
>
> root@FIREWAL-NetA# nmap -sU -sV -p4569 public.ip.net.B
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-03 12:17 GMT
> Interesting ports on public.ip.net.B (5.6.7.8):
> PORT     STATE SERVICE VERSION
> 4569/udp open  iax2
>
> </Test on net A>
>
> All fine. Now I test NetB
>
> <Test in net B>
>
> root@FIREWAL-NetB# nmap -sU -sV -p4569 public.ip.net.A
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2012-01-03 12:24 GMT
> Interesting ports on public.ip.net.A (1.2.3.4):
> PORT     STATE SERVICE VERSION
> 4569/udp open  iax2
>
> </Test in net B>
>
> Fine too. But when I do a ping test to the UDP port, the answer is
> not the same:
>
> <Ping From A>
> root@FIREWAL-NetA# hping3 public.ip.net.B --udp -V -p 4569
> using eth0, addr: 1.2.3.4, MTU: 1500
> HPING public.ip.net.B (eth0 1.2.3.4): udp mode set, 28 headers + 0 data bytes
> len=46 ip=5.6.7.8 ttl=57 id=60657 tos=18 iplen=40 seq=0 rtt=0.0 ms
> len=46 ip=5.6.7.8 ttl=57 id=60658 tos=18 iplen=40 seq=0 rtt=0.0 ms
> len=46 ip=5.6.7.8 ttl=57 id=60659 tos=18 iplen=40 seq=0 rtt=0.0 ms
> ^C
> --- public.ip.net.B hping statistic ---
> 19 packets transmitted, 3 packets received, 85% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
>
> </Ping From A>
>
> Ping from A works fine, but ping from B obtains a "Port Unreachable"
>
> <Ping From B>
> root@FIREWAL-NetB# hping3 public.ip.net.A --udp -V -p 4569
> using eth0, addr: 5.6.7.8, MTU: 1500
> ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
> ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
> ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
> ICMP Port Unreachable from ip=1.2.3.4 name=UNKNOWN
> ^C
> --- 1.2.3.4 hping statistic ---
> 31 packets transmitted, 4 packets received, 88% packet loss
> round-trip min/avg/max = 0.0/0.0/0.0 ms
>
> </Ping From B>
>
> So both Asterisk servers can't be connected.
>
> What can I check? I don't understand why, if I use the same rules, the
> answer is different.
>
> Thanks in advance for your help.
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

On 6 January 2012 06:00, Roland <asterisk at rolandow.com> wrote:
> iptables -L -n | grep icmp gives you the same on both machines?

Yes.

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

> Is it possible that the other public IP is behind a "main" firewall,

The ISP says they don't have any firewall. And the port is displayed as open.

PORT     STATE SERVICE VERSION
4569/udp open  iax2

What other test can I do to obtain any clue about the connection problem?

Thanks in advance.

I "found" this on another post and "cleaned it up" - might help

#!/usr/local/bin/perl
use strict;
use IO::Socket;    # also exports the Socket functions used below

my $target = shift or die "usage: $0 <host>\n";    # e.g. "192.168.0.255"
my $target_port = 4569;

socket(PING, PF_INET, SOCK_DGRAM, getprotobyname("udp")) or die "socket: $!\n";

# Build Packet ...
# Names from ethereal filter of registration packet
# 8000: most significant bit is the IAX packet type "full",
# required for a poke etc...
my $src_call     = "8000";
my $dst_call     = "0000";
my $timestamp    = "00000000";
my $outbound_seq = "00";
my $inbound_seq  = "00";
my $type         = "06";    # IAX_Control
my $iax_type     = "1e";    # POKE
my $msg = pack "H24", $src_call . $dst_call . $timestamp .
    $outbound_seq . $inbound_seq . $type . $iax_type;

# Send UDP packet
my $ipaddr = inet_aton($target) or die "cannot resolve $target\n";
my $sendto = sockaddr_in($target_port, $ipaddr);
send(PING, $msg, 0, $sendto) == length($msg)
    or die "cannot send to $target : $target_port : $!\n";

# Listen for responses... listen for TIMEOUT seconds and report all
# responders (works for broadcast pings)
my $MAXLEN  = 1024;
my $TIMEOUT = 5;
eval {
    local $SIG{ALRM} = sub { die "alarm time out\n"; };
    alarm $TIMEOUT;
    while (1) {
        my $recvfrom = recv(PING, $msg, $MAXLEN, 0) or die "recv: $!\n";
        my ($port, $ipaddr) = sockaddr_in($recvfrom);
        my $respaddr = inet_ntoa($ipaddr);
        print "Response from $respaddr : $port\n";
        exit;
    }
};
# The eval only ends through die: either the alarm fired or recv failed
print $@ =~ /alarm time out/ ? "timed out $target\n" : "error: $@";

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of kazabe
Sent: Friday, January 06, 2012 10:12 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Problem connecting to 4569/UDP
On 6 January 2012 06:00, Roland <asterisk at rolandow.com> wrote:
> iptables -L -n | grep icmp gives you the same on both machines?

Yes.

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

> Is it possible that the other public IP is behind a "main" firewall,

The ISP says they don't have any firewall. And the port is displayed as open.

PORT     STATE SERVICE VERSION
4569/udp open  iax2

What other test can I do to obtain any clue about the connection problem?

Thanks in advance.
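
The POKE probe from the Perl script above, as an added example that is not part of any post in this thread: it builds the same 12-byte full frame, decodes the reply header, and uses a connected UDP socket so that the ICMP Port Unreachable seen with hping3 is reported as its own result instead of a timeout. The PONG subclass value 0x03 is taken from RFC 5456 rather than from the thread, and the function names are made up for this example.

```python
import socket
import struct

HDR = struct.Struct(">HHIBBBB")   # IAX2 full-frame header, 12 bytes
FRAME_IAX = 0x06                  # frame type "IAX control" (from the Perl script)
POKE, PONG = 0x1E, 0x03           # POKE from the script; PONG per RFC 5456 (assumption)

def build_poke():
    # F bit set (0x8000), call numbers 0, timestamp 0, sequence numbers 0
    return HDR.pack(0x8000, 0, 0, 0, 0, FRAME_IAX, POKE)

def parse_full_frame(data):
    """Return the header fields of a full frame, or None for anything else."""
    if len(data) < HDR.size:
        return None
    src, dst, ts, oseq, iseq, ftype, sub = HDR.unpack_from(data)
    if not src & 0x8000:          # F bit clear: mini frame, not a full frame
        return None
    return {"src_call": src & 0x7FFF, "dst_call": dst & 0x7FFF,
            "retransmit": bool(dst & 0x8000), "timestamp": ts,
            "oseq": oseq, "iseq": iseq, "type": ftype, "subclass": sub & 0x7F}

def classify(data):
    """Name what a received datagram is, from the probe's point of view."""
    hdr = parse_full_frame(data)
    if hdr is None:
        return "not-iax-full-frame"
    if hdr["type"] == FRAME_IAX and hdr["subclass"] == PONG:
        return "pong"
    return "other-iax-reply"

def probe(host, port=4569, timeout=5.0):
    """Send one POKE and say what came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # connected socket: ICMP errors are delivered to us
        try:
            s.send(build_poke())
            return classify(s.recv(1024))
        except ConnectionRefusedError:
            return "icmp-port-unreachable"   # nothing accepted the datagram
        except socket.timeout:
            return "no-reply"                # dropped or filtered on the path

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run from each firewall against the other side's public address, "pong" means the datagram reached an IAX2 listener and the answer came back, while "icmp-port-unreachable" and "no-reply" separate an active rejection from a silent drop.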