Hello,

I'm trying to configure an Asterisk box behind Shorewall.

I have done Static NAT from the External Address to the Address of the Asterisk Box.

I added some rules like

ACCEPT net loc:192.168.1.250 tcp 5060 5060
ACCEPT net loc:192.168.1.250 udp 5060 5060

but it never works, and when I try to nmap the External Address, I find that the port 5060 is closed. Even (for testing purposes) I altered the policy file as shown below:

loc  net  ACCEPT  info
loc  $FW  ACCEPT  info
loc  all  ACCEPT  info
$FW  net  ACCEPT  info
$FW  loc  ACCEPT  info
$FW  all  ACCEPT  info
net  $FW  ACCEPT  info
net  loc  ACCEPT  info
net  all  DROP    info
all  all  DROP    info

P.S. I'm using CentOS 4.4 and Shorewall 3.2.5.

Please help. Thank you for your reply in advance.

Kind Regards
Samer

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Samer Y. Azmy wrote:
> I'm trying to configure an Asterisk box behind Shorewall
>
> I have done Static NAT from the External Address to the Address of
> the Asterisk Box
>
> I added some rules like
> ACCEPT net loc:192.168.1.250 tcp 5060 5060
> ACCEPT net loc:192.168.1.250 udp 5060 5060

OK, what is your network topology? Where did you do the static NAT? Have you tried just turning off Shorewall until you get the network right?

> but it never works, and when I try to nmap the External Address, I
> find that the port 5060 is closed

Where are you doing your scan from? Don't forget that you can't do that from the inside of the network (very few gateways support hairpinning).

> P.S. I'm using CentOS 4.4, and Shorewall 3.2.5,

Are you running Asterisk@Home/Trixbox or a manual install of Asterisk? For AAH or Trixbox, you will need to populate sip_nat.conf so that Asterisk can put the right address/port in its outbound SIP messages. Not sure which file it belongs in for a manual Asterisk install.
Hello,

Thank you for your reply.

1) Regarding the network topology: it is a two-network structure; the local LAN interface is connected to a switch, where the rest of the servers are.

2) For Asterisk, we have TrixBox.

3) The strange thing that I need feedback on is that
   i) we used to run rc.firewall and Asterisk used to work
   ii) now with Shorewall Asterisk does not work
   iii) all that I have done is to stop rc.firewall (rc.firewall stop)
   iv) I did alter rc.firewall or any other files
   v) I installed/configured Shorewall

Is that enough, or should I do something more?

4) The strange thing is that when I nmap the server, I find closed ports, although I opened them through Shorewall; nmap reports them closed.

5) nmap is able to scan the server and report open ports, as well as closed/filtered (so the ISP is not blocking nmap). Please note that I scan from another network (a completely different ISP).

Your replies are highly appreciated.

Kind Regards
Samer

----- Original Message -----
From: "Simon Hobson" <linux@thehobsons.co.uk>
To: <shorewall-users@lists.sourceforge.net>
Sent: Sunday, November 12, 2006 11:07 AM
Subject: Re: [Shorewall-users] ShoreWall and Asterisk

> Samer Y. Azmy wrote:
>
>> I'm trying to configure an Asterisk box behind Shorewall
>>
>> I have done Static NAT from the External Address to the Address of
>> the Asterisk Box
>>
>> I added some rules like
>> ACCEPT net loc:192.168.1.250 tcp 5060 5060
>> ACCEPT net loc:192.168.1.250 udp 5060 5060
>
> OK, what is your network topology? Where did you do the static NAT?
> Have you tried just turning off Shorewall until you get the
> network right?
>
>> but it never works, and when I try to nmap the External Address, I
>> find that the port 5060 is closed
>
> Where are you doing your scan from? Don't forget that you can't do
> that from the inside of the network (very few gateways support
> hairpinning).
>
>> P.S. I'm using CentOS 4.4, and Shorewall 3.2.5,
>
> Are you running Asterisk@Home/Trixbox or a manual install of Asterisk?
>
> For AAH or Trixbox, you will need to populate sip_nat.conf so that
> Asterisk can put the right address/port in its outbound SIP
> messages. Not sure which file it belongs in for a manual Asterisk
> install.
Try bottom posting, it's easier to follow!

Samer Y. Azmy wrote:
>>> I have done Static NAT from the External Address to the Address of
>>> the Asterisk Box
>>>
>>> I added some rules like
>>> ACCEPT net loc:192.168.1.250 tcp 5060 5060
>>> ACCEPT net loc:192.168.1.250 udp 5060 5060
>>
>> OK, what is your network topology? Where did you do the static NAT?
>> Have you tried just turning off Shorewall until you get the
>> network right?
>
> 1) Regarding the network topology
> It is a two-network structure, the local LAN interface is connected to a switch,
> where the rest of the servers are

How are you connected to the internet, where is the NAT done, and how are you sure that the NAT (or more precisely the port forwarding) is working correctly? What I'm getting at is things like: is this system acting as the gateway (and doing NAT internally), or is it sat on a LAN with a separate router?

>> Are you running Asterisk@Home/Trixbox or a manual install of Asterisk?
>>
>> For AAH or Trixbox, you will need to populate sip_nat.conf so that
>> Asterisk can put the right address/port in its outbound SIP
>> messages. Not sure which file it belongs in for a manual Asterisk
>> install.
>
> 2) For Asterisk, we have TrixBox

Don't forget to create sip_nat.conf - try Google for what should be in it, I can't remember offhand.

> 3) The strange thing that I need feedback on is that
> i) we used to run rc.firewall and Asterisk used to work
> ii) now with Shorewall Asterisk does not work
> iii) all that I have done is to stop rc.firewall (rc.firewall stop)
> iv) I did alter rc.firewall or any other files
> v) I installed/configured Shorewall
>
> Is that enough, or should I do something more?

I would be inclined to install tethereal so that you can sniff packets on the network - that way you can see if they are getting through your NAT gateway or not.

> 4) The strange thing is that when I nmap the server, I find closed ports although
> I opened them through Shorewall, but nmap reports them closed
>
> 5) nmap is able to scan the server and report open ports, as well as
> closed/filtered (so the ISP is not blocking nmap)
> Please note that I scan from another network (a completely different ISP)

I'm not sure how useful nmap is for UDP. UDP doesn't have a protocol-level handshake like TCP does, so if Asterisk doesn't respond then you simply don't get a reply. nmap can only tell you that a port is closed if it gets an appropriate ICMP reply back; if it gets nothing then it cannot tell between an application not responding and a firewall dropping the packet. I think Asterisk is likely to ignore anything that doesn't look like a SIP packet.

So, I would suggest installing tethereal (or any other sniffer if you prefer), then:

tethereal -i ethx -f "port 5060"

will show you any SIP packets in or out of interface ethx (you can leave out "-i ethx" if you only have one network interface). If you don't see any packets (and I would do this with all firewall(s) in the system disabled) then I think you need to look further out on the network.

BTW - don't forget that you will need to open up your RTP ports as well; the range used by Asterisk is rather large by default, and is defined in rtp.conf IIRC.
Hi Samer,

I'm assuming that Asterisk is not running on the same box as Shorewall. If that is the case then change your ACCEPT rules to DNAT rules.

Regards,
- Craig.
Craig M. Nicholson wrote:
> Hi Samer,
>
> I'm assuming that Asterisk is not running on the same box as Shorewall.
> If that is the case then change your ACCEPT rules to DNAT rules.
>

The OP claims to be using one-to-one NAT but hasn't felt it was necessary to let us know what his entry in /etc/shorewall/nat looks like (or any other useful information, for that matter).

I'll continue to ignore this thread until I see a problem report that gives the details requested at http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
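The two ways of expressing the forwarding that this thread goes back and forth on, written out as an added example (not configuration posted by anyone in the thread): one-to-one NAT via /etc/shorewall/nat with plain ACCEPT rules, versus DNAT rules with no nat entry. The public address 203.0.113.10, the interface name eth0 and the RTP range 10000:20000 are assumed placeholders; 192.168.1.250 is the Asterisk address from the thread.

```shell
#!/bin/sh
# Added example, Shorewall 3.2-style column layout. Use ONE of the two
# alternatives below, not both.
ASTERISK=192.168.1.250
EXT_IP=203.0.113.10      # constructed placeholder for the public address
EXT_IF=eth0              # assumed external interface name
RTP_RANGE=10000:20000    # assumed; confirm against rtp.conf on the Trixbox

# Alternative A: one-to-one NAT. With this entry in /etc/shorewall/nat,
# Shorewall already rewrites EXT_IP <-> ASTERISK, so the rules file only
# needs ACCEPT entries (as the OP wrote). If the nat entry is missing or
# wrong, those ACCEPT rules match nothing, which is what Tom is asking about.
nat_file() {
    cat <<EOF
#EXTERNAL      INTERFACE   INTERNAL      ALL INTERFACES   LOCAL
$EXT_IP        $EXT_IF     $ASTERISK     no               no
EOF
}

rules_one_to_one() {
    cat <<EOF
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)
ACCEPT    net      loc:$ASTERISK     udp     5060
ACCEPT    net      loc:$ASTERISK     tcp     5060
ACCEPT    net      loc:$ASTERISK     udp     $RTP_RANGE
EOF
}

# Alternative B: no nat entry. Forward the ports with DNAT rules instead
# (Craig's suggestion); traffic to the firewall's own external address is
# redirected to the Asterisk box. Note the RTP range, per Simon's reminder.
rules_dnat() {
    cat <<EOF
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)
DNAT      net      loc:$ASTERISK     udp     5060
DNAT      net      loc:$ASTERISK     tcp     5060
DNAT      net      loc:$ASTERISK     udp     $RTP_RANGE
EOF
}

# Print both variants for review; after editing the real files run
# "shorewall check" and then "shorewall restart".
nat_file
rules_one_to_one
rules_dnat
```

Whichever variant is used, confirm the result with the sniffer test Simon describes (tethereal on port 5060 with the firewall temporarily disabled) before trusting an nmap UDP result, since a dropped packet and an unanswered SIP probe look identical to the scanner.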
Hello,

Asterisk is not running on the same box.

What should I do to make sure that rc.firewall is not interacting with Shorewall or iptables?

Thank you for your reply.

Kind Regards
Samer

----- Original Message -----
From: "Craig M. Nicholson" <craig@scopetechnology.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Monday, November 13, 2006 10:23 AM
Subject: Re: [Shorewall-users] ShoreWall and Asterisk

> Hi Samer,
>
> I'm assuming that Asterisk is not running on the same box as Shorewall.
> If that is the case then change your ACCEPT rules to DNAT rules.
>
> Regards,
> - Craig.
Hi Samer,

I'm not familiar with the CentOS distribution as I use Debian.

As Tom said, please send through a problem report that gives the details requested, as described at http://www.shorewall.net/support.htm#Guidelines.

Regards,
- Craig.