Shorewall users - Mar 2008 - shorewall sip/iax masquerading

Hello,
i used shorewall(backport from debian etch) on debian sarge. I now have
upgraded debian sarge to debian etch. Since this upgrade, the
masquerading is not working correctly. Behind 2 interfaces there are
asterisk-server. The asterisk-server are now not able to connect to
their provider. When i sniff(tcpdump -ni <inetif> host <internalip>
or
host <anotherinternalip>)  on the internet-interface on the firewall i
could see, that the masquerading for those connection is not working. I
see the internal ips of the asterisk-server going to the provider on the
external interface of the firewall. It seems that only IAX, SIP and NTP
does not work.

In my /etc/shorewall/shorewall.conf there is IP_FORWARDING=On

my /etc/shorewall/masq:
$INETIF			$LANIF		$MASQIP
$INETIF                 $WLANIF         $MASQIP
$INETIF                 $TECHIF         $MASQIP
$INETIF                 $XKEYIF         $XKEYIP

shorewall show nat(not dnat):
Shorewall-3.2.6 NAT Table at lingate.may.co.at - Mon Mar 31 11:51:15
CEST 2008

Counters reset Mon Mar 31 11:04:55 CEST 2008

Chain PREROUTING (policy ACCEPT 48754 packets, 3263K bytes)
 pkts bytes target     prot opt in     out     source
destination
20233 1277K inet_dnat  0    --  eth2   *       0.0.0.0/0
0.0.0.0/0           policy match dir in pol none

Chain POSTROUTING (policy ACCEPT 27799 packets, 1975K bytes)
 pkts bytes target     prot opt in     out     source
destination
25353 1830K eth2_masq  0    --  *      eth2    0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4570 packets, 302K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
 7036  475K SNAT       0    --  *      *       172.30.48.0/22
0.0.0.0/0           policy match dir out pol none to:212.41.224.130
  223 11765 SNAT       0    --  *      *       172.30.47.0/24
0.0.0.0/0           policy match dir out pol none to:212.41.224.130
    0     0 SNAT       0    --  *      *       192.168.4.0/24
0.0.0.0/0           policy match dir out pol none to:212.41.224.130
  579 29951 SNAT       0    --  *      *       192.168.5.0/24
0.0.0.0/0           policy match dir out pol none to:212.41.224.193


I hope somebody could help me. I am very happy with shorewall and before
this upgrade it was working great.

Greets
Wolfgang

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

i have no sip-modules loaded and IAX is also not working.

Simon Hobson schrieb:
> Wolfgang Hotwagner wrote:
> 
>> i used shorewall(backport from debian etch) on debian sarge. I now have
>> upgraded debian sarge to debian etch. Since this upgrade, the
>> masquerading is not working correctly. Behind 2 interfaces there are
>> asterisk-server. The asterisk-server are now not able to connect to
>> their provider.
> 
> Not sure about the rest of the problem, but the newer kernel has SIP 
> NAT support which kills any SIP that is already accounting for the 
> NAT (eg Asterisk with NAT configured, end devices using STUN).
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It''s the best place to buy or sell services for
> just about anything Open Source.
>
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

Wolfgang Hotwagner wrote:
>i used shorewall(backport from debian etch) on debian sarge. I now have
>upgraded debian sarge to debian etch. Since this upgrade, the
>masquerading is not working correctly. Behind 2 interfaces there are
>asterisk-server. The asterisk-server are now not able to connect to
>their provider.
Not sure about the rest of the problem, but the newer kernel has SIP 
NAT support which kills any SIP that is already accounting for the 
NAT (eg Asterisk with NAT configured, end devices using STUN).

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

It is very strange, but now it works. I did no changes(only shorewall
restart)

Wolfgang Hotwagner schrieb:
> i have no sip-modules loaded and IAX is also not working.
> 
> Simon Hobson schrieb:
>> Wolfgang Hotwagner wrote:
>>
>>> i used shorewall(backport from debian etch) on debian sarge. I now
have
>>> upgraded debian sarge to debian etch. Since this upgrade, the
>>> masquerading is not working correctly. Behind 2 interfaces there
are
>>> asterisk-server. The asterisk-server are now not able to connect to
>>> their provider.
>> Not sure about the rest of the problem, but the newer kernel has SIP 
>> NAT support which kills any SIP that is already accounting for the 
>> NAT (eg Asterisk with NAT configured, end devices using STUN).
>>
>>
-------------------------------------------------------------------------
>> Check out the new SourceForge.net Marketplace.
>> It''s the best place to buy or sell services for
>> just about anything Open Source.
>>
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> 
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It''s the best place to buy or sell services for
> just about anything Open Source.
>
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 
Wolfgang Hotwagner
IT-Technik/Support

MAY Computer GmbH
Microsoft Certified Partner
Galvanigasse 2
A-1210 Vienna / Austria
Tel.: +43/1/278 20 80 Fax: +43/1/278 20 80 22
Voip: sip:whotwagner@may.co.at

mailto:whotwagner@may.co.at
http://www.may.co.at

Freier PDF Druckertreiber von MAY Computer http://www.pdfprinter.at

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace