Hello,

I used shorewall (backport from Debian etch) on Debian sarge. I have now upgraded Debian sarge to Debian etch. Since this upgrade, the masquerading is not working correctly. Behind 2 interfaces there are asterisk-servers. The asterisk-servers are now not able to connect to their provider.

When I sniff (tcpdump -ni <inetif> host <internalip> or host <anotherinternalip>) on the internet-interface on the firewall, I could see that the masquerading for those connections is not working. I see the internal IPs of the asterisk-servers going to the provider on the external interface of the firewall.

It seems that only IAX, SIP and NTP do not work.

In my /etc/shorewall/shorewall.conf there is

    IP_FORWARDING=On

my /etc/shorewall/masq:

    $INETIF   $LANIF    $MASQIP
    $INETIF   $WLANIF   $MASQIP
    $INETIF   $TECHIF   $MASQIP
    $INETIF   $XKEYIF   $XKEYIP

shorewall show nat (not dnat):

    Shorewall-3.2.6 NAT Table at lingate.may.co.at - Mon Mar 31 11:51:15 CEST 2008

    Counters reset Mon Mar 31 11:04:55 CEST 2008

    Chain PREROUTING (policy ACCEPT 48754 packets, 3263K bytes)
     pkts bytes target     prot opt in     out     source               destination
    20233 1277K inet_dnat  0    --  eth2   *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none

    Chain POSTROUTING (policy ACCEPT 27799 packets, 1975K bytes)
     pkts bytes target     prot opt in     out     source               destination
    25353 1830K eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 4570 packets, 302K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain eth2_masq (1 references)
     pkts bytes target     prot opt in     out     source               destination
     7036  475K SNAT       0    --  *      *       172.30.48.0/22       0.0.0.0/0           policy match dir out pol none to:212.41.224.130
      223 11765 SNAT       0    --  *      *       172.30.47.0/24       0.0.0.0/0           policy match dir out pol none to:212.41.224.130
        0     0 SNAT       0    --  *      *       192.168.4.0/24       0.0.0.0/0           policy match dir out pol none to:212.41.224.130
      579 29951 SNAT       0    --  *      *       192.168.5.0/24       0.0.0.0/0           policy match dir out pol none to:212.41.224.193

I hope somebody could help me.
I am very happy with shorewall and before this upgrade it was working great.

Greets
Wolfgang

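The check described in the message above (watching the internet-facing interface for internal source addresses), as an added example that is not part of the original post: it parses tcpdump -n lines and reports outbound packets that still carry an RFC 1918 source, together with the SNAT address the quoted eth2_masq rules should have applied. The capture lines, remote hosts and function names are constructed for illustration.

```python
import ipaddress
import re

# SNAT rules copied from the eth2_masq chain in the post: (source subnet, SNAT target).
SNAT_RULES = [
    ("172.30.48.0/22", "212.41.224.130"),
    ("172.30.47.0/24", "212.41.224.130"),
    ("192.168.4.0/24", "212.41.224.130"),
    ("192.168.5.0/24", "212.41.224.193"),
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `tcpdump -ni <inetif>` lines (not from the post); hosts and times are made up.
SAMPLE_CAPTURE = """\
11:52:01.100000 IP 192.168.5.10.4569 > 198.51.100.7.4569: UDP, length 12
11:52:01.200000 IP 212.41.224.130.5060 > 198.51.100.7.5060: UDP, length 420
11:52:02.300000 IP 172.30.47.20.123 > 203.0.113.5.123: NTPv4, Client, length 48
11:52:02.400000 IP 198.51.100.7.4569 > 212.41.224.193.4569: UDP, length 12
11:52:03.500000 IP 10.9.9.9.5060 > 198.51.100.7.5060: UDP, length 300
"""
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def expected_snat(src):
    """SNAT address of the first rule whose subnet contains src, else None."""
    addr = ipaddress.ip_address(src)
    for subnet, target in SNAT_RULES:
        if addr in ipaddress.ip_network(subnet):
            return target
    return None

def find_leaks(capture):
    """Return (src, sport, dst, expected_snat) for packets leaving with a private source."""
    leaks = []
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4 UDP/TCP line (ARP, IPv6, ...)
        src, sport, dst, _dport = m.groups()
        # On the external interface, private source + public destination = SNAT was skipped.
        if is_rfc1918(src) and not is_rfc1918(dst):
            leaks.append((src, int(sport), dst, expected_snat(src)))
    return leaks

if __name__ == "__main__":
    for src, sport, dst, want in find_leaks(SAMPLE_CAPTURE):
        print(f"un-NATed {src}:{sport} -> {dst}; rule expects {want or 'no SNAT rule'}")
```
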
I have no sip-modules loaded and IAX is also not working.

Simon Hobson wrote:
> Wolfgang Hotwagner wrote:
>
>> i used shorewall(backport from debian etch) on debian sarge. I now have
>> upgraded debian sarge to debian etch. Since this upgrade, the
>> masquerading is not working correctly. Behind 2 interfaces there are
>> asterisk-server. The asterisk-server are now not able to connect to
>> their provider.
>
> Not sure about the rest of the problem, but the newer kernel has SIP
> NAT support which kills any SIP that is already accounting for the
> NAT (eg Asterisk with NAT configured, end devices using STUN).

Wolfgang Hotwagner wrote:
>i used shorewall(backport from debian etch) on debian sarge. I now have
>upgraded debian sarge to debian etch. Since this upgrade, the
>masquerading is not working correctly. Behind 2 interfaces there are
>asterisk-server. The asterisk-server are now not able to connect to
>their provider.

Not sure about the rest of the problem, but the newer kernel has SIP NAT support which kills any SIP that is already accounting for the NAT (eg Asterisk with NAT configured, end devices using STUN).

It is very strange, but now it works. I made no changes (only shorewall restart).

Wolfgang Hotwagner wrote:
> i have no sip-modules loaded and IAX is also not working.
>
> Simon Hobson schrieb:
>> Wolfgang Hotwagner wrote:
>>
>>> i used shorewall(backport from debian etch) on debian sarge. I now have
>>> upgraded debian sarge to debian etch. Since this upgrade, the
>>> masquerading is not working correctly. Behind 2 interfaces there are
>>> asterisk-server. The asterisk-server are now not able to connect to
>>> their provider.
>> Not sure about the rest of the problem, but the newer kernel has SIP
>> NAT support which kills any SIP that is already accounting for the
>> NAT (eg Asterisk with NAT configured, end devices using STUN).

--
Wolfgang Hotwagner
IT-Technik/Support
MAY Computer GmbH
Microsoft Certified Partner
Galvanigasse 2
A-1210 Vienna / Austria
Tel.: +43/1/278 20 80
Fax: +43/1/278 20 80 22
Voip: sip:whotwagner@may.co.at
mailto:whotwagner@may.co.at
http://www.may.co.at
Free PDF printer driver from MAY Computer
http://www.pdfprinter.at