Hello all,

I have an asterisk sip/iax peer behind a linux gateway doing nat. I'm using pppoe with a dynamic ip that changes frequently.

The problem is when the line drops the sip/iax registrations drop as well, and they don't register thereafter. When I check the conntrack entries, I noticed the entries still have the old wan ip address and because of keepalive (i'm assuming) these are not timing out.

What I don't understand is why the conntrack entries don't get destroyed when the interface goes down. The only solution that works is to remove them manually using conntrack-tools.

From what I learn, the difference between MASQUERADE and SNAT is that MASQUERADE mangles the packets going out the interface so they have a source *address of the interface* while SNAT mangles the packets so they have the address you specify. I'm hoping by using masquerade only the conntrack entries will be destroyed when the pppoe ip changes.

Here's part of my "shorewall show nat" output:

Chain ppp0_masq (1 references)
 pkts bytes target      prot opt in  out source           destination
 4860  467K SNAT        all  --  *   *   0.0.0.0/0        0.0.0.0/0    policy match dir out pol none to:67.56.105.20
    0     0 MASQUERADE  all  --  *   *   192.168.32.0/24  0.0.0.0/0    policy match dir out pol none

Chain ppp1_masq (1 references)
 pkts bytes target      prot opt in  out source           destination
58815 4775K SNAT        all  --  *   *   0.0.0.0/0        0.0.0.0/0    policy match dir out pol none to:24.205.16.4
    0     0 MASQUERADE  all  --  *   *   192.168.32.0/24  0.0.0.0/0    policy match dir out pol none

Here's my masq file:

#INTERFACE  SOURCE           ADDRESS  PROTO  PORT(S)  IPSEC  MARK
ppp0        0.0.0.0/0        detect
ppp1        0.0.0.0/0        detect
ppp0        192.168.32.0/24
ppp1        192.168.32.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

So, does the above mean I'm using both masquerading and SNAT currently? How can I use only masquerade?

Thank you for your time,

--
Raghu Siddarth

------------------------------------------------------------------------------
Come build with us!
The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
Tom Eastep
2009-Oct-23 14:47 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Rags wrote:
> Hello all,
>
> I have an asterisk sip/iax peer behind a linux gateway doing nat. I'm
> using pppoe with a dynamic ip that changes frequently.
>
> The problem is when the line drops the sip/iax registrations drop as
> well, and they don't register thereafter. When I check the conntrack
> entries, I noticed the entries still have the old wan ip address and
> because of keepalive (i'm assuming) these are not timing out.
>
> What I don't understand is why the conntrack entries don't get destroyed
> when the interface goes down. The only solution that works is to remove
> them manually using conntrack-tools.
>
> From what I learn, the difference between MASQUERADE and SNAT is that
> MASQUERADE mangles the packets going out the interface so they have a
> source /address of the interface/ while SNAT mangles the packets so they
> have the address you specify.

That's correct.

> I'm hoping by using masquerade only the conntrack entries will be
> destroyed when the pppoe ip changes.

No conntrack entries are destroyed just because the IP address changes.
If you want that to happen, you must arrange for 'shorewall restart -p'
when the IP address changed; that will destroy ALL conntrack entries.

> Here's part of my "shorewall show nat" output

<output hopelessly mangled by gmail's idiotic treatment of IP addresses deleted>

> Here's my masq file:
>
> #INTERFACE  SOURCE           ADDRESS  PROTO  PORT(S)  IPSEC  MARK
> ppp0        0.0.0.0/0        detect
> ppp1        0.0.0.0/0        detect
> ppp0        192.168.32.0/24
> ppp1        192.168.32.0/24
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> So, does the above mean I'm using both masquerading and SNAT currently?

No -- it means that you are using SNAT and the masquerade entries are
just there to clutter things up.

> How can I use only masquerade?

Either:

a) Delete the last two entries and remove 'detect' from the ADDRESS
column of the first two entries; or

b) Delete the first two entries (if you only want to masquerade
connections with source in 192.168.32.0/24).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
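The point of Tom's answer is that a masq line with an ADDRESS column (including 'detect') compiles to SNAT with the address fixed at start time, while a line with the column left blank compiles to MASQUERADE, and that iptables is first-match, so the 0.0.0.0/0 SNAT rule swallows every packet before the MASQUERADE rule below it is reached (hence its zero counters). The following is an added example, not part of the thread and not Shorewall's own compiler: a simplified model that turns masq lines into the equivalent iptables commands and shows which rule a LAN host actually hits under the original file and under Tom's options a) and b). The detected addresses are assumed from the 'to:' values in the quoted output; the PROTO/PORT(S)/IPSEC/MARK columns and the 'policy match' clauses Shorewall adds are ignored.

```python
"""Model of how lines in Shorewall's /etc/shorewall/masq file turn into
nat-table rules.

Added example, not Shorewall's own compiler: it covers only the two cases
discussed in the thread (empty ADDRESS -> MASQUERADE; ADDRESS given or
'detect' -> SNAT), emits plain iptables commands instead of the restore
file Shorewall generates, and ignores the PROTO/PORT(S)/IPSEC/MARK columns.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Addresses Shorewall would 'detect' on each interface at start time;
# assumed from the 'to:' values in the quoted 'shorewall show nat' output.
DETECTED_ADDRS: Dict[str, str] = {"ppp0": "67.56.105.20", "ppp1": "24.205.16.4"}

# The poster's masq file and Tom's two suggested rewrites.
ORIGINAL_MASQ = """\
#INTERFACE  SOURCE           ADDRESS
ppp0        0.0.0.0/0        detect
ppp1        0.0.0.0/0        detect
ppp0        192.168.32.0/24
ppp1        192.168.32.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""
OPTION_A = """\
ppp0        0.0.0.0/0
ppp1        0.0.0.0/0
"""
OPTION_B = """\
ppp0        192.168.32.0/24
ppp1        192.168.32.0/24
"""


@dataclass
class MasqEntry:
    interface: str
    source: str
    address: Optional[str]   # None: ADDRESS column left blank


def parse_masq(text: str) -> List[MasqEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        interface = cols[0]
        source = cols[1] if len(cols) > 1 and cols[1] != "-" else "0.0.0.0/0"
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        entries.append(MasqEntry(interface, source, address))
    return entries


def to_iptables(entry: MasqEntry, detected: Dict[str, str]) -> str:
    """One masq line -> one rule in the per-interface <iface>_masq chain."""
    base = f"iptables -t nat -A {entry.interface}_masq -s {entry.source}"
    if entry.address is None:
        # No ADDRESS: MASQUERADE reads the interface address per packet.
        return f"{base} -j MASQUERADE"
    # 'detect' is resolved once, at start time, and baked into the rule.
    addr = detected[entry.interface] if entry.address == "detect" else entry.address
    return f"{base} -j SNAT --to-source {addr}"


def compile_masq(text: str, detected: Dict[str, str] = DETECTED_ADDRS) -> List[str]:
    return [to_iptables(e, detected) for e in parse_masq(text)]


def targets(text: str) -> List[str]:
    """Just the target names, in chain order."""
    return [rule.split(" -j ")[1].split()[0] for rule in compile_masq(text)]


def first_match(text: str, src_ip: str, interface: str,
                detected: Dict[str, str] = DETECTED_ADDRS) -> Optional[str]:
    """iptables is first-match: the rule a packet from src_ip actually hits."""
    ip = ipaddress.ip_address(src_ip)
    for e in parse_masq(text):
        if e.interface == interface and ip in ipaddress.ip_network(e.source):
            return to_iptables(e, detected)
    return None


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_MASQ), ("option a", OPTION_A), ("option b", OPTION_B)):
        print(f"--- {name}: {targets(cfg)}")
        print("    192.168.32.204 via ppp0 hits:", first_match(cfg, "192.168.32.204", "ppp0"))
```

Under the original file a LAN host on ppp0 hits the SNAT rule with the start-time address, which is why the MASQUERADE rules below it never count a packet and why the SNAT address goes stale after a PPP renegotiation until Shorewall is restarted. With either option only MASQUERADE rules remain; the MASQUERADE target takes the outgoing interface's current address per packet, and its kernel module also removes the conntrack entries tied to an interface when that interface goes down, which SNAT does not do.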
Tom Eastep
2009-Oct-23 15:18 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Tom Eastep wrote:
> Rags wrote:
>>
>> What I don't understand is why the conntrack entries don't get destroyed
>> when the interface goes down. The only solution that works is to remove
>> them manually using conntrack-tools.
>>
>> From what I learn, the difference between MASQUERADE and SNAT is that
>> MASQUERADE mangles the packets going out the interface so they have a
>> source /address of the interface/ while SNAT mangles the packets so they
>> have the address you specify.
>
> That's correct.
>
>> I'm hoping by using masquerade only the conntrack entries will be
>> destroyed when the pppoe ip changes.
>
> No conntrack entries are destroyed just because the IP address changes.
> If you want that to happen, you must arrange for 'shorewall restart -p'
> when the IP address changed; that will destroy ALL conntrack entries.

The more I think about this, the more I'm uncertain that you need to do
that. You would need to do that if you were doing SNAT but with
MASQUERADE, it may not be necessary. On my dynamic IP cable connection,
the IP address changes only every 6 months or so and I have to restart
Shorewall when it happens because I use LSM
(http://www.shorewall.net/MultiISP.html#lsm).

-Tom
Rags
2009-Oct-24 06:53 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
On Fri, Oct 23, 2009 at 8:17 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> Here's part of my "shorewall show nat" output
>
> <output hopelessly mangled by gmail's idiotic treatment of IP addresses
> deleted>

Sorry about that. Tried various formatting but gmail still messes it up.
I've copied the output in the attachment.

>> Here's my masq file:
>>
>> #INTERFACE  SOURCE           ADDRESS  PROTO  PORT(S)  IPSEC  MARK
>> ppp0        0.0.0.0/0        detect
>> ppp1        0.0.0.0/0        detect
>> ppp0        192.168.32.0/24
>> ppp1        192.168.32.0/24
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>> How can I use only masquerade?
>
> Either:
>
> a) Delete the last two entries and remove 'detect' from the ADDRESS
> column of the first two entries; or

If I do this I do get a masquerade-only entry in the nat table, but when
I restart shorewall it gives me the following:

Adding Providers...
WARNING: Gateway is not reachable -- Provider BSNL8m (1) not Added
WARNING: Gateway is not reachable -- Provider BSNL256 (2) not Added
WARNING: No Default route added (all 'balance' providers are down)

> b) Delete the first two entries (if you only want to masquerade
> connections with source in 192.168.32.0/24).

Same thing here, the providers don't get detected. I've copied the
contents of the providers file in the attachment.

The only thing that seems to work is to remove the last two lines in
masq, but that gives pure snat without any masquerade entries.

> The more I think about this, the more I'm uncertain that you need to do
> that. You would need to do that if you were doing SNAT but with
> MASQUERADE, it may not be necessary. On my dynamic IP cable connection,
> the IP address changes only every 6 months or so and I have to restart
> Shorewall when it happens because I use LSM
> (http://www.shorewall.net/MultiISP.html#lsm).

I achieve fail-over by a shorewall -f restart on every ip up/down. I'm
not using any link monitoring.

I suppose I can use -p to flush the conntrack table, but what I don't
understand is why the providers get affected when I make changes to the
masq file. I had the same problem earlier, and you pointed out that the
logic is independent. But I can't seem to trace the cause. Since I don't
use LSM or gwping there are no isusable, lib.private or .status files in
/etc/shorewall or /var/lib/shorewall.

Thank you,

Raghu Siddarth
Tom Eastep
2009-Oct-24 14:32 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Rags wrote:
> If I do this I do get a masquerade-only entry in the nat table, but
> when I restart shorewall it gives me the following:
>
> Adding Providers...
> WARNING: Gateway is not reachable -- Provider BSNL8m (1) not Added
> WARNING: Gateway is not reachable -- Provider BSNL256 (2) not Added
> WARNING: No Default route added (all 'balance' providers are down)

Please:

a) shorewall show -f capabilities /etc/shorewall/caps
b) tar -xf shorewall.tgz /etc/shorewall/
c) send shorewall.tgz as an attachment to me personally.

Thanks,
-Tom
Tom Eastep
2009-Oct-24 15:51 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Tom Eastep wrote:
> Rags wrote:
>
>> If I do this I do get a masquerade-only entry in the nat table, but
>> when I restart shorewall it gives me the following:
>>
>> Adding Providers...
>> WARNING: Gateway is not reachable -- Provider BSNL8m (1) not Added
>> WARNING: Gateway is not reachable -- Provider BSNL256 (2) not Added
>> WARNING: No Default route added (all 'balance' providers are down)
>
> Please:
>
> a) shorewall show -f capabilities /etc/shorewall/caps

Make that 'shorewall show -f capabilities > /etc/shorewall/caps'

> b) tar -xf shorewall.tgz /etc/shorewall/
> c) send shorewall.tgz as an attachment to me personally.

-Tom
Tom Eastep
2009-Oct-24 19:10 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Tom Eastep wrote:
> Tom Eastep wrote:
>> Rags wrote:
>>
>>> If I do this I do get a masquerade-only entry in the nat table, but
>>> when I restart shorewall it gives me the following:
>>>
>>> Adding Providers...
>>> WARNING: Gateway is not reachable -- Provider BSNL8m (1) not Added
>>> WARNING: Gateway is not reachable -- Provider BSNL256 (2) not Added
>>> WARNING: No Default route added (all 'balance' providers are down)
>>
>> Please:
>>
>> a) shorewall show -f capabilities /etc/shorewall/caps
>
> Make that 'shorewall show -f capabilities > /etc/shorewall/caps'

Actually, I think I see what is happening. Please try applying the
attached patch:

cd /usr/share/shorewall/
patch -p1 < path-to/optional.diff

-Tom
Rags
2009-Oct-27 07:49 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
On Sun, Oct 25, 2009 at 12:40 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Actually, I think I see what is happening. Please try applying the
> attached patch:
>
> cd /usr/share/shorewall/
> patch -p1 < path-to/optional.diff

It worked! No more warnings. Thank you.

>> Here's my masq file:
>>
>> #INTERFACE  SOURCE           ADDRESS  PROTO  PORT(S)  IPSEC  MARK
>> ppp0        0.0.0.0/0        detect
>> ppp1        0.0.0.0/0        detect
>> ppp0        192.168.32.0/24
>> ppp1        192.168.32.0/24
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>> How can I use only masquerade?
>
> Either:
>
> a) Delete the last two entries and remove 'detect' from the ADDRESS
> column of the first two entries; or

Wouldn't this affect load balancing? I haven't specified "loose" though.

> b) Delete the first two entries (if you only want to masquerade
> connections with source in 192.168.32.0/24).

This is what I have done currently. It is set to masquerade. I see the
conntrack entries getting destroyed now, but a part of the problem is
still present. Let me explain:

There are two iax trunks on 4569, outbound and inbound. The outbound
registration is working without problems now after I changed to
masquerading. But the inbound trunk doesn't get registered on the
standard 4569 port.

The inward iax trunk gets registered on port 1025, and this number keeps
on increasing. I don't know how or why, but the conntrack entries show:

udp 17 178 src=192.168.32.204 dst=56.24.132.16 sport=4569 dport=4569 packets=220 bytes=32935 src=56.24.132.16 dst=27.242.134.136 sport=4569 dport=*1025* packets=183 bytes=26722 [ASSURED] mark=2 use=1

If I delete this entry, a new entry pops up on port 1026 and so on. The
only way that works is to delete all entries on port 4569. This occurs
only when the pppoe drops and the ip changes.

This might not be related to the firewall at all, but I just wanted to
know if this behavior indicates something.

Thanks for your help,

--
Raghu Siddarth
Tom Eastep
2009-Oct-27 14:16 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
Rags wrote:
> On Sun, Oct 25, 2009 at 12:40 AM, Tom Eastep <teastep@shorewall.net> wrote:
>> Actually, I think I see what is happening. Please try applying the
>> attached patch:
>>
>> cd /usr/share/shorewall/
>> patch -p1 < path-to/optional.diff
>
> It worked! No more warnings. Thank you.

Good -- you're welcome.

>> Either:
>>
>> a) Delete the last two entries and remove 'detect' from the ADDRESS
>> column of the first two entries; or
>
> Wouldn't this affect load balancing? I haven't specified "loose" though.

No -- this is actually the preferred way given that you have a multi-ISP
configuration.

>> b) Delete the first two entries (if you only want to masquerade
>> connections with source in 192.168.32.0/24).
>
> This is what I have done currently. It is set to masquerade. I see the
> conntrack entries getting destroyed now, but a part of the problem is
> still present. Let me explain:
>
> There are two iax trunks on 4569, outbound and inbound. The outbound
> registration is working without problems now after I changed to
> masquerading. But the inbound trunk doesn't get registered on the
> standard 4569 port.
>
> The inward iax trunk gets registered on port 1025, and this number keeps
> on increasing. I don't know how or why, but the conntrack entries show:
>
> udp 17 178 src=192.168.32.204 dst=56.24.132.16 sport=4569
> dport=4569 packets=220 bytes=32935 src=56.24.132.16 dst=27.242.134.136
> sport=4569 dport=*1025* packets=183 bytes=26722 [ASSURED] mark=2 use=1
>
> If I delete this entry, a new entry pops up on port 1026 and so on. The
> only way that works is to delete all entries on port 4569. This occurs
> only when the pppoe drops and the ip changes.
>
> This might not be related to the firewall at all, but I just wanted to
> know if this behavior indicates something.

It's the way that Netfilter DNAT works. It remaps the source port in a
connection if there is another connection that is using that same
address/protocol/port for its source.

The bottom line here is that changing the IP address of a host while
there are active connections to/through that host is a very unfriendly
thing to do.

-Tom
Rags
2009-Oct-30 05:22 UTC
Re: sip/iax problem - udp conntrack entries not getting destroyed
On Tue, Oct 27, 2009 at 7:46 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Rags wrote:
>
>> udp 17 178 src=192.168.32.204 dst=56.24.132.16 sport=4569
>> dport=4569 packets=220 bytes=32935 src=56.24.132.16 dst=27.242.134.136
>> sport=4569 dport=*1025* packets=183 bytes=26722 [ASSURED] mark=2 use=1
>>
>> If I delete this entry, a new entry pops up on port 1026 and so on. The
>> only way that works is to delete all entries on port 4569. This occurs
>> only when the pppoe drops and the ip changes.
>>
>> This might not be related to the firewall at all, but I just wanted to
>> know if this behavior indicates something.
>
> It's the way that Netfilter DNAT works. It remaps the source port in a
> connection if there is another connection that is using that same
> address/protocol/port for its source.
>
> The bottom line here is that changing the IP address of a host while
> there are active connections to/through that host is a very unfriendly
> thing to do.

I tried a lot to pinpoint the specific entries to delete after a ppp
up/down. But these keep on changing, and also conntrack-tools is very
unwieldy. I'm just going to use 'shorewall restart -p' to clear the whole
table now. It seems harsh to clear the entire table every time, but it
works.

Thank you for all the help.

--
Raghu
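Two things in the thread make the targeted clean-up Raghu gave up on tractable: Tom's explanation that a NAT entry whose public source port collided gets a remapped port (the dport=1025, 1026, ... entries), and the observation that the leftover entries carry the previous WAN address in their reply direction. An entry is dead after a PPP renegotiation if either holds, and both are visible in the 'conntrack -L' line format quoted above. The script below is an added example, not from the thread and not part of conntrack-tools or Shorewall: it parses that format, selects the entries that a WAN address change has made useless, and prints the matching 'conntrack -D' commands instead of flushing the whole table with 'shorewall restart -p'. The sample table is constructed: the IAX entry and the current WAN address 27.242.134.136 are from the thread, 203.0.113.7 stands in for the previous WAN address, and the DNS and HTTPS entries are invented to show what must not be deleted. The list of fixed-source-port services (IAX2 on 4569, SIP on 5060) is an assumption you would adjust to your peers.

```python
"""Find conntrack entries made useless by a WAN address change.

Added example, not from the thread and not part of conntrack-tools or
Shorewall. It parses the text format that 'conntrack -L' (and the thread's
quoted entry) uses and selects entries to delete, as a narrower alternative
to flushing everything with 'shorewall restart -p'.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample table. The IAX entry and current WAN address
# 27.242.134.136 are from the thread; 203.0.113.7 stands in for the
# previous WAN address; the DNS and HTTPS entries are made up.
SAMPLE_TABLE = """\
udp      17 178 src=192.168.32.204 dst=56.24.132.16 sport=4569 dport=4569 packets=220 bytes=32935 src=56.24.132.16 dst=27.242.134.136 sport=4569 dport=1025 packets=183 bytes=26722 [ASSURED] mark=2 use=1
udp      17 170 src=192.168.32.204 dst=56.24.132.16 sport=5060 dport=5060 packets=12 bytes=6400 src=56.24.132.16 dst=203.0.113.7 sport=5060 dport=5060 packets=11 bytes=5900 [ASSURED] mark=2 use=1
udp      17 29 src=192.168.32.10 dst=192.168.32.1 sport=53210 dport=53 packets=1 bytes=70 src=192.168.32.1 dst=192.168.32.10 sport=53 dport=53210 packets=1 bytes=150 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.32.50 dst=198.51.100.9 sport=40001 dport=443 packets=30 bytes=4000 src=198.51.100.9 dst=27.242.134.136 sport=443 dport=40001 [ASSURED] mark=1 use=1
"""

# Services that register from a fixed source port; a remapped public port
# breaks their registration. Assumed list: IAX2 and SIP.
FIXED_PORT_SERVICES: Tuple[int, ...] = (4569, 5060)


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class CtEntry:
    proto: str
    timeout: int
    orig: Tuple4      # as the LAN host sent it
    reply: Tuple4     # as the far end answers: dst is the NATed address/port
    flags: List[str]


def parse_conntrack_line(line: str) -> CtEntry:
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])       # tokens[1] is the protocol number
    tuples: List[dict] = []
    cur: dict = {}
    flags: List[str] = []
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):  # [ASSURED], [UNREPLIED]
            flags.append(tok[1:-1])
            continue
        if "=" not in tok:                              # e.g. the TCP state word
            continue
        key, val = tok.split("=", 1)
        if key == "src" and cur:                        # second src= starts the reply tuple
            tuples.append(cur)
            cur = {}
        cur[key] = val
    tuples.append(cur)
    if len(tuples) != 2:
        raise ValueError(f"unexpected conntrack line: {line!r}")
    orig, reply = (Tuple4(t["src"], t["dst"], int(t["sport"]), int(t["dport"])) for t in tuples)
    return CtEntry(proto, timeout, orig, reply, flags)


def parse_table(text: str) -> List[CtEntry]:
    return [parse_conntrack_line(line) for line in text.splitlines() if line.strip()]


def stale_entries(entries: List[CtEntry], current_wan: str,
                  fixed_ports: Tuple[int, ...] = FIXED_PORT_SERVICES) -> List[CtEntry]:
    """Entries that will never carry useful traffic again after the WAN address changed."""
    stale = []
    for e in entries:
        natted = e.reply.dst != e.orig.src           # LAN-to-LAN entries: nothing to fix
        if not natted:
            continue
        old_address = e.reply.dst != current_wan     # NATed to an address we no longer hold
        remapped = e.orig.sport in fixed_ports and e.reply.dport != e.orig.sport
        if old_address or remapped:
            stale.append(e)
    return stale


def delete_commands(entries: List[CtEntry]) -> List[str]:
    """conntrack-tools deletion keyed on the original-direction tuple."""
    return [
        f"conntrack -D -p {e.proto} -s {e.orig.src} -d {e.orig.dst} "
        f"--sport {e.orig.sport} --dport {e.orig.dport}"
        for e in entries
    ]


if __name__ == "__main__":
    # Typical use: conntrack -L 2>/dev/null | python3 stale_ct.py <current WAN address>
    import sys
    table = SAMPLE_TABLE if sys.stdin.isatty() else sys.stdin.read()
    wan = sys.argv[1] if len(sys.argv) > 1 else "27.242.134.136"
    for cmd in delete_commands(stale_entries(parse_table(table), wan)):
        print(cmd)
```

Run from a ppp ip-up hook with the new address as the argument, it deletes the IAX entry with the remapped port and the SIP entry still NATed to the old address, while leaving the unaffected HTTPS flow and the LAN-only DNS entry alone; the selection is printed rather than executed so it can be reviewed before being piped to a shell. The 'remapped' test depends on the assumed fixed-port list: without it, a client that legitimately uses an ephemeral source port would never be flagged, and with it a peer registering from a non-standard port would need to be added.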