Hi,

this topic was discussed in numerous places before, but I think my problem is a bit different...

I have an Asterisk box which is supposed to register a trunk with sipgate. It uses DNS lookups to find out my external IP address, which is correctly placed in the SIP messages (I can see it on the Asterisk CLI with some logging enabled). To sum it up, everything is set like in many other discussions related to SIP problems.

The gateway (CentOS 5.6 with Shorewall 4.4.19.2) should then masq the related traffic, but it doesn't. It uses the private IP of the Asterisk box as source address. Of course sipgate cannot ever answer the request. At the moment I have absolutely no idea what the problem is about... All other traffic is masqueraded fine. I even removed the ip_nat_sip and ip_conntrack_sip modules and added them to DONT_LOAD (according to FAQ 77). Additionally I have also added the DNAT rules for incoming SIP traffic.

The network configuration is more or less as usual:

    Asterisk Box <-LAN-1 (seth0)-> Gateway (NAT) <-(seth3) ISP-> Sipgate
    Virtual Boxes <-LAN-2 (seth1)->

The systems in LAN 2 are not related to any SIP traffic.

I attached the output of "shorewall dump" to this email and copied the line of a SIP packet:

    udp      17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060 packets=1166 bytes=554092 [UNREPLIED] src=217.10.79.9 dst=192.168.10.240 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1

217.10.79.9 is sipgate.de and 192.168.10.240 the Asterisk box on my local network.
Here is the mentioned Asterisk log of the SIP packet:

    Retransmitting #3 (NAT) to 217.10.79.9:5060:
    OPTIONS sip:sipgate.de SIP/2.0
    Via: SIP/2.0/UDP 91.64.242.13:5060;branch=z9hG4bK756bc67e;rport
    Max-Forwards: 70
    From: "Unknown" <sip:Unknown@91.64.242.13>;tag=as62f154fd
    To: <sip:sipgate.de>
    Contact: <sip:Unknown@91.64.242.13:5060>
    Call-ID: 599766534b08525c6c631b3006772ffd@91.64.242.13:5060
    CSeq: 102 OPTIONS
    User-Agent: FPBX-2.8.1(1.8.0)
    Date: Mon, 18 Jul 2011 23:11:02 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
    Supported: replaces, timer
    Content-Length: 0

You can clearly see that the client-side detection of the external address works... (STUN is not involved.)

So what am I missing?

Thx and best regards,
Martin.
On Tue, 2011-07-19 at 01:34 +0200, Martin Krellmann wrote:

> this topic was discussed in numerous places before. But I think my problem
> is a bit different...
> I have a Asterisk box which is supposed to register a trunk with sipgate. It
> uses dns lookups to find out my external IP address, which is correctly
> placed in the sip messages (I can see it on the Asterisk CLI with some
> logging enabled). To sum it up, everything is set like in many other
> discussions related to SIP problems.
>
> The gateway (CentOS 5.6 with Shorewall 4.4.19.2) should then masq the
> related traffic, but it doesn't. It uses the private IP of the Asterisk box
> as source address. Of course sipgate cannot ever answer the request.
> At the moment I have absolutely no idea what the problem is about... All
> other traffic is masqueraded fine. I even removed the ip_nat_sip and
> ip_conntrack_sip module and added it to DONT_LOAD (according to FAQ 77).
> Additionally I have also added the DNAT rules for incoming SIP traffic.
>
> The network configuration is more or less as usual:
> Asterisk Box <-LAN-1 (seth0)-> Gateway (NAT) <-(seth3) ISP-> Sipgate
> Virtual Boxes<-LAN-2 (seth1)->
> The systems in LAN 2 are not related to any SIP traffic.
>
> I attached the output of "shorewall dump" to this email and copied the line
> of a SIP packet:
>
> udp 17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060
> packets=1166 bytes=554092 [UNREPLIED] src=217.10.79.9 dst=192.168.10.240
> sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1
>
> 217.10.79.9 is sipgate.de and 192.168.10.240 the Asterisk box on my local
> network.

> So what am I missing?

This typically happens when there is an attempt by the Asterisk box to communicate with the gateway before Shorewall is started (before the NAT rules are in place).
The solution is to install the conntrack package and use 'shorewall start -p' (or 'shorewall restart -p') and/or install and configure shorewall-init so that the firewall is closed prior to Shorewall being started during boot.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
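The entry Martin pasted already shows the symptom Tom describes: in a /proc/net/ip_conntrack line the second src=/dst= pair is the reply tuple the kernel expects, and for a masqueraded flow its dst= would be the gateway's public address. Here it is still 192.168.10.240, so the flow was tracked before any SNAT/MASQUERADE rule existed and sipgate's answers can never match it. The following shell example is added here and is not Shorewall's, Asterisk's or the thread's own code: it scans conntrack-style lines for exactly that pattern (private original source, public destination, reply tuple still aimed at the private source) and prints the conntrack(8) delete command for each hit. The sample input embeds the line from the thread plus two constructed lines; the public address 91.64.242.13 is taken from the Via header in the Asterisk log, while the TCP flow's addresses are made up.

```shell
#!/bin/sh
# Added example (not Shorewall's or Asterisk's code): spot conntrack entries that were
# created before the MASQUERADE/SNAT rules were loaded. In /proc/net/ip_conntrack the
# first src=/dst= pair is the original direction and the second pair is the expected
# reply. If the reply dst= still equals the private original src=, no NAT was applied.

# Constructed sample: line 1 is the entry pasted in the thread, line 2 is the same flow
# as it should look once masqueraded (public address 91.64.242.13 from the SIP Via
# header), line 3 is an unrelated, correctly NATed TCP flow with assumed addresses.
SAMPLE_CONNTRACK='udp      17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060 packets=1166 bytes=554092 [UNREPLIED] src=217.10.79.9 dst=192.168.10.240 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1
udp      17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060 packets=12 bytes=5700 src=217.10.79.9 dst=91.64.242.13 sport=5060 dport=5060 packets=12 bytes=6100 mark=0 secmark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=93.184.216.34 sport=44321 dport=443 packets=30 bytes=3100 src=93.184.216.34 dst=91.64.242.13 sport=443 dport=44321 packets=28 bytes=51000 [ASSURED] mark=0 secmark=0 use=1'

# find_unnatted_entries: read conntrack lines on stdin; for every flow from an RFC 1918
# source to a public destination whose reply tuple still targets the private source,
# print "proto orig_src orig_dst orig_sport orig_dport".
find_unnatted_entries() {
  awk '
    function is_private(ip) {
      return ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    {
      proto = $1; tuple = 0
      osrc = odst = osport = odport = rdst = ""
      for (i = 2; i <= NF; i++) {
        if (split($i, kv, "=") != 2) continue       # skip "17", "29", [UNREPLIED], ESTABLISHED
        if (kv[1] == "src") { tuple++; if (tuple == 1) osrc = kv[2] }
        else if (kv[1] == "dst") { if (tuple == 1) odst = kv[2]; else if (tuple == 2) rdst = kv[2] }
        else if (kv[1] == "sport" && tuple == 1) osport = kv[2]
        else if (kv[1] == "dport" && tuple == 1) odport = kv[2]
      }
      if (osrc != "" && is_private(osrc) && !is_private(odst) && rdst == osrc)
        print proto, osrc, odst, osport, odport
    }'
}

# delete_cmd_for: the conntrack(8) invocation that drops one such entry so the next
# packet is evaluated against the NAT rules that are now loaded. Printed rather than
# executed so the example runs without root or a live conntrack table.
delete_cmd_for() {
  printf 'conntrack -D -p %s -s %s -d %s --sport %s --dport %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Demo on the constructed sample: one delete command for the stuck SIP entry.
printf '%s\n' "$SAMPLE_CONNTRACK" | find_unnatted_entries |
  while read -r proto src dst sport dport; do
    delete_cmd_for "$proto" "$src" "$dst" "$sport" "$dport"
  done
```

On a live gateway you would feed `cat /proc/net/ip_conntrack` (or `conntrack -L`) into find_unnatted_entries instead of the sample and run the printed commands as root. The -p option Tom mentions is the blunt form of the same fix: it purges the whole connection-tracking table when Shorewall starts, which is why it needs the conntrack utility installed; shorewall-init avoids creating the stale entry in the first place by keeping the firewall closed until the rules are loaded.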
Hi,

this sounds plausible and explains why it works at the moment... I just changed the IP of the Asterisk box (no traffic then) and changed it back to the original one.

Do you mean the ip_conntrack_sip package, which I disabled before, or just the ip_conntrack module?

I already have shorewall-init on my gateway system and configured it now according to the manpage. But I have difficulties starting it... Do I have to disable the normal Shorewall start script or do I need both?

Greets,
Martin.

-----Original message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, 19 July 2011 16:56
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with NAT and SIP traffic

> On Tue, 2011-07-19 at 01:34 +0200, Martin Krellmann wrote:
> > [...]
> > So what am I missing?
>
> This typically happens when there is an attempt by the Asterisk box to
> communicate with the gateway before Shorewall is started (before the NAT
> rules are in place).
>
> The solution is to install the conntrack package and use 'shorewall start -p'
> (or shorewall restart -p) and/or install and configure shorewall-init so
> that the firewall is closed prior to Shorewall being started during boot.
>
> -Tom
On Tue, 2011-07-19 at 19:18 +0200, Martin Krellmann wrote:

> This sounds plausible and explains why it works at the moment... I just changed the IP of the asterisk box (no traffic then) and changed it back to the original one.
> Do you mean the ip_conntrack_sip package, which I disabled before or just the ip_conntrack module?

I mean the package called 'conntrack' which includes /sbin/conntrack. I rather doubt that it is available for CentOS 5.6, however.

> I already have shorewall-init on my gateway system and configured it now according to the manpage. But I have difficulties starting it... Do I have to disable the normal shorewall start script or do I need both?

You must disable the normal Shorewall start script and let shorewall-init start it at the proper time.

-Tom
On Tue, 2011-07-19 at 10:31 -0700, Tom Eastep wrote:

> On Tue, 2011-07-19 at 19:18 +0200, Martin Krellmann wrote:
>
> > This sounds plausible and explains why it works at the moment... I just changed the IP of the asterisk box (no traffic then) and changed it back to the original one.
> > Do you mean the ip_conntrack_sip package, which I disabled before or just the ip_conntrack module?
>
> I mean the package called 'conntrack' which includes /sbin/conntrack. I
> rather doubt that it is available for CentOS 5.6, however.
>
> > I already have shorewall-init on my gateway system and configured it now according to the manpage. But I have difficulties starting it... Do I have to disable the normal shorewall start script or do I need both?
>
> You must disable the normal Shorewall start script and let
> shorewall-init start it at the proper time.

It is also very important to realize that '/etc/init.d/shorewall-init start' actually executes '/sbin/shorewall stop', if Shorewall is under control of Shorewall-init. Shorewall will remain stopped until an 'optional' or 'required' interface changes state.

-Tom