Hello shorewall-users,

I am running shorewall 4.4.11.6 on debian squeeze. It seems that some packages are not masqueraded and I am not sure why.

My masq file is as follows:

    eth1 10.232.0.0/16
    ppp0 10.232.0.0/16

Here is one excerpt from a package trace from eth1. It shows one of the internal boxes trying to register 2 different SIP accounts:

    989.063344 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
    989.065124 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
    989.325070 217.9.36.145 -> 189.61.199.178 SIP Status: 401 Unauthorized (0 bindings)
    989.523246 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
    989.779081 217.9.36.145 -> 189.61.199.178 SIP Status: 200 OK (1 bindings)
    990.060768 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
    990.064791 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
    991.061014 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
    991.065030 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
    992.061244 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br

Notice that the first package is masqueraded, but the second is not.

I ask for advice in understanding what is going on.

Regards,
Pedro

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 07/13/2012 09:41 AM, Pedro Bulach Gapski wrote:
> Hello shorewall-users,
>
> I am running shorewall 4.4.11.6 on debian squeeze. It seems that some
> packages are not masqueraded and I am not sure why.
>
> My masq file is as follows:
> eth1 10.232.0.0/16
> ppp0 10.232.0.0/16
>
> Here is one excerpt from a package trace from eth1. It shows one of the
> internal boxes trying to register 2 different SIP accounts:
> 989.063344 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
> 989.065124 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 989.325070 217.9.36.145 -> 189.61.199.178 SIP Status: 401 Unauthorized
> (0 bindings)
> 989.523246 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
> 989.779081 217.9.36.145 -> 189.61.199.178 SIP Status: 200 OK (1 bindings)
> 990.060768 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
> 990.064791 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 991.061014 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
> 991.065030 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
> 992.061244 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
>
> Notice that the first package is masqueraded, but the second is not.
>
> I ask for advice in understanding what is going on.

Your VOIP devices are attempting to connect to the network before
Shorewall is brought up. That causes conntrack entries without NAT to be
created. The best way to avoid that is to install and configure
Shorewall-init so that the connections are rejected until Shorewall starts.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Fri, Jul 13, 2012 at 2:53 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 07/13/2012 09:41 AM, Pedro Bulach Gapski wrote:
>> Hello shorewall-users,
>>
>> I am running shorewall 4.4.11.6 on debian squeeze. It seems that some
>> packages are not masqueraded and I am not sure why.
>>
>> My masq file is as follows:
>> eth1 10.232.0.0/16
>> ppp0 10.232.0.0/16
>>
>> Here is one excerpt from a package trace from eth1. It shows one of the
>> internal boxes trying to register 2 different SIP accounts:
>> 989.063344 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
>> 989.065124 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
>> 989.325070 217.9.36.145 -> 189.61.199.178 SIP Status: 401 Unauthorized
>> (0 bindings)
>> 989.523246 189.61.199.178 -> 217.9.36.145 SIP Request: REGISTER sip:iptel.org
>> 989.779081 217.9.36.145 -> 189.61.199.178 SIP Status: 200 OK (1 bindings)
>> 990.060768 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
>> 990.064791 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
>> 991.061014 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
>> 991.065030 10.232.0.9 -> 201.86.87.36 SIP Request: REGISTER sip:vono.net.br
>> 992.061244 10.232.0.9 -> 201.86.87.36 SIP Request: OPTIONS sip:vono.net.br
>>
>> Notice that the first package is masqueraded, but the second is not.
>>
>> I ask for advice in understanding what is going on.
>
> Your VOIP devices are attempting to connect to the network before
> Shorewall is brought up. That causes conntrack entries without NAT to be
> created. The best way to avoid that is to install and configure
> Shorewall-init so that the connections are rejected until Shorewall starts.

Thanks, Tom, that did the trick. For the record, I installed shorewall-init to prevent future occurrences.

In the present case, I installed conntrack and cleared the connections with

    conntrack -D -s 10.232.0.9

From this point on, everything worked as expected.

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
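The mechanism Tom describes, and the cleanup Pedro applied, can be checked before anything is deleted. An entry that was created before the nat table held the MASQUERADE rule keeps the private address in its reply tuple, whereas a properly masqueraded entry has the external (ppp0) address there. The following is an added example, not code from the thread or from the Shorewall project: it parses the textual `conntrack -L` output for TCP/UDP entries, reports the internal-to-external flows that received no SNAT, and emits a `conntrack -D` invocation scoped to each exact flow, which is narrower than `-D -s HOST` and leaves the host's correctly NATted and LAN-internal flows alone. The sample conntrack lines are constructed for the example, the 10.232.0.0/16 network is taken from the masq file in the thread, and the assumed usage is `conntrack -L 2>/dev/null | python3 find_unnatted.py`.

```python
import ipaddress
import re
import sys

# Constructed sample of `conntrack -L` output (not captured from the thread).
# Entry 1: created before the SNAT rules were loaded; the reply tuple's dst
#          is still the private source address, so no NAT was applied.
# Entry 2: properly masqueraded; the reply tuple's dst is the ppp0 address.
# Entry 3: LAN-to-LAN flow that must never be masqueraded.
SAMPLE_CONNTRACK = """\
udp      17 29 src=10.232.0.9 dst=201.86.87.36 sport=5060 dport=5060 src=201.86.87.36 dst=10.232.0.9 sport=5060 dport=5060 [ASSURED] mark=0 use=1
udp      17 170 src=10.232.0.9 dst=217.9.36.145 sport=5061 dport=5060 src=217.9.36.145 dst=189.61.199.178 sport=5060 dport=5061 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.232.0.9 dst=10.232.0.1 sport=40000 dport=22 src=10.232.0.1 dst=10.232.0.9 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""

# One 4-tuple as conntrack prints it; each line carries two (original, then reply).
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return {'proto', 'orig', 'reply'} for a TCP/UDP conntrack line, else None."""
    fields = line.split()
    if not fields:
        return None
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None  # ICMP and other entries use type=/code=/id= and are skipped
    orig, reply = tuples
    return {
        "proto": fields[0],
        "orig": {"src": orig[0], "dst": orig[1], "sport": int(orig[2]), "dport": int(orig[3])},
        "reply": {"src": reply[0], "dst": reply[1], "sport": int(reply[2]), "dport": int(reply[3])},
    }


def is_unnatted(entry, internal_net):
    """True if an internal host's outbound flow received no source NAT.

    With MASQUERADE applied, the reply tuple's destination is the external
    address; if it still equals the original private source, the entry was
    created while the nat table had no matching rule.
    """
    net = ipaddress.ip_network(internal_net)
    src = ipaddress.ip_address(entry["orig"]["src"])
    dst = ipaddress.ip_address(entry["orig"]["dst"])
    if src not in net or dst in net:
        return False  # not an internal-to-external flow
    return ipaddress.ip_address(entry["reply"]["dst"]) == src


def find_unnatted(conntrack_output, internal_net="10.232.0.0/16"):
    """All parsed entries in the output that are internal->external without SNAT."""
    entries = (parse_entry(line) for line in conntrack_output.splitlines())
    return [e for e in entries if e is not None and is_unnatted(e, internal_net)]


def delete_command(entry):
    """conntrack -D invocation matching exactly this flow (narrower than -D -s HOST)."""
    o = entry["orig"]
    return (f"conntrack -D -p {entry['proto']} -s {o['src']} -d {o['dst']} "
            f"--sport {o['sport']} --dport {o['dport']}")


if __name__ == "__main__":
    # Assumed usage: conntrack -L 2>/dev/null | python3 find_unnatted.py [internal_net]
    # Without piped input the constructed sample is used so the script runs offline.
    net = sys.argv[1] if len(sys.argv) > 1 else "10.232.0.0/16"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    for e in find_unnatted(text, net):
        print(delete_command(e))
```

Running the printed commands removes only the stale entries; the next packet from the SIP device then creates a fresh conntrack entry through the now-loaded MASQUERADE rule. Shorewall-init remains the real fix, since it prevents the stale entries from being created in the first place.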