Mark D. Montgomery II
2013-Oct-08 05:25 UTC
Shorewall dropping packets that should be forwarded
I had to restart one of my routers tonight and since then shorewall on it has been dropping SIP packets coming in from one machine instead of forwarding them to the FreePBX server.

Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20 TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555

Of course this is the SIP trunk between the server and my Obi110 box in the house that is dropping.
The odd thing is that I also have a SIP client on my home network as well and it is connected fine.

My other trunks are fine as well.

My rules on the box are just straight DNAT:

DNAT net loc10:10.10.42.4 tcp 5060:5069
DNAT net loc10:10.10.42.4 udp 5060:5069

Everything was working fine before I restarted the router.
Shorewall 4.5.5.3 running on Debian Wheezy.

Any suggestion on figuring out why it has suddenly decided to drop these instead of forwarding them like the rules actually say to?

Thanks.

Mark II
-- 
Mark D. Montgomery II
http://www.techiem2.net
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
On 10/7/2013 10:25 PM, Mark D. Montgomery II wrote:
>
> I had to restart one of my routers tonight and since then shorewall on
> it has been dropping SIP packets coming in from one machine instead of
> forwarding them to the FreePBX server.
>
> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network
> external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20
> TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555
>
> Of course this is the SIP trunk between the server and my Obi110 box in
> the house that is dropping.
> The odd thing is that I also have a SIP client on my home network as
> well and it is connected fine.
>
> My other trunks are fine as well.
>
> My rules on the box are just straight DNAT:
>
> DNAT net loc10:10.10.42.4 tcp 5060:5069
> DNAT net loc10:10.10.42.4 udp 5060:5069
>
> Everything was working fine before I restarted the router.
> Shorewall 4.5.5.3 running on Debian Wheezy.
>
>
> Any suggestion on figuring out why it has suddenly decided to drop these
> instead of forwarding them like the rules actually say to?

This happens when the SIP client attempts to send before Shorewall is started. An erroneous non-NAT conntrack entry gets created and continues to be used after Shorewall has created the appropriate NAT rule.

Install the 'conntrack' utility, identify the erroneous conntrack entry (shorewall show conntrack) and use /sbin/conntrack to delete it.

-Tom
-- 
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \   died peacefully in his sleep. Not screaming like
Washington, USA         \   all of the passengers in his car
http://shorewall.net     \________________________________________________
Mark D. Montgomery II
2013-Oct-08 16:09 UTC
Re: Shorewall dropping packets that should be forwarded
Quoting Tom Eastep <teastep@shorewall.net>:
> On 10/7/2013 10:25 PM, Mark D. Montgomery II wrote:
>>
>> I had to restart one of my routers tonight and since then shorewall on
>> it has been dropping SIP packets coming in from one machine instead of
>> forwarding them to the FreePBX server.
>>
>> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network
>> external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20
>> TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555
>>
>> Of course this is the SIP trunk between the server and my Obi110 box in
>> the house that is dropping.
>> The odd thing is that I also have a SIP client on my home network as
>> well and it is connected fine.
>>
>> My other trunks are fine as well.
>>
>> My rules on the box are just straight DNAT:
>>
>> DNAT net loc10:10.10.42.4 tcp 5060:5069
>> DNAT net loc10:10.10.42.4 udp 5060:5069
>>
>> Everything was working fine before I restarted the router.
>> Shorewall 4.5.5.3 running on Debian Wheezy.
>>
>>
>> Any suggestion on figuring out why it has suddenly decided to drop these
>> instead of forwarding them like the rules actually say to?
>
> This happens when the SIP client attempts to send before Shorewall is
> started. An erroneous non-NAT conntrack entry gets created and continues
> to be used after Shorewall has created the appropriate NAT rule.
>
> Install the 'conntrack' utility, identify the erroneous conntrack entry
> (shorewall show conntrack) and use /sbin/conntrack to delete it.

I installed conntrack.

shorewall show conntrack gives me "ERROR: Chain 'conntrack' not recognized by /sbin/iptables."
shorewall show doesn't show me any conntrack chain.

> -Tom
> -- 
> Tom Eastep            \   When I die, I want to go like my Grandfather who
> Shoreline,             \   died peacefully in his sleep. Not screaming like
> Washington, USA         \   all of the passengers in his car
> http://shorewall.net     \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net
Mark D. Montgomery II
2013-Oct-08 16:11 UTC
Re: Shorewall dropping packets that should be forwarded
Aha! I did conntrack -D -s <home-ip> and it removed a bunch of entries and the trunk came right back up.

Thanks!

Quoting Tom Eastep <teastep@shorewall.net>:
> On 10/7/2013 10:25 PM, Mark D. Montgomery II wrote:
>>
>> I had to restart one of my routers tonight and since then shorewall on
>> it has been dropping SIP packets coming in from one machine instead of
>> forwarding them to the FreePBX server.
>>
>> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network
>> external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20
>> TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555
>>
>> Of course this is the SIP trunk between the server and my Obi110 box in
>> the house that is dropping.
>> The odd thing is that I also have a SIP client on my home network as
>> well and it is connected fine.
>>
>> My other trunks are fine as well.
>>
>> My rules on the box are just straight DNAT:
>>
>> DNAT net loc10:10.10.42.4 tcp 5060:5069
>> DNAT net loc10:10.10.42.4 udp 5060:5069
>>
>> Everything was working fine before I restarted the router.
>> Shorewall 4.5.5.3 running on Debian Wheezy.
>>
>>
>> Any suggestion on figuring out why it has suddenly decided to drop these
>> instead of forwarding them like the rules actually say to?
>
> This happens when the SIP client attempts to send before Shorewall is
> started. An erroneous non-NAT conntrack entry gets created and continues
> to be used after Shorewall has created the appropriate NAT rule.
>
> Install the 'conntrack' utility, identify the erroneous conntrack entry
> (shorewall show conntrack) and use /sbin/conntrack to delete it.
>
> -Tom
> -- 
> Tom Eastep            \   When I die, I want to go like my Grandfather who
> Shoreline,             \   died peacefully in his sleep. Not screaming like
> Washington, USA         \   all of the passengers in his car
> http://shorewall.net     \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net
On 10/08/2013 09:09 AM, Mark D. Montgomery II wrote:
>
> Quoting Tom Eastep <teastep@shorewall.net>:
>
>> On 10/7/2013 10:25 PM, Mark D. Montgomery II wrote:
>>>
>>> I had to restart one of my routers tonight and since then shorewall on
>>> it has been dropping SIP packets coming in from one machine instead of
>>> forwarding them to the FreePBX server.
>>>
>>> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network
>>> external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20
>>> TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555
>>>
>>> Of course this is the SIP trunk between the server and my Obi110 box in
>>> the house that is dropping.
>>> The odd thing is that I also have a SIP client on my home network as
>>> well and it is connected fine.
>>>
>>> My other trunks are fine as well.
>>>
>>> My rules on the box are just straight DNAT:
>>>
>>> DNAT net loc10:10.10.42.4 tcp 5060:5069
>>> DNAT net loc10:10.10.42.4 udp 5060:5069
>>>
>>> Everything was working fine before I restarted the router.
>>> Shorewall 4.5.5.3 running on Debian Wheezy.
>>>
>>>
>>> Any suggestion on figuring out why it has suddenly decided to drop these
>>> instead of forwarding them like the rules actually say to?
>>
>> This happens when the SIP client attempts to send before Shorewall is
>> started. An erroneous non-NAT conntrack entry gets created and continues
>> to be used after Shorewall has created the appropriate NAT rule.
>>
>> Install the 'conntrack' utility, identify the erroneous conntrack entry
>> (shorewall show conntrack) and use /sbin/conntrack to delete it.
>
> I installed conntrack.
>
> shorewall show conntrack gives me "ERROR: Chain 'conntrack' not
> recognized by /sbin/iptables."
> shorewall show doesn't show me any conntrack chain.

Sorry -- command is 'shorewall show connections'

-Tom

Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \   died peacefully in his sleep. Not screaming like
Washington, USA         \   all of the passengers in his car
http://shorewall.net     \________________________________________________
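The reason the stale entries survive a Shorewall start is that netfilter consults the nat table only for the first packet of a flow; the NAT binding chosen then (or the absence of one) is stored in the conntrack entry and applied to every later packet. A flow whose first packet arrived while no DNAT rule was loaded therefore keeps being delivered to the firewall's own address (hence OUT= is empty in the log: the packet took the INPUT path and hit net2all DROP), and no rule loaded afterwards can change that until the entry expires or is deleted. In a conntrack listing such an entry is easy to spot: for a DNATed flow the reply tuple's src is the internal host (10.10.42.4 in the rules above), whereas for a flow that bypassed DNAT the reply src is still the firewall's external address. The script below, an added example that is not from the thread or from the Shorewall project, automates the check Tom describes: it reads a listing in either `conntrack -L` or `/proc/net/nf_conntrack` format, reports flows to the forwarded port range that show no DNAT mapping, and emits one `conntrack -D` per flow matching the full original tuple, which is narrower than the `conntrack -D -s <home-ip>` used above (that removes every tracked flow from the address, healthy ones included). The addresses are hypothetical RFC 5737 values and the sample listing is constructed; deleting a UDP entry is harmless because the next packet recreates it, this time through the nat table.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): find conntrack entries
# for a DNATed service that were created before the DNAT rule existed, so their
# reply tuple was never rewritten, and emit a precise 'conntrack -D' for each.
#
# Hypothetical addresses (RFC 5737 documentation ranges):
#   198.51.100.20  external address of the Shorewall box
#   203.0.113.10   remote SIP endpoint (the "home" address in the thread)
#   10.10.42.4     the DNAT target, as in the thread's rules

# Constructed sample in 'conntrack -L' format. Line 1 is a stale pre-Shorewall
# entry: its reply src is still the external IP, so no DNAT mapping was
# recorded. Line 2 is a healthy DNATed flow (reply src is the internal host).
# Line 3 is SSH to the firewall itself and must not be touched.
SAMPLE_CONNTRACK='udp      17 29 src=203.0.113.10 dst=198.51.100.20 sport=5061 dport=5060 [UNREPLIED] src=198.51.100.20 dst=203.0.113.10 sport=5060 dport=5061 mark=0 use=1
udp      17 179 src=203.0.113.10 dst=198.51.100.20 sport=5060 dport=5060 src=10.10.42.4 dst=203.0.113.10 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.10 dst=198.51.100.20 sport=51234 dport=22 src=198.51.100.20 dst=203.0.113.10 sport=22 dport=51234 [ASSURED] mark=0 use=1'

# find_unnatted_flows EXT_IP PROTO LOW_PORT HIGH_PORT
# Reads conntrack lines on stdin ('conntrack -L' or /proc/net/nf_conntrack
# format) and prints "proto orig_src orig_sport orig_dst orig_dport" for each
# flow to EXT_IP:LOW-HIGH whose reply source is still EXT_IP, i.e. a flow
# that bypassed DNAT.
find_unnatted_flows() {
    ext_ip="$1"; proto="$2"; lo="$3"; hi="$4"
    awk -v ext="$ext_ip" -v proto="$proto" -v lo="$lo" -v hi="$hi" '
        $1 == proto || $3 == proto {
            # Collect src/dst/sport/dport in order: the first set is the
            # original direction, the second the (possibly NATed) reply.
            split("", c); split("", t)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                k = kv[1]
                if (k == "src" || k == "dst" || k == "sport" || k == "dport") {
                    c[k]++
                    t[k, c[k]] = kv[2]
                }
            }
            if (c["src"] < 2 || c["dport"] < 2) next
            osrc = t["src", 1]; odst = t["dst", 1]
            osport = t["sport", 1]; odport = t["dport", 1]
            rsrc = t["src", 2]
            # Only flows aimed at the forwarded port range on the external IP.
            if (odst != ext || odport + 0 < lo + 0 || odport + 0 > hi + 0) next
            # A DNATed flow answers from the internal host; this one does not.
            if (rsrc == ext) print proto, osrc, osport, odst, odport
        }'
}

# delete_commands
# Turns find_unnatted_flows output into conntrack(8) delete commands that
# match the full original tuple, so healthy flows from the same address stay.
delete_commands() {
    while read -r proto osrc osport odst odport; do
        [ -n "$proto" ] || continue
        printf 'conntrack -D -p %s --orig-src %s --orig-dst %s --orig-port-src %s --orig-port-dst %s\n' \
            "$proto" "$osrc" "$odst" "$osport" "$odport"
    done
}

# Stand-alone run: show what would be deleted for the sample. On a live box
# (as root; conntrack -L prints its summary line on stderr):
#   conntrack -L 2>/dev/null | find_unnatted_flows <ext-ip> udp 5060 5069 | delete_commands | sh
printf '%s\n' "$SAMPLE_CONNTRACK" | find_unnatted_flows 198.51.100.20 udp 5060 5069 | delete_commands
```

Run the pipeline once without the trailing `| sh` and compare the candidates against `shorewall show connections` before deleting anything; a flow that really is mid-call will show its reply src as the PBX address and is left alone by the filter.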
Mark D. Montgomery II
2013-Oct-08 20:54 UTC
Re: Shorewall dropping packets that should be forwarded
Quoting Tom Eastep <teastep@shorewall.net>:
> On 10/08/2013 09:09 AM, Mark D. Montgomery II wrote:
>>
>> Quoting Tom Eastep <teastep@shorewall.net>:
>>
>>> On 10/7/2013 10:25 PM, Mark D. Montgomery II wrote:
>>>>
>>>> I had to restart one of my routers tonight and since then shorewall on
>>>> it has been dropping SIP packets coming in from one machine instead of
>>>> forwarding them to the FreePBX server.
>>>>
>>>> Shorewall:net2all:DROP:IN=eth0 OUT= MAC=<removed> SRC=<my home network
>>>> external ip> DST=<server network external ip> LEN=575 TOS=0x00 PREC=0x20
>>>> TTL=78 ID=230 PROTO=UDP SPT=5061 DPT=5060 LEN=555
>>>>
>>>> Of course this is the SIP trunk between the server and my Obi110 box in
>>>> the house that is dropping.
>>>> The odd thing is that I also have a SIP client on my home network as
>>>> well and it is connected fine.
>>>>
>>>> My other trunks are fine as well.
>>>>
>>>> My rules on the box are just straight DNAT:
>>>>
>>>> DNAT net loc10:10.10.42.4 tcp 5060:5069
>>>> DNAT net loc10:10.10.42.4 udp 5060:5069
>>>>
>>>> Everything was working fine before I restarted the router.
>>>> Shorewall 4.5.5.3 running on Debian Wheezy.
>>>>
>>>>
>>>> Any suggestion on figuring out why it has suddenly decided to drop these
>>>> instead of forwarding them like the rules actually say to?
>>>
>>> This happens when the SIP client attempts to send before Shorewall is
>>> started. An erroneous non-NAT conntrack entry gets created and continues
>>> to be used after Shorewall has created the appropriate NAT rule.
>>>
>>> Install the 'conntrack' utility, identify the erroneous conntrack entry
>>> (shorewall show conntrack) and use /sbin/conntrack to delete it.
>>
>> I installed conntrack.
>>
>> shorewall show conntrack gives me "ERROR: Chain 'conntrack' not
>> recognized by /sbin/iptables."
>> shorewall show doesn't show me any conntrack chain.
>
> Sorry -- command is 'shorewall show connections'
>

Ok Thanks.

> -Tom
>

Mark II

>
> Tom Eastep            \   When I die, I want to go like my Grandfather who
> Shoreline,             \   died peacefully in his sleep. Not screaming like
> Washington, USA         \   all of the passengers in his car
> http://shorewall.net     \________________________________________________

-- 
Mark D. Montgomery II
http://www.techiem2.net