Hello,

I configured Shorewall for an Asterisk server. I needed to add the following to /etc/shorewall/start:

rmmod nf_nat_sip &> /dev/null
rmmod nf_conntrack_sip &> /dev/null

And it works fine. The only problem I have detected is that when I have a call established, at the 30-minute mark the call drops and I need to place another call.

The configuration is on CentOS 6.5 Final with kernel 2.6.32-431.17.1 and Shorewall 4.5.4.

I am sending the parts of the shorewall dump related to the modules and nf_conntrack. I understand it is something generic with TCP connections or nf_conntrack (netfilter).

Thanks in advance.

Regards,
Victor

/proc

   /proc/version = Linux version 2.6.32-431.17.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed May 7 23:32:49 UTC 2014
   /proc/sys/net/ipv4/ip_forward = 1
   /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
   /proc/sys/net/ipv4/conf/all/proxy_arp = 0
   /proc/sys/net/ipv4/conf/all/arp_filter = 0
   /proc/sys/net/ipv4/conf/all/arp_ignore = 0
   /proc/sys/net/ipv4/conf/all/rp_filter = 0
   /proc/sys/net/ipv4/conf/all/log_martians = 0
   /proc/sys/net/ipv4/conf/default/proxy_arp = 0
   /proc/sys/net/ipv4/conf/default/arp_filter = 0
   /proc/sys/net/ipv4/conf/default/arp_ignore = 0
   /proc/sys/net/ipv4/conf/default/rp_filter = 0
   /proc/sys/net/ipv4/conf/default/log_martians = 1
   /proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
   /proc/sys/net/ipv4/conf/eth0/arp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
   /proc/sys/net/ipv4/conf/eth0/rp_filter = 0
   /proc/sys/net/ipv4/conf/eth0/log_martians = 1
   /proc/sys/net/ipv4/conf/lo/proxy_arp = 0
   /proc/sys/net/ipv4/conf/lo/arp_filter = 0
   /proc/sys/net/ipv4/conf/lo/arp_ignore = 0
   /proc/sys/net/ipv4/conf/lo/rp_filter = 0
   /proc/sys/net/ipv4/conf/lo/log_martians = 1
   /proc/sys/net/ipv4/conf/tun3/proxy_arp = 0
   /proc/sys/net/ipv4/conf/tun3/arp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/arp_ignore = 0
   /proc/sys/net/ipv4/conf/tun3/rp_filter = 0
   /proc/sys/net/ipv4/conf/tun3/log_martians = 1

Modules

ip_set 30977 1 xt_set
iptable_filter 2793 1
iptable_mangle 3349 1
iptable_nat 6158 0
iptable_raw 2264 0
ip_tables 17831 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 2153 5
ipt_ah 1247 0
ipt_CLUSTERIP 6796 0
ipt_ecn 1507 0
ipt_ECN 1955 0
ipt_LOG 5845 9
ipt_MASQUERADE 2466 0
ipt_NETMAP 1832 0
ipt_REDIRECT 1840 0
ipt_REJECT 2351 4
ipt_ULOG 10765 0
nf_conntrack 79758 32 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 2979 1 nf_nat_amanda
nf_conntrack_broadcast 1471 2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_conntrack_h323 67696 1 nf_nat_h323
nf_conntrack_ipv4 9506 16 iptable_nat,nf_nat
nf_conntrack_irc 5530 1 nf_nat_irc
nf_conntrack_netbios_ns 1323 0
nf_conntrack_netlink 17392 0
nf_conntrack_pptp 12166 1 nf_nat_pptp
nf_conntrack_proto_gre 7003 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 12482 0
nf_conntrack_proto_udplite 3348 0
nf_conntrack_sane 5716 0
nf_conntrack_snmp 1651 1 nf_nat_snmp_basic
nf_conntrack_tftp 4878 1 nf_nat_tftp
nf_defrag_ipv4 1483 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 11156 1 xt_TPROXY
nf_nat 22759 11 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 1277 0
nf_nat_ftp 3507 0
nf_nat_h323 8830 0
nf_nat_irc 1883 0
nf_nat_pptp 4653 0
nf_nat_proto_gre 3028 1 nf_nat_pptp
nf_nat_snmp_basic 8553 0
nf_nat_tftp 987 0
nf_tproxy_core 1332 1 xt_TPROXY,[permanent]
xt_AUDIT 3064 0
xt_CLASSIFY 1069 0
xt_comment 1034 9
xt_connlimit 3238 0
xt_connmark 1347 0
xt_CONNMARK 1507 0
xt_conntrack 2776 13
xt_dccp 2215 0
xt_dscp 1831 0
xt_DSCP 2279 0
xt_hashlimit 9685 0
xt_helper 1497 0
xt_iprange 2312 0
xt_length 1322 0
xt_limit 2118 0
xt_mac 1118 0
xt_mark 1057 0
xt_MARK 1057 1
xt_multiport 2700 2
xt_NFLOG 1195 0
xt_NFQUEUE 2213 0
xt_owner 1252 0
xt_physdev 1741 0
xt_pkttype 1194 0
xt_policy 2616 0
xt_realm 1060 0
xt_recent 7932 0
xt_set 4032 0
xt_state 1492 0
xt_statistic 1524 0
xt_tcpmss 1607 0
xt_time 2183 0
xt_TPROXY 9249 0

Shorewall has detected the following iptables/netfilter capabilities:
   NAT (NAT_ENABLED): Available
   Packet Mangling (MANGLE_ENABLED): Available
   Multi-port Match (MULTIPORT): Available
   Extended Multi-port Match (XMULIPORT): Available
   Connection Tracking Match (CONNTRACK_MATCH): Available
   Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
   Packet Type Match (USEPKTTYPE): Available
   Policy Match (POLICY_MATCH): Available
   Physdev Match (PHYSDEV_MATCH): Available
   Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
   Packet length Match (LENGTH_MATCH): Available
   IP range Match(IPRANGE_MATCH): Available
   Recent Match (RECENT_MATCH): Available
   Owner Match (OWNER_MATCH): Available
   Owner Name Match (OWNER_NAME_MATCH): Available
   CONNMARK Target (CONNMARK): Available
   Extended CONNMARK Target (XCONNMARK): Available
   Connmark Match (CONNMARK_MATCH): Available
   Extended Connmark Match (XCONNMARK_MATCH): Available
   Raw Table (RAW_TABLE): Available
   Rawpost Table (RAWPOST_TABLE): Not available
   IPP2P Match (IPP2P_MATCH): Not available
   CLASSIFY Target (CLASSIFY_TARGET): Available
   Extended REJECT (ENHANCED_REJECT): Available
   Repeat match (KLUDGEFREE): Available
   MARK Target (MARK): Available
   Extended MARK Target (XMARK): Available
   Extended MARK Target 2 (EXMARK): Available
   Mangle FORWARD Chain (MANGLE_FORWARD): Available
   Comments (COMMENTS): Available
   Address Type Match (ADDRTYPE): Available
   TCPMSS Match (TCPMSS_MATCH): Available
   Hashlimit Match (HASHLIMIT_MATCH): Available
   NFQUEUE Target (NFQUEUE_TARGET): Available
   Realm Match (REALM_MATCH): Available
   Helper Match (HELPER_MATCH): Available
   Connlimit Match (CONNLIMIT_MATCH): Available
   Time Match (TIME_MATCH): Available
   Goto Support (GOTO_TARGET): Available
   LOGMARK Target (LOGMARK_TARGET): Not available
   IPMARK Target (IPMARK_TARGET): Not available
   LOG Target (LOG_TARGET): Available
   ULOG Target (ULOG_TARGET): Available
   NFLOG Target (NFLOG_TARGET): Available
   Persistent SNAT (PERSISTENT_SNAT): Available
   TPROXY Target (TPROXY_TARGET): Available
   FLOW Classifier (FLOW_FILTER): Available
   fwmark route mask (FWMARK_RT_MASK): Available
   Mark in any table (MARK_ANYWHERE): Available
   Header Match (HEADER_MATCH): Not available
   ACCOUNT Target (ACCOUNT_TARGET): Not available
   AUDIT Target (AUDIT_TARGET): Available
   ipset V5 (IPSET_V5): Not available
   Condition Match (CONDITION_MATCH): Not available
   Statistic Match (STATISTIC_MATCH): Available
   IMQ Target (IMQ_TARGET): Not available
   DSCP Match (DSCP_MATCH): Available
   DSCP Target (DSCP_TARGET): Available
   Geo IP match: Not available
   iptables -S (IPTABLES_S): Available
   Basic Filter (BASIC_FILTER): Available
   CT Target (CT_TARGET): Not available

Traffic Control

Device eth0:
qdisc mq 0: root
 Sent 1346296381 bytes 11623838 pkt (dropped 0, overlimits 0 requeues 7)
 rate 0bit 0pps backlog 0b 0p requeues 7
class mq :1 root
 Sent 842127610 bytes 5697988 pkt (dropped 0, overlimits 0 requeues 1)
 backlog 0b 0p requeues 1
class mq :2 root
 Sent 504168771 bytes 5925850 pkt (dropped 0, overlimits 0 requeues 6)
 backlog 0b 0p requeues 6

Device tun3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 38445759 bytes 443154 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

TC Filters

Device eth0:

Device tun3: