LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-18-2005, 09:15 AM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
how to tell what ports are being blocked?


I am having trouble receiving phone calls coming into my firewall into a DMZ. How can I tell from looking at my logs or using a utility what ports are being blocked from incoming calls? If I reboot the VOIP modem and the firewall script, I can receive only one phone call and then if someone calls after the first call then it is blocked! Help?

Last edited by metallica1973; 12-18-2005 at 09:17 AM.
 
Old 12-18-2005, 10:18 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
What kind of VOIP system are you using? What is your firewall script?
 
Old 12-18-2005, 07:19 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Matir, the man, I am using Lingo (VOIP provider) on a Mediatrix 2102 VOIP modem using SIP. I have also compiled SIP support in my kernel (from netfilter.com). It works but I can't receive incoming calls! Here are my rules:

#IP's for DMZ to VOIP
DMZ_NETWORK="192.168.2.0"
DMZ_IFACE="eth1"
DMZ_IP="192.168.2.1"
DMZ_VOIP_PHONE="192.168.2.120"

##Public services running ON FIREWALL-BOX (comment out to activate):

#- From DMZ Interface to DMZ firewall IP

$IPTABLES -A INPUT -i $DMZ_IFACE -d $DMZ_IP -p ALL -j ACCEPT

#$IPTABLES -A INPUT -i $DMZ_IFACE -d $DMZ_IP -p udp --dport 13456 -j ACCEPT

#$IPTABLES -A INPUT -i $DMZ_IFACE -d $DMZ_IP -p udp --dport 10000:20000 -j ACCEPT

### Forward Section ########

#$IPTABLES -A FORWARD -o $EXTIF -p udp --dport 1024:1030 -j ACCEPT
#$IPTABLES -A FORWARD -o $EXTIF -p udp --dport 5050:5060 -j ACCEPT
#$IPTABLES -A FORWARD -o $EXTIF -p udp --dport 10000:20000 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#DMZ_VOIP_PHONE -Forwarding

$IPTABLES -I FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 5060 -j ACCEPT
$IPTABLES -I FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 13456 -j ACCEPT
# $IPTABLES -I FORWARD -i $EXTIF -p udp -o DMZ_IFACE -d $DMZ_VOIP_PHONE --dport 10000:20000 -j ACCEPT

## PREROUTING ## ###### Enable IP Destination NAT for DMZ zone #######

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 5060 -j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 13456 -j DNAT --to-destination $DMZ_VOIP_PHONE

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_IP --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE

## POSTROUTING ####DMZ VOIP PHONE #######

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.120

Last edited by metallica1973; 12-18-2005 at 11:34 PM.
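
One way to see from the logs which ports are being dropped, as an added example that is not part of any post in this thread: log whatever the ACCEPT rules did not match, then tally the log lines by chain, protocol, destination and port. The log prefixes, the `eth0` external interface and the sample log lines are assumptions constructed for illustration; only 192.168.2.120, `eth1` and the port numbers relate to the script above.

```shell
#!/bin/sh
# Added example, not from the thread. The log prefixes are hypothetical.
# Assumed logging rules, appended after the ACCEPT rules so that only
# packets nothing accepted are logged before the chain policy applies:
#   $IPTABLES -A INPUT   -p udp -j LOG --log-prefix "FW-DROP-IN: "
#   $IPTABLES -A FORWARD -p udp -j LOG --log-prefix "FW-DROP-FWD: "

# Read kernel log lines on stdin and print "count chain proto dst dport",
# most frequent first. Lines without one of the prefixes are ignored.
summarize_drops() {
    awk '
    /FW-DROP-(IN|FWD): / {
        chain = proto = dst = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-DROP-/)    { chain = $i; sub(/:$/, "", chain) }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (dpt != "") count[chain " " proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k5,5n
}

# Constructed sample (documentation addresses, eth0 assumed external).
# FWD lines were DNATed to the phone but then not accepted in FORWARD;
# IN lines never matched a DNAT rule, so they were aimed at the firewall.
sample_log() {
cat <<'EOF'
Dec 18 19:02:11 fw kernel: FW-DROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.2.120 LEN=200 TTL=52 PROTO=UDP SPT=16384 DPT=10012 LEN=180
Dec 18 19:02:11 fw kernel: FW-DROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.2.120 LEN=200 TTL=52 PROTO=UDP SPT=16384 DPT=10012 LEN=180
Dec 18 19:02:12 fw kernel: FW-DROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.2.120 LEN=200 TTL=52 PROTO=UDP SPT=16384 DPT=10012 LEN=180
Dec 18 19:02:12 fw kernel: FW-DROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.2.120 LEN=96 TTL=52 PROTO=UDP SPT=16385 DPT=10014 LEN=76
Dec 18 19:02:40 fw kernel: eth1: link up
Dec 18 19:03:05 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=540 TTL=52 PROTO=UDP SPT=5060 DPT=5060 LEN=520
Dec 18 19:03:09 fw kernel: FW-DROP-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=540 TTL=52 PROTO=UDP SPT=5060 DPT=5060 LEN=520
EOF
}

sample_log | summarize_drops
```

On a live firewall, feed the function the kernel log instead of the sample, for example `dmesg | summarize_drops`.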
 
  

