iptables script is blocking voip asterisk
Hi everybody, this is my first post so please forgive any inappropriate stuff.
I have two asterisk servers, each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5. Routes on the fws are ok and when iptables is stopped the servers see each other, all good. But when I run the iptables script on any fw, one server (not always the same) goes unreachable. I verify this with asterisk -r, then show sip trunk, and the status becomes UNREACHABLE. The iptables script is generated by fwbuilder. The weird part is I put only one rule in the script and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway I run the script on any fw and one server becomes UNREACHABLE. I think the script does something wrong after all, or maybe I have some misconfiguration in my asterisk conf files. The point is I am not so expert in iptables or shell scripting so I can't see anything in the iptables script. I have looked for some issues like iptables blocking because of the ip_conntrack table being full, or the "don't fragment" bit set in kernel problem, but nothing seems to be the right problem at all. You guys please help me! In the next post I will paste the iptables script. Thanks a lot in advance!! Juan M. Jaramillo
iptables script
Script iptables:
Code:
#!/bin/sh
Please forgive the long post, I hadn't noticed the script was that big. Especially when it has no rules at all.
What is the output of iptables -L before and after running the script?
By the way, it makes a long chunk of code / output much easier to read if you wrap [code]...[/code] tags around it.
iptables -L
Before script:
Code:
[root@fwnuevos ~]# iptables -L
Code:
[root@fwnuevos ~]# iptables -L
With what conditions does your Asterisk work? Iptables removed/turned off?
Have you simply tried to change all default rules to "ACCEPT"? When you do it, please check the default rule states with the command "iptables-save".
Asterisk servers work with iptables stopped. So the output of iptables -L is:
Code:
[root@fwnuevos ~]# iptables -L
Changing all default rules to ACCEPT is what I supposedly tried to do with the script, and the output of iptables -L shows that for me, I think. But I think the script I'm showing you has to be doing something else in the server that is affecting communication. If you mean changing the rules manually, well, maybe that could work, but the thing is I have to use fwbuilder because that is the software the company uses. Or at least I have to know exactly why it is failing to think about another option. Besides, I configured the firewalls with all ACCEPTing for testing purposes, but these firewalls have a big set of rules and nat and routing, and all that works properly, so maybe changing the script generator is not an option for me.
If your problem still exists, please, can you apply your script and then type "iptables-save"? If possible, please post the output here.
The second thing you can do is to add a LOG rule at the end of (it should be the LAST rule) Chain INPUT, Chain FORWARD, Chain OUTPUT. Then you can start to do something with asterisk. All that you will find in the log, according to the firewall rules, will be dropped.
iptables-save
Hi, thanks for keeping on answering.
The output of iptables-save in one of the firewalls with only one rule in fwbuilder is:
Code:
# Generated by iptables-save v1.3.5 on Tue Jun 8 17:06:31 2010
Another thing I could find was: the udp packet always gets stuck on the second firewall. For example look at this figure. In this case, sending the packet from Asterisk 1 to Asterisk 2, the packet gets lost on the outbound interface of FW B, just where the X marks.
Code:
Asterisk 1 ------- FWA ---------- FWB -x--------- Asterisk 2
In this other case, sending the packet from Asterisk 2 to Asterisk 1, the packet gets lost on the outbound interface of FWA, just where the X marks.
Code:
Asterisk 1 ------x- FWA ---------- FWB ----------- Asterisk 2
Well, thanks again guys. Hope I'm near to getting this solved! With your help of course.
First of all, check if you have "1" in /proc/sys/net/ipv4/ip_forward.
If not you can use: echo 1 > /proc/sys/net/ipv4/ip_forward. Remember that it is NOT permanent, the next reboot will wipe it.
Second. Take a look and try to understand, please.
Code:
:FORWARD DROP [5:5059]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
Those mean that anything that doesn't match the ACCEPT rules will be dropped. So you NEED to add a LOG rule after those two:
Code:
iptables -I FORWARD 3 -j LOG
It will add logging of everything that was not assumed ACCEPT, and you can analyze it. It easily can be SNMP. Apply it to both firewalls. None of us is a genius, but there are always ways to find a problem, and logging is the first of them.
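Once the LOG rule is in place, the kernel writes one line per packet that fell through the ACCEPT rules (on CentOS 5 they land in /var/log/messages). Reading those lines by hand gets tedious fast, so here is a small summariser, added here as an example and not part of the thread or of fwbuilder's output. It assumes the standard netfilter LOG line format (IN= OUT= SRC= DST= PROTO= SPT= DPT= fields), tags udp/5060 as SIP signalling and udp/10000-20000 as RTP (the range is an assumption; match it to your rtp.conf), and the sample log lines, hostnames and addresses are constructed for the demo.

```shell
#!/bin/sh
# Summarise netfilter LOG lines (e.g. from "iptables -I FORWARD 3 -j LOG")
# into distinct flows with a count, so the traffic that fell through the
# ACCEPT rules can be read at a glance. POSIX sh + awk + sort only.
LC_ALL=C
export LC_ALL

# Constructed sample of kernel LOG output (hostname, addresses and times are
# made up; the field layout is what the LOG target emits).
SAMPLE_LOG='Jun  8 17:10:01 fwa kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
Jun  8 17:10:02 fwa kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=10002 DPT=10004 LEN=180
Jun  8 17:10:03 fwa kernel: IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=2 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  8 17:10:04 fwa kernel: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40'

# Read LOG lines on stdin; print "count proto src dst dport in->out tag",
# most frequent flow first. Lines without SRC=/DST= are ignored.
summarize_fw_log() {
    awk '
    {
        src = ""; dst = ""; proto = ""; dpt = ""; in_if = ""; out_if = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "SRC")   src    = kv[2]
            else if (kv[1] == "DST")   dst    = kv[2]
            else if (kv[1] == "PROTO") proto  = kv[2]
            else if (kv[1] == "DPT")   dpt    = kv[2]
            else if (kv[1] == "IN")    in_if  = kv[2]
            else if (kv[1] == "OUT")   out_if = kv[2]
        }
        if (src == "" || dst == "") next        # not a netfilter LOG line
        # Assumed port ranges: SIP signalling on udp/5060, RTP on udp/10000-20000.
        tag = "other"
        if (proto == "UDP" && (dpt + 0) == 5060) tag = "sip"
        else if (proto == "UDP" && (dpt + 0) >= 10000 && (dpt + 0) <= 20000) tag = "rtp"
        key = proto " " src " " dst " " dpt " " in_if "->" out_if " " tag
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Demo run on the constructed sample; on a real box feed it the messages file:
#   grep 'IN=' /var/log/messages | summarize_fw_log
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

A flow tagged sip or rtp that shows up here is a flow the rule set actually dropped; if the Asterisk traffic never appears at all (as the original poster reports), the packets are not reaching the FORWARD chain, which points at routing, NAT, or the link rather than at filtering.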
Hello,
iptables -I FORWARD 3 -j LOG worked very well. Effectively the firewall started to log some denied packets, which I don't understand why if the rules say allow everything. But sadly nothing from any of the two asterisk. I am really stuck. I have tried to log that traffic in all possible ways (Accepting and denied using fwbuilder) but I can't see it. How can I configure iptables to log absolutely everything??? Please if you can continue helping me I'll appreciate it a lot!
Ok I have now seen something really weird.
It seems to fail when in the two firewalls nat is activated, maybe "activated" is not the right word, but anyway I mean when these 5 rules appear in iptables-save's output:
Code:
*nat
Is it possible that the problem could be solved in the asterisk configuration??
Let's clarify some questions.
From your first post: "I have two asterisk servers each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5.". Can you tell me please, is "linux firewall/gw" a different box, connected to the "asterisk server" by ethernet? Or is it ONE linux box? = Software (hardware) asterisk and embedded linux iptables firewall? I will give you other questions after you answer that one, because I need to understand your network topology. Thanks.
Have you allowed udp ports from 5000 to 20000 and tcp 554?
Ok,
In total there are 4 linux boxes, 2 asterisk and 2 fw/gw. The firewall on the asterisk boxes is completely deactivated. The two linux fw/gw boxes are PCs. And responding to kirukan, the fw/gw are supposedly configured allowing all, but not explicitly those ports. Another bit of info that could be of interest: the two fw/gw are connected by a wireless network based on Motorola Canopy appliances. Before the linux boxes, there were a couple of cisco routers making the connection to the Canopys for the two subnets. Using the cisco routers everything worked fine.
Thanks.
As long as all 4 boxes are Linux it makes life easier. I hope you know the IP addresses of your asterisks. I will use your picture:
Code:
Asterisk 1 ------- FWA ---------- FWB -x--------- Asterisk 2
Please, on FWA execute the command:
Code:
tcpdump -nnt src <IP of the Asterisk 1> -i <FWA INPUT interface>
You will see what asterisk #1 sends to FWA. Then you can execute it on FWB and compare those outputs. It gives you an idea of what comes to FWA (without any changes by the firewall) and what FWB receives. Then execute that command on Asterisk 2 and you will see what comes through FWB. Try it, it may give you many interesting details. P.S. I added the input interface, because a FW has 2 interfaces where tcpdump can catch the source IP, so you need to specify the one you need.
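Comparing two tcpdump outputs by eye works for a handful of packets but not for a live trunk, so here is a helper that reduces each capture to its distinct "src.port > dst.port" flows and prints the ones seen at the first capture point but never at the second, i.e. the flows that vanish between them. It is an added example, not something from the thread; it assumes the "IP a.b.c.d.port > e.f.g.h.port:" line shape that tcpdump -nn -t prints, and the two sample captures (addresses from the RFC 5737 documentation ranges) are constructed.

```shell
#!/bin/sh
# Find flows present in a tcpdump -nnt capture at one point on the path
# (e.g. FWA's inside interface) that never show up at a later point
# (e.g. FWB's inside interface). POSIX sh + awk + sort + comm only.
LC_ALL=C
export LC_ALL

# Constructed captures: what FWA saw from Asterisk 1, and what FWB saw.
# The SIP dialog and an SSH SYN make it across; the RTP stream does not.
CAPTURE_FWA='IP 192.0.2.10.5060 > 198.51.100.20.5060: SIP, length: 412
IP 192.0.2.10.5060 > 198.51.100.20.5060: SIP, length: 412
IP 192.0.2.10.10002 > 198.51.100.20.10004: UDP, length 172
IP 192.0.2.10.43210 > 198.51.100.20.22: Flags [S], seq 1, win 5840, length 0'
CAPTURE_FWB='IP 192.0.2.10.5060 > 198.51.100.20.5060: SIP, length: 412
IP 192.0.2.10.43210 > 198.51.100.20.22: Flags [S], seq 1, win 5840, length 0'

# Reduce tcpdump -nnt lines on stdin to sorted, distinct "src.port > dst.port".
flows() {
    awk '$1 == "IP" && $3 == ">" { sub(/:$/, "", $4); print $2 " > " $4 }' | sort -u
}

# Print flows found in capture $1 (text) but absent from capture $2 (text).
missing_flows() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | flows > "$a"
    printf '%s\n' "$2" | flows > "$b"
    comm -23 "$a" "$b"          # lines only in the first sorted file
    rm -f "$a" "$b"
}

# Demo on the constructed captures. On real boxes save each capture with
#   tcpdump -nnt -i <iface> src <asterisk ip> > fwa.txt
# and pass the file contents: missing_flows "$(cat fwa.txt)" "$(cat fwb.txt)"
echo "Flows seen at FWA but not at FWB:"
missing_flows "$CAPTURE_FWA" "$CAPTURE_FWB"
```

The tuple deliberately includes ports, so a NAT that rewrites the source port between the two capture points shows up as a "missing" flow as well; that is the case to check first when, as later in this thread, the failure only appears once the nat table is populated.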
Thanks nimnull22,
I did what you told me about tcpdump and the packet was disappearing on the last interface of the last fw. No packet dropped at all according to the logs. But more important is... the problem has strangely gone now. I don't know why. I did not do anything and I tend to think the people in charge of the asterisk servers changed something on those boxes, although they say no. It is maybe too soon to claim victory, but thanks a lot for your help, and I will post again if the problem returns.