LinuxQuestions.org forum: Linux - Networking
Hi everybody, this is my first post, so please forgive any inappropriate stuff.
I have two Asterisk servers, each one behind a Linux firewall/gateway. Linux is CentOS 5.4, kernel 2.6.18-164.el5, iptables v1.3.5.
Routes on the firewalls are OK, and when iptables is stopped the servers see each other; all good.
But when I run the iptables script on either firewall, one server (not always the same one) becomes unreachable. I verify this with asterisk -r, then show sip trunk, and the status becomes UNREACHABLE.
The iptables script is generated by fwbuilder. The weird part is that I put only one rule in the script, and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway, I run the script on either firewall and one server becomes UNREACHABLE.
I think the script does something wrong after all, or maybe I have some misconfiguration in my Asterisk conf files. The point is I am not much of an expert in iptables or shell scripting, so I can't see anything wrong in the iptables script.
I have looked for some issues like iptables blocking because the ip_conntrack table is full, or the "don't fragment" bit being set in the kernel, but nothing seems to be the right problem at all.
You guys, please help me! In the next post I will paste the iptables script.
[root@fwnuevos ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
If all servers work this way, the Asterisk servers work OK.
Changing all default rules to ACCEPT is what I supposedly tried to do with the script, and the output of iptables -L shows that for me, I think. But I think the script I'm showing you has to be doing something else on the server that is affecting communication.
If you mean changing the rules manually, well, maybe that could work, but the thing is I have to use fwbuilder because that is the software the company uses. Or at least I have to know exactly why it is failing before thinking about another option. Besides, I configured the firewalls to ACCEPT everything for testing purposes, but these firewalls have a big set of rules and NAT and routing, and all that works properly, so changing the script generator may not be an option for me.
If your problem still exists, please apply your script and then type "iptables-save". If possible, please post the output here.
The second thing you can do is to add a LOG rule at the end (it should be the LAST rule) of Chain INPUT, Chain FORWARD and Chain OUTPUT.
Then you can start to do some things with Asterisk. Everything you find in the log will, according to the firewall rules, be dropped.
The output of iptables-save on one of the firewalls, with only one rule in fwbuilder, is:
Code:
# Generated by iptables-save v1.3.5 on Tue Jun 8 17:06:31 2010
*mangle
:PREROUTING ACCEPT [12133700:5890029074]
:INPUT ACCEPT [1249720:748345578]
:FORWARD ACCEPT [10883100:5141611296]
:OUTPUT ACCEPT [1086404:759715357]
:POSTROUTING ACCEPT [11895205:5896205368]
COMMIT
# Completed on Tue Jun 8 17:06:31 2010
# Generated by iptables-save v1.3.5 on Tue Jun 8 17:06:31 2010
*filter
:INPUT DROP [2:152]
:FORWARD DROP [5:5059]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
# Completed on Tue Jun 8 17:06:31 2010
# Generated by iptables-save v1.3.5 on Tue Jun 8 17:06:31 2010
*nat
:PREROUTING ACCEPT [351972:20012909]
:POSTROUTING ACCEPT [271654:13563320]
:OUTPUT ACCEPT [23093:1426014]
COMMIT
# Completed on Tue Jun 8 17:06:31 2010
I just noticed this now and wonder: what is the meaning of those three DROP policies, and why did they put them there? Is that the problem?
Another thing I could find was: the UDP packet always gets stuck on the second firewall. For example, look at this figure:
In this case, sending the packet from Asterisk 1 to Asterisk 2, the packet gets lost on the outbound interface of FW B, just where the X marks.
Asterisk 1 ------- FWA ---------- FWB -x--------- Asterisk 2
In this other case, sending the packet from Asterisk 2 to Asterisk 1, the packet gets lost on the outbound interface of FWA, just where the X marks.
Asterisk 1 ------x- FWA ---------- FWB ----------- Asterisk 2
Well, thanks again guys.
Hope I'm close to getting this solved! With your help, of course.
First of all, check that you have "1" in /proc/sys/net/ipv4/ip_forward.
If not, you can use: echo 1 > /proc/sys/net/ipv4/ip_forward. Remember that it is NOT permanent; the next reboot will wipe it.
Second. Take a look and try to understand, please.
:FORWARD DROP [5:5059]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
Those mean that anything that doesn't match the ACCEPT rules will be dropped.
So you NEED to add a LOG rule after those two:
iptables -I FORWARD 3 -j LOG
It will add logging of everything that was not matched as ACCEPT, and you can analyze it. It easily can be SNMP.
Apply it to both firewalls.
None of us is a genius, but there are always ways to find a problem; logging is the first of them.
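Added example (mine, not code from anyone in the thread): a small POSIX shell script that does what the last two replies describe, but against an iptables-save dump rather than with individual iptables -I commands, so the same change can be loaded on both firewalls with iptables-restore. The dump embedded in the script is constructed from the *filter and *nat tables posted above; the function names and the "<chain>-drop: " log prefix are my choices. The point worth keeping in mind: the posted rules accept only NEW, RELATED and ESTABLISHED, so any packet that conntrack classifies as INVALID matches neither ACCEPT rule and falls through to the DROP policy without a trace. A LOG rule placed last in the chain is what makes those packets visible.

```shell
#!/bin/sh
# Added example, not part of the thread: append a LOG rule to every filter
# chain whose policy is DROP, working on an iptables-save dump so the result
# can be loaded with iptables-restore on either firewall.

# Constructed sample dump, modelled on the *filter and *nat tables posted above.
SAMPLE_DUMP='*filter
:INPUT DROP [2:152]
:FORWARD DROP [5:5059]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [351972:20012909]
:POSTROUTING ACCEPT [271654:13563320]
:OUTPUT ACCEPT [23093:1426014]
COMMIT'

# add_drop_logging: read an iptables-save dump on stdin and write it back out
# with a '-A <chain> -j LOG --log-prefix "<chain>-drop: "' line inserted just
# before the *filter COMMIT for each chain declared with policy DROP.  Being the
# last rule in the chain, LOG only sees what every ACCEPT rule already passed
# over, i.e. exactly what the DROP policy is about to discard.
add_drop_logging() {
    awk '
        /^\*/ { table = substr($0, 2); n = 0 }          # new table section
        table == "filter" && /^:/ && $2 == "DROP" {     # ":CHAIN DROP [p:b]"
            chains[n++] = substr($1, 2)
        }
        table == "filter" && /^COMMIT/ {
            for (i = 0; i < n; i++)
                printf "-A %s -j LOG --log-prefix \"%s-drop: \"\n", chains[i], chains[i]
        }
        { print }
    '
}

# count_log_rules: number of LOG rules in a dump read from stdin.
count_log_rules() {
    grep -c -- '-j LOG'
}

# ip_forward_enabled: true if the kernel forwards between interfaces.  Takes an
# optional path so the check can be exercised against a file other than the
# real sysctl knob (the default is the real one).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Stand-alone demo: rewrite the constructed dump and print the result.
printf '%s\n' "$SAMPLE_DUMP" | add_drop_logging
```

On a real box the pipeline is iptables-save | add_drop_logging | iptables-restore, and the LOG entries show up in the kernel log (dmesg, or /var/log/messages on CentOS 5), each prefixed with the chain name so the two firewalls' logs can be told apart. Logging without a limit is fine for a short debugging session; for anything left running, add -m limit to the LOG rule so a flood cannot fill the log.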
iptables -I FORWARD 3 -j LOG worked very well. Effectively, the firewall started to log some denied packets, which I don't understand, since the rules say allow everything.
But sadly nothing from either of the two Asterisk servers.
I am really stuck. I have tried to log that traffic in all possible ways (accepting and denying using fwbuilder) but I can't see it.
How can I configure iptables to log absolutely everything?
Please, if you can continue helping me, I'll appreciate it a lot!
It seems to fail when NAT is activated on both firewalls; maybe "activated" is not the right word, but anyway I mean when these 5 rules appear in the iptables-save output:
From your first post: "I have two asterisk servers each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5.".
Can you tell me, please: is the "linux firewall/gw" a different box, connected to the "asterisk server" by Ethernet?
Or is it ONE Linux box, i.e. software (hardware) Asterisk and an embedded Linux iptables firewall?
I will ask you more questions after you answer that one, because I need to understand your network topology.
In total there are 4 Linux boxes: 2 Asterisk and 2 fw/gw. The firewall on the Asterisk boxes is completely deactivated. The two Linux fw/gw boxes are PCs.
And responding to kirukan: the fw/gw are supposedly configured to allow everything, but not explicitly those ports.
Other info that could be of interest: the two fw/gw are connected by a wireless network based on Motorola Canopy appliances. Before the Linux boxes, there were a couple of Cisco routers making the connection to the Canopys for the two subnets. Using the Cisco routers everything worked fine.