SIP packets mysteriously disappearing when iptables-nat activated
Hi fellows,
I have a very weird case in my firewall.
I have an asterisk server and some phones and between them there is a linux firewall based on iptables.
With basic rules on iptables everything works ok, but when I put a single nat rule (no matter what rule I use) some packets from some phones mysteriously disappear from interface to interface.
Clearer:
The firewall has two interfaces: eth0 (pointing to phones) and eth2 (pointing to asterisk).
One problematic phone is 192.168.3.242, so I use tcpdump this way.
Code:
[prompt@server] tcpdump -i eth0 src 192.168.3.242
15:30:42.882384 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:43.881547 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:45.881193 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
Using -vvv I can see it is a SIP udp REGISTER request to the asterisk server (192.168.60.101).
With no nat in the firewall I use "-i eth2" and I can see the packet, so the packet reaches the server and works ok. But when there is nat present in the firewall I cannot see the packet on eth2.
The packet is always present in eth0.
The nat I use has nothing to do with the ips or ports involved; even empty nat accept rules like the following are enough to make the packets disappear:
I log everything denied and nothing appears.
I've tried logging state INVALID and it was not there either.
I have no clue where to find the packet or why it is gone.
Could it be a netfilter conntrack issue?
Could it be a hardware issue?
I'm not an expert in the SIP protocol, but the packet looks ok... and travels fine when nat is gone, so I suppose the phone is ok.
Please help me with this, or advise me please where to post this.
Thanks in advance!
Juan M.
PS: I think it is the same issue as in a previous thread posted by me: http://www.linuxquestions.org/questi...terisk-812339/
That problem went away when the asterisk staff replaced the sip protocol with iax between servers.
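As an added example (not from the thread or any of its posters), a small Python script that automates the eth0-versus-eth2 tcpdump comparison described in the post: it parses tcpdump summary lines, counts packets per SIP flow on each interface, and lists the flows that entered the firewall but never left it. The 192.168.3.242 lines are the ones from the post; the second phone 192.168.3.243 is constructed as a control that does get forwarded.

```python
import re
from collections import Counter

# One tcpdump summary line (with or without -n), e.g.
# 15:30:42.882384 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): (?P<proto>\w+)"
)

# Constructed sample captures: 192.168.3.242 lines are from the post, the
# 192.168.3.243 phone is made up as a control flow that does get forwarded.
ETH0_CAPTURE = """\
15:30:42.882384 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:43.102211 IP 192.168.3.243.sip > 192.168.60.101.sip: SIP, length: 611
15:30:43.881547 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:44.102690 IP 192.168.3.243.sip > 192.168.60.101.sip: SIP, length: 611
15:30:45.881193 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
"""
ETH2_CAPTURE = """\
15:30:43.102305 IP 192.168.3.243.sip > 192.168.60.101.sip: SIP, length: 611
15:30:44.102781 IP 192.168.3.243.sip > 192.168.60.101.sip: SIP, length: 611
"""

def parse_flows(capture_text, proto="SIP"):
    """Count packets per (src, sport, dst, dport) flow for the given protocol."""
    flows = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["proto"] == proto:
            flows[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    return flows

def missing_flows(ingress_text, egress_text):
    """Flows seen on the ingress interface with fewer (or no) packets on egress.

    Returns {flow: deficit}. Caveat: if a SNAT rule rewrites the source on the
    way out, the flow key changes and the flow is reported here even though it
    was forwarded; compare against the translated address in that case.
    """
    ingress, egress = parse_flows(ingress_text), parse_flows(egress_text)
    return {k: n - egress.get(k, 0) for k, n in ingress.items() if egress.get(k, 0) < n}

def report(ingress_text, egress_text):
    """One human-readable line per flow that did not fully cross the firewall."""
    return [f"{src}:{sp} -> {dst}:{dp}: {n} packet(s) entered but never left"
            for (src, sp, dst, dp), n in sorted(missing_flows(ingress_text, egress_text).items())]

if __name__ == "__main__":
    print("\n".join(report(ETH0_CAPTURE, ETH2_CAPTURE)))
```

Feed it the output of `tcpdump -i eth0 udp port 5060` and `tcpdump -i eth2 udp port 5060` captured over the same interval; a flow with a full deficit is one the firewall consumed somewhere between the two hooks.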
From web manual of iptables:
...All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTPUT chain. What this means is that iptables will do all recalculation of states and so on within the PREROUTING chain. If we send the initial packet in a stream, the state gets set to NEW within the OUTPUT chain, and when we receive a return packet, the state gets changed in the PREROUTING chain to ESTABLISHED, and so on. If the first packet is not originated by ourself, the NEW state is set within the PREROUTING chain of course. So, all state changes and calculations are done within the PREROUTING and OUTPUT chains of the nat table...
It looks like you enabled it, and it starts to do its job.
nimull22, I think the problem for him occurs even when he doesn't have any rules beyond those ACCEPT rules.
juan10dan, if you run tcpdump on the asterisk box, what kind of packets do you see? It'd be interesting to have it running with the rules off, then turn the rules on and capture the change.
That's right estabroo, the problem appears even when accepting all.
The only thing the firewall has to do with the sip packet is forwarding according to the linux routing table; there is no need to nat anything related. The nat present in the firewall is needed for other purposes.
And if I run tcpdump after enabling nat, the incoming packet is the same, but there is no outgoing packet.
For testing purposes the default is DROP but the states RELATED, ESTABLISHED and NEW are accepted in the only two rules in FORWARD chain (in filter table). The iptables-save output for filter table is:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
I've logged INVALID state looking for the sip udp packets, but nothing appears.
I don't know any other way to log possible dropped packets than logging INVALID state.
Based on what you've said I just don't see why it would be dropping those packets; this is really bizarre. I run sip packets through nat here just fine. Add a log rule to the end of FORWARD and see if it gets any hits.