On 09/07/2013 01:26 PM, Tony Mountifield wrote:
In article <[email protected]>,
Sean Darcy <[email protected]> wrote:
On 09/07/2013 10:33 AM, Tony Mountifield wrote:
In article <[email protected]>,
Sean Darcy <[email protected]> wrote:
On 09/06/2013 07:08 PM, Steve Edwards wrote:
On Fri, 6 Sep 2013, Sean Darcy wrote:
I'm not sure asterisk is even listening for the packets:
[root@asterisk ~]# netstat -apnt | grep 4569
[root@asterisk ~]#
'-t' means TCP. IAX is UDP.
My bad:
netstat -apnu | grep 4569
udp 0 0 0.0.0.0:4569 0.0.0.0:* 3176/asterisk
But why isn't asterisk seeing/acting upon the registration request?
Wireshark finds the packet to 4569, so it's not a firewall problem.
Are you sure about that? I have found in the past that tcpdump sees inbound
packets before they get to the iptables filter.
What happens if you do:
iptables -I INPUT 1 -p udp --dport 4569 -j ACCEPT
Cheers
Tony
Wow! Look:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere ctstate NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Which means to me that the INPUT chain will ACCEPT all protocols from
anywhere to anywhere.
I suspect there's something that is not being shown there. Try:
# iptables -vnL
(and if pasting it, to post here, try to avoid line-wrapping if possible).
But no, iptables -I INPUT 1 -p udp --dport 4569 -j ACCEPT solves the
problem and asterisk now registers my device.
Now I have to find a way to make it persistent across reboots.
If your system is RH or CentOS-like, you can do:
# service iptables save
That creates the file /etc/sysconfig/iptables, which is loaded on boot.
Cheers
Tony
iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
125K 171M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13 768 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
1 40 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
So this means the packet is accepted only if it comes from the loopback
interface?
I've disabled iptables altogether, now relying on the amazon security group.
Thanks for your help.
sean
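
Added example, not part of the original thread: a small first-match evaluator over the INPUT rows of the `iptables -vnL` listing above, showing why the rule that plain `iptables -L` prints as "ACCEPT all anywhere anywhere" does not cover the IAX registration. The interface name `eth0` and the listed form of the inserted UDP rule are assumptions; source and destination are ignored because every row is 0.0.0.0/0.

```python
# Constructed sample: INPUT rows from the thread's `iptables -vnL`, wrapped lines re-joined.
RULES = """\
125K 171M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13 768 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
1 40 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
"""
# Constructed row: how the rule added with `iptables -I INPUT 1 ...` would be listed.
IAX_RULE = "0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569\n"

def parse(listing):
    """Turn each -vnL row into a dict of the fields this check needs."""
    rules = []
    for line in listing.splitlines():
        f = line.split()  # pkts bytes target prot opt in out source destination [extras]
        if len(f) < 9:
            continue
        rule = {"target": f[2], "proto": f[3], "in": f[5], "ctstate": None, "dport": None}
        extra = f[9:]
        for i, tok in enumerate(extra):
            if tok == "ctstate" and i + 1 < len(extra):
                rule["ctstate"] = set(extra[i + 1].split(","))
            elif tok.startswith("dpt:"):
                rule["dport"] = int(tok[4:])
        rules.append(rule)
    return rules

def verdict(rules, iface, proto, dport, state="NEW"):
    """Return (1-based rule number, target) of the first matching rule, else (0, 'policy')."""
    for n, r in enumerate(rules, 1):
        if r["in"] not in ("*", iface):          # the column plain `iptables -L` hides
            continue
        if r["proto"] not in ("all", proto):
            continue
        if r["ctstate"] and state not in r["ctstate"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return n, r["target"]
    return 0, "policy"

if __name__ == "__main__":
    # "eth0" is an assumed name for the external interface.
    print("before, eth0:", verdict(parse(RULES), "eth0", "udp", 4569))
    print("before, lo:  ", verdict(parse(RULES), "lo", "udp", 4569))
    print("after,  eth0:", verdict(parse(IAX_RULE + RULES), "eth0", "udp", 4569))
```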