Remco Barende wrote:
Basically I want SIP and IAX2 to work. IAX2 works fine, but SIP is giving me a headache. It seems that the stateless firewall is not able to handle SIP. I'm using shorewall as my firewall with these rules:
ACCEPT net fw udp 4569
ACCEPT fw net udp 4569,5060,10000:20000
IAX2 will work fine, because you have allowed it in both directions.
Whenever I make a call I get these messages:
Apr 2 09:18:25 pbx kernel: Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=myip DST=80.118.132.66 LEN=200 TOS=0x00 PREC=0x00 TTL=64 ID=116 DF PROTO=UDP SPT=17798 DPT=7356 LEN=180
Apr 2 09:18:26 raveon kernel: Shorewall:net2fw:REJECT:IN=eth1 OUT= SRC=80.118.132.66 DST=myip LEN=200 TOS=0x00 PREC=0x00 TTL=53 ID=859 PROTO=UDP SPT=7356 DPT=17798 LEN=180
So it seems that the %&*$*&$^&!!!! server is still trying to go out via a port lower than the range set in rtp.conf.
Not exactly; Asterisk is using port 17798. It's the other end that's using 7356. Unfortunately, you don't really have any control over the remote end's RTP port.
You could try specifying the source ports on the outgoing rules with something like:
ACCEPT fw net udp - 10000:20000
This would allow any packets from the firewall to the internet originating from ports 10000:20000.
You should probably also allow incoming connections to port 5060 and 10000:20000, otherwise you may find that you can't receive inbound calls.
ACCEPT net fw udp 5060,10000:20000
should cater for that.
I'm using shorewall on our asterisk box at work and it works just fine. I allow all traffic out from the firewall to the net and only allow a very limited amount of incoming ports.
What is port 7356 for and what should I open to get it to work? I looked through the wiki but the low level iptables rules posted there do not make any sense to me.
Port 7356 is the remote end's RTP port.
I hope that helps,
Paul
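The following is an added example, not part of the original message: it replays the two rejected packets from the log lines in the thread against the original rules and against the rules suggested in the reply. It is a simplified model that assumes only the rule lines matter (no default policies, no connection tracking); the function names are hypothetical.

```python
import re

# Rules from the thread, in Shorewall column order:
# ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)]
ORIGINAL = """\
ACCEPT net fw udp 4569
ACCEPT fw net udp 4569,5060,10000:20000
"""
SUGGESTED = ORIGINAL + """\
ACCEPT fw net udp - 10000:20000
ACCEPT net fw udp 5060,10000:20000
"""

# Log lines from the thread, trimmed to the fields used here.
LOGS = [
    "Shorewall:fw2net:REJECT:IN= OUT=eth1 SRC=myip DST=80.118.132.66 PROTO=UDP SPT=17798 DPT=7356",
    "Shorewall:net2fw:REJECT:IN=eth1 OUT= SRC=80.118.132.66 DST=myip PROTO=UDP SPT=7356 DPT=17798",
]

def port_match(spec, port):
    """True if port is covered by a spec such as '-', '5060' or '4569,10000:20000'."""
    if spec == "-":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def parse_log(line):
    """Extract (source zone, dest zone, proto, sport, dport) from a Shorewall log line."""
    src, dst = re.search(r"Shorewall:(\w+)2(\w+):", line).groups()
    f = dict(re.findall(r"(\w+)=(\S+)", line))
    return src, dst, f["PROTO"].lower(), int(f["SPT"]), int(f["DPT"])

def first_match(rules, line):
    """Simplified model (rule lines only): first rule matching the logged packet, or None."""
    src, dst, proto, sport, dport = parse_log(line)
    for rule in rules.strip().splitlines():
        cols = rule.split() + ["-"]          # source-port column defaults to any
        _, r_src, r_dst, r_proto, dports, sports = cols[:6]
        if (r_src, r_dst, r_proto) == (src, dst, proto) \
                and port_match(dports, dport) and port_match(sports, sport):
            return rule
    return None

if __name__ == "__main__":
    for line in LOGS:
        print(parse_log(line), "->", first_match(SUGGESTED, line) or "no rule (REJECT)")
```

The outbound packet only matches once the source-port column is used, because its destination port (7356) is chosen by the remote end and falls outside every destination-port list.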
