Hi Bruce,
Your first line doesn't cause this type of problem, but it does open your
firewall too much:
> ACCEPT all -- anywhere anywhere state
> INVALID,NEW,RELATED,ESTABLISHED,UNTRACKED
This line allows INVALID, NEW and UNTRACKED packets. This means that ALL
incoming connections are partially accepted. Also invalid packets are allowed.
I'm pretty sure that means packets that are broken, or connection sequence
packets that don't follow the proper sequence. Untracked is any packet that
isn't part of an existing connection.
So in this one line you are allowing a lot of packets that a good firewall
explicitly drops. Typically this rule is specified near the end and looks like:
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Putting it first means that any packet from an established connection will
update the counters on this rule. You probably want one of the specific rules
to show a true count.
Your OUTPUT and FORWARD chains don't look good either. You don't need a FORWARD
unless you intend to forward packets out another network port. So setting "echo
0 > /proc/sys/net/ipv4/ip_forward" will totally prevent forwarding and putting
a policy of DROP with no rules on forward is typical.
Your OUTPUT chain ACCEPTS all packets anyway so putting a rule in there only
serves to count packets. If this server is not acting as a firewall for any
other systems a blank rule is lazy but usually not a problem. The paranoid will
put in rules to make sure that packets with non-routable IPs don't leave. Also
port 25 is typically blocked or restricted if the server sends email to a smart
host, or not at all.
You want to run tcpdump on your outside port to see if your firewall is even
seeing the packets:
tcpdump -i eth0 -s 1500 -X udp port 5060 and host 173.173.173.173
I have also seen (just yesterday) my home firewall not allow registration of my
Sipura with an Asterisk box. Lazily I rebooted since a power outage destroyed
my uptime recently. After the reboot it worked fine. I could have tried to stop
IPTables, remove netfilter kernel modules and restart IPtables, but like I
said, I was feeling lazy.
----- Original Message -----
> Hi Everyone,
>
> A VPS from rackspacecloud.com can establish a connection to a provider
> which uses standard port 5060 without any hassles. However, if trying
> to register to port 5090 of a different provider a request to initiate
> call is sent but there is no responce from them at SIP debug level.
> And "sip show registry" shows Request Sent. Tries go on for 6 times
> until call fails.
>
>
>
> Following is the responce that provider gets when trying to reach us:
> 15:03:03.608227 IP 82.80.252.29 > 173.173.173.173: ICMP 82.80.252.29
> udp port sip unreachable, length 431
> 15:03:07.430966 IP 173.173.173.173.sip > 82.80.252.29.sip: SIP,
> length: 395
> 15:03:07.607955 IP 82.80.252.29 > 173.173.173.173: ICMP 82.80.252.29
> udp port sip unreachable, length 431
> 15:03:11.430603 IP 173.173.173.173.sip > 82.80.252.29.sip: SIP,
> length: 395
>
>
> Following is the iptable rules:
>
>
>
> [r...@tel ~]# service iptables -L
> Usage: /etc/init.d/iptables
> {start|stop|restart|condrestart|status|panic|save} [r...@tel ~]#
> iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> INVALID,NEW,RELATED,ESTABLISHED,UNTRACKED ACCEPT all -- anywhere
> anywhere ACCEPT tcp -- anywhere anywhere tcp dpt:http
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
> ACCEPT tcp -- anywhere anywhere tcp dpt:upnotifyp
> ACCEPT tcp -- anywhere anywhere tcp dpt:https
> ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp
> ACCEPT udp -- anywhere anywhere udp dpt:4520
> ACCEPT udp -- anywhere anywhere udp dpt:iax
> ACCEPT udp -- anywhere anywhere udp dpt:sip
> ACCEPT udp -- anywhere anywhere udp dpt:5090
> ACCEPT udp -- anywhere anywhere udp dpts:ndmp:dnp
> ACCEPT udp -- anywhere anywhere udp dpt:ntp
> ACCEPT udp -- anywhere anywhere udp dpt:tftp
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT icmp -- anywhere anywhere icmp echo-request
> DROP all -- localhost anywhere
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> INVALID,NEW,RELATED,ESTABLISHED,UNTRACKED
>
>
> Following is sip info from Asterisk:
>
>
>
> tel*CLI> sip show peers
> Name/username Host Dyn Nat ACL Port Status
> Spikko/myusername 82.80.252.29 5090 Unmonitored
> 4 sip peers [Monitored: 1 online, 1 offline Unmonitored: 2 online, 0
> offline]
>
>
>
> tel*CLI> sip show registry
> Host dnsmgr Username Refresh State Reg.Time
> 82.80.252.29:5060 N myusername 120 Request Sent
> 1 SIP registrations.
>
>
>
>
> Could they be coming back at UDP port other than 10000:20000? I think
> it doesn't even involve UDP at this point and it's a SIP problem.
> Should someting be done to Asterisk due to this 5090 port?
>
>
>
> The trunk settings was tested on other server with iptables disabled
> and it works just flawlesly so it's not a trunk settings issue or
> authorization. I even disabled iptables on this VPS and also flushed
> it but it was frutile.
>
>
>
> Any input is appreciated.
>
>
>
> Thanks,
>
> Bruce
>
>
>
> _________________________________________________________________
> Learn more ways to connect with your buddies now
> http://go.microsoft.com/?linkid=9734388
--
John Van Ostrand
CTO, co-CEO
Net Direct Inc.
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
Ph: 866-883-1172 x5102
Fx: 519-883-8533
Linux Solutions / IBM Hardware
--
John Van Ostrand
CTO, co-CEO
Net Direct Inc.
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
Ph: 866-883-1172 x5102
Fx: 519-883-8533
Linux Solutions / IBM Hardware
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
