Tom,

While iptables supports hostnames, AstLinux does not at startup since DNS is 
not plugged in when the firewall is run at startup.  The developers have talked 
about this in the past and voted to leave it as is.  Though this could be made 
to work, there are reasons to stick with numeric addresses.  For now, please 
use numeric IP addresses in the firewall.

On to the next, you have me puzzled, I don't see how UDP 5060 from 
173.192.216.91 is making it in.  What are the results of:

$ arno-iptables-firewall restart

(obscure any IP you don't want public)

Is your AstLinux box configured with an internal LAN (two interfaces) or single 
interface (WAN)?

Lonnie

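A defender-side check for the situation Tom describes, added here as an example (it is not AstLinux's adaptive ban plugin nor code from the original thread): it parses the chan_sip "Registration from ... failed for" lines in /var/log/messages and tallies failures per source address, separating sources inside the LAN from everything else; any external source in the tally is SIP traffic the firewall let through to Asterisk. The sample log lines are constructed, and the 192.168.1.0/24 LAN and the ban threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format Asterisk 1.4 chan_sip logs to /var/log/messages.
# 173.192.216.91 and 203.0.113.7 are outside the LAN; 192.168.1.57 is inside it.
SAMPLE_LOG = """\
Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:604@192.168.1.10>' failed for '173.192.216.91' - No matching peer found
Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:605@192.168.1.10>' failed for '173.192.216.91' - No matching peer found
Mar  8 06:58:48 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:606@192.168.1.10>' failed for '173.192.216.91' - No matching peer found
Mar  8 07:01:03 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"201"<sip:201@192.168.1.10>' failed for '192.168.1.57' - Wrong password
Mar  8 07:01:09 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"1000"<sip:1000@192.168.1.10>' failed for '203.0.113.7' - No matching peer found
"""

# Matches the failed-REGISTER notice; the optional :port covers newer Asterisk
# releases that log the source port alongside the address.
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def failed_registrations(log_text, trusted_nets):
    """Count failed SIP REGISTER attempts per source IP.

    Returns (lan, external): two Counters keyed by source address, the first
    for sources inside any of trusted_nets (assumed LAN prefixes), the second
    for everything else. A non-empty 'external' means the firewall passed
    SIP from outside the LAN, which is the gap Tom is asking about.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    lan, external = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group("src"))
        bucket = lan if any(src in n for n in nets) else external
        bucket[str(src)] += 1
    return lan, external


def external_offenders(log_text, trusted_nets, threshold=3):
    """External sources with at least `threshold` failures (assumed ban threshold),
    most frequent first; these are candidates for a numeric DROP rule."""
    _, external = failed_registrations(log_text, trusted_nets)
    return [ip for ip, n in external.most_common() if n >= threshold]
```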

On Mar 14, 2011, at 9:25 PM, Tom Mazzotta wrote:

> I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my 
> ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this 
> router to the external interface of astlinux. All of my phones connect to 
> astlinux through the external interface of the Soekris box as well. Using 
> Arno, I setup rules to allow inbound SIP/RTP from my LAN clients and my SIP 
> provider. In the rules for the SIP provider, I used the hostname of their 
> server as opposed to an IP address. While my system was booting, I saw the 
> following messages displayed on the console:
> 
> ------------------------------
> Allowing 0/0 for TCP port(s): 22
> Allowing 0/0 for TCP port(s): 443
> Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
> Allowing 192.168.1.0/24 for UDP port(s): 4569
> Allowing 192.168.1.0/24 for UDP port(s): 5060
> Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 
> -p udp --dport 10000:10100 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Allowing inbound23.vitelity.net for UDP port(s): 5060
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 
> -p udp --dport 5060 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> 
> [cut]
> 
> Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
> ------------------------------
> 
> There seems to be a problem using hostnames in the rules. Since then I have 
> substituted the IP addresses in my rules to resolve the errors (although I 
> would really prefer to use hostnames). However, it looks like Arno permitted 
> SIP connections from ANY host, because the adaptive ban plugin logged the 
> following messages to /var/log:
> 
> pbx log # cat messages
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> ...
> 
> Apparently, my box was under attack by a system at 173.192.216.91.
> 
> So if hostnames are not supported in the Arno rules and those rules failed to 
> execute, I would have thought that all SIP connections outside of my LAN 
> would have been blocked, however, it seems that wasn't the case. Is this the 
> expected behavior of the system or have I misconfigured something?
> 
> 
> -tm
> 

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
