Hi Tom,

What is the output of:

iptables -nL |grep ACCEPT

G

On 03/14/2011 07:25 PM, Tom Mazzotta wrote:
> I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my
> ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this
> router to the external interface of astlinux. All of my phones connect to
> astlinux through the external interface of the Soekris box as well. Using
> Arno, I set up rules to allow inbound SIP/RTP from my LAN clients and my SIP
> provider. In the rules for the SIP provider, I used the hostname of their
> server as opposed to an IP address. While my system was booting, I saw the
> following messages displayed on the console:
>
> ------------------------------
> Allowing 0/0 for TCP port(s): 22
> Allowing 0/0 for TCP port(s): 443
> Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
> Allowing 192.168.1.0/24 for UDP port(s): 4569
> Allowing 192.168.1.0/24 for UDP port(s): 5060
> Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 10000:10100 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Allowing inbound23.vitelity.net for UDP port(s): 5060
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 -p udp --dport 5060 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
>
> [cut]
>
> Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
> ------------------------------
>
> There seems to be a problem using hostnames in the rules. Since then I have
> substituted the IP addresses in my rules to resolve the errors (although I
> would really prefer to use hostnames). However, it looks like Arno permitted
> SIP connections from ANY host, because the adaptive ban plugin logged the
> following messages to /var/log:
>
> pbx log # cat messages
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> Mar 8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: chan_sip.c:16796 in handle_request_register: Registration from '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching peer found
> ...
>
> Apparently, my box was under attack by a system at 173.192.216.91.
>
> So if hostnames are not supported in the Arno rules and those rules failed to
> execute, I would have thought that all SIP connections outside of my LAN
> would have been blocked, however, it seems that wasn't the case. Is this the
> expected behavior of the system or have I misconfigured something?
>
> -tm
>
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.

-- 
===========================
Gene Cooper
Sonora Communications, Inc.
936 W. Prince Road
Tucson, AZ 85705
(520) 407-2000 x101
(520) 888-4060 fax
gcoo...@sonoracomm.com
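As an added example (not from this thread, nor from AstLinux or Arno), one way to audit the `iptables -nL` output Gene asks for: parse the ACCEPT rules and list which sources may reach a given protocol/port, so a rule that was meant to be restricted to the LAN or the SIP provider but ended up as 0.0.0.0/0 stands out. The sample output is constructed to mirror the rules in Tom's console messages, plus a hypothetical wide-open SIP rule to show what a problematic entry looks like.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables -nL` output (column layout as iptables
# prints it). The last ACCEPT line is a hypothetical wide-open SIP rule.
SAMPLE_IPTABLES_NL = """\
Chain EXT_INPUT_CHAIN (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpts:10000:10100
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:4569
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0            udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060
"""

# target prot opt source destination [match options...]
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+(?P<extra>.*))?$"
)
# "dpt:5060" or "dpts:10000:10100"
DPORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")


def parse_accepts(text: str) -> List[Dict]:
    """Return every ACCEPT rule as {chain, prot, src, lo, hi} (port range)."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue  # column header or a non-ACCEPT target
        p = DPORT_RE.search(m.group("extra") or "")
        lo = int(p.group(1)) if p else 0            # no dport match: any port
        hi = int(p.group(2) or p.group(1)) if p else 65535
        rules.append({"chain": chain, "prot": m.group("prot"),
                      "src": m.group("src"), "lo": lo, "hi": hi})
    return rules


def sources_allowed(rules: List[Dict], prot: str, port: int) -> List[str]:
    """Sources that some ACCEPT rule lets reach prot/port ("all" matches any prot)."""
    return [r["src"] for r in rules
            if r["prot"] in (prot, "all") and r["lo"] <= port <= r["hi"]]


def open_to_world(rules: List[Dict], prot: str, port: int) -> bool:
    """True if prot/port is accepted from 0.0.0.0/0, i.e. from any host."""
    return "0.0.0.0/0" in sources_allowed(rules, prot, port)
```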