Hi Tom,

What is the output of:

iptables -nL | grep ACCEPT

G

On 03/14/2011 07:25 PM, Tom Mazzotta wrote:
> I am running astlinux-0.7.7 (Asterisk 1.4.40) on a Soekris box behind my 
> ISP's cable router on my LAN. I am forwarding all SIP & RTP packets from this 
> router to the external interface of astlinux. All of my phones connect to 
> astlinux through the external interface of the Soekris box as well. Using 
> Arno, I set up rules to allow inbound SIP/RTP from my LAN clients and my SIP 
> provider. In the rules for the SIP provider, I used the hostname of their 
> server as opposed to an IP address. While my system was booting, I saw the 
> following messages displayed on the console:
>
> ------------------------------
>   Allowing 0/0 for TCP port(s): 22
>   Allowing 0/0 for TCP port(s): 443
>   Allowing 192.168.1.0/24 for UDP port(s): 10000:10100
>   Allowing 192.168.1.0/24 for UDP port(s): 4569
>   Allowing 192.168.1.0/24 for UDP port(s): 5060
>   Allowing inbound23.vitelity.net for UDP port(s): 10000:10100
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 
> -p udp --dport 10000:10100 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
>   Allowing inbound23.vitelity.net for UDP port(s): 5060
> /usr/sbin/iptables -A EXT_INPUT_CHAIN -i + -s inbound23.vitelity.net -d 0/0 
> -p udp --dport 5060 -j ACCEPT
> ERROR (2): iptables v1.4.9: host/network `inbound23.vitelity.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
>
> [cut]
>
> Mar 14 19:57:22 WARNING: Not all firewall rules are applied.
> ------------------------------
>
> There seems to be a problem using hostnames in the rules. Since then I have 
> substituted the IP addresses in my rules to resolve the errors (although I 
> would really prefer to use hostnames). However, it looks like Arno permitted 
> SIP connections from ANY host, because the adaptive ban plugin logged the 
> following messages to /var/log:
>
> pbx log # cat messages
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"604"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"605"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"606"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"607"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"608"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"609"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"610"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"611"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"612"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"613"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"614"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> Mar  8 06:58:47 pbx local0.notice asterisk[2957]: NOTICE[2957]: 
> chan_sip.c:16796 in handle_request_register: Registration from 
> '"615"<sip:6...@192.168.1.xxx>' failed for '173.192.216.91' - No matching 
> peer found
> ...
>
> Apparently, my box was under attack by a system at 173.192.216.91.
>
> So if hostnames are not supported in the Arno rules and those rules failed to 
> execute, I would have thought that all SIP connections outside of my LAN 
> would have been blocked, however, it seems that wasn't the case. Is this the 
> expected behavior of the system or have I misconfigured something?
>
>
> -tm
>
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.
>

-- 

===========================
Gene Cooper
Sonora Communications, Inc.
936 W. Prince Road
Tucson, AZ  85705

(520) 407-2000 x101
(520) 888-4060 fax

gcoo...@sonoracomm.com
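
An added example, not part of the original messages or of AstLinux/Arno: one way to read an `iptables -nL` listing for the question raised in this thread, reporting ACCEPT rules that admit UDP port 5060 from any source. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; open_accepts and sample_listing are hypothetical names.
# open_accepts PORT: read `iptables -nL` output on stdin and print each ACCEPT
# rule that admits new UDP traffic to PORT from any source (0.0.0.0/0).
# Matches other than dpt/dpts/state are not interpreted, so such rules are
# reported for manual review. Plain -nL omits interfaces; -nvL shows them but
# adds leading columns that this function does not expect.
open_accepts() {
    awk -v port="$1" '
    $1 == "Chain"               { chain = $2; next }
    $1 != "ACCEPT"              { next }
    $2 != "udp" && $2 != "all"  { next }
    $4 != "0.0.0.0/0"           { next }
    {
        covered = 1; newok = 1          # no port match means every port
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^dpt:/) {
                split($i, a, ":")
                covered = (a[2] + 0 == port + 0)
            } else if ($i ~ /^dpts:/) {
                split($i, a, ":")
                covered = (port + 0 >= a[2] + 0 && port + 0 <= a[3] + 0)
            } else if (($i == "state" || $i == "ctstate") && $(i + 1) !~ /NEW/) {
                newok = 0               # established/related traffic only
            }
        }
        if (covered && newok) print chain ": " $0
    }'
}

# Constructed listing, not output from the system discussed in the thread.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
EXT_INPUT_CHAIN  all  --  0.0.0.0/0      0.0.0.0/0

Chain EXT_INPUT_CHAIN (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     udp  --  192.168.1.0/24       0.0.0.0/0           udp dpt:5060
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:5000:5100
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4569
EOF
}

sample_listing | open_accepts 5060
```

On a live system the same function reads the real listing: `iptables -nL | open_accepts 5060`.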
