Hi.

This sounds plausible and explains why it works at the moment... I just changed 
the IP of the Asterisk box (no traffic then) and changed it back to the 
original one.
Do you mean the ip_conntrack_sip package, which I disabled before or just the 
ip_conntrack module?

I already have shorewall-init on my gateway system and configured it now 
according to the manpage. But I have difficulties starting it... Do I have to 
disable the normal shorewall start script or do I need both? 

Greets,
Martin.

-----Original Message-----
From: Tom Eastep [mailto:[email protected]] 
Sent: Tuesday, 19 July 2011 16:56
To: Shorewall Users
Subject: Re: [Shorewall-users] Problem with NAT and SIP traffic

On Tue, 2011-07-19 at 01:34 +0200, Martin Krellmann wrote:

> this topic was discussed in numerous places before. But I think my 
> problem is a bit different...
> I have an Asterisk box which is supposed to register a trunk with 
> sipgate. It uses DNS lookups to find out my external IP address, which 
> is correctly placed in the SIP messages (I can see it on the Asterisk 
> CLI with some logging enabled). To sum it up, everything is set like 
> in many other discussions related to SIP problems.
> 
> The gateway (CentOS 5.6 with Shorewall 4.4.19.2) should then masq the 
> related traffic, but it doesn't. It uses the private IP of the 
> Asterisk box as source address. Of course sipgate cannot ever answer the 
> request.
> At the moment I have absolutely no idea what the problem is about... 
> All other traffic is masqueraded fine. I even removed the ip_nat_sip 
> and ip_conntrack_sip modules and added them to DONT_LOAD (according to FAQ 77).
> Additionally I have also added the DNAT rules for incoming SIP traffic.
> 
> The network configuration is more or less as usual:
> Asterisk Box <-LAN-1 (seth0)-> Gateway (NAT) <-(seth3) ISP-> Sipgate 
> Virtual Boxes <-LAN-2 (seth1)-> Gateway
> The systems in LAN 2 are not related to any SIP traffic.
> 
> I attached the output of "shorewall dump" to this email and copied the 
> line of a SIP packet:
> 
> udp      17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060
> packets=1166 bytes=554092 [UNREPLIED] src=217.10.79.9 
> dst=192.168.10.240 sport=5060 dport=5060 packets=0 bytes=0 mark=0 
> secmark=0 use=1
> 
> 217.10.79.9 is sipgate.de and 192.168.10.240 the Asterisk box on my 
> local network.

> So what am I missing?

This typically happens when there is an attempt by the Asterisk box to 
communicate with the gateway before Shorewall is started (before the NAT rules 
are in place).

The solution is to install the conntrack package and use 'shorewall start -p' 
(or shorewall restart -p) and/or install and configure shorewall-init so that 
the firewall is closed prior to Shorewall being started during boot.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
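The stale entry Tom describes can be spotted in a conntrack dump before restarting. The following is an added example, not code from the thread or from Shorewall, that parses lines in the format quoted above and reports [UNREPLIED] entries whose reply tuple still names the private LAN address (the sample entries and the external address 203.0.113.5 are constructed):

```shell
#!/bin/sh
# Added diagnostic (not from the thread): flag conntrack entries that show the
# symptom described above, i.e. packets from a LAN host to a public address
# whose reply tuple still names the private source, so no MASQUERADE/SNAT
# was applied and the entry sits [UNREPLIED].

# Constructed sample lines in the /proc/net/ip_conntrack format seen in
# "shorewall dump"; 203.0.113.5 stands in for the gateway's external address.
SAMPLE='udp      17 29 src=192.168.10.240 dst=217.10.79.9 sport=5060 dport=5060 packets=1166 bytes=554092 [UNREPLIED] src=217.10.79.9 dst=192.168.10.240 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1
udp      17 170 src=192.168.10.50 dst=198.51.100.7 sport=40000 dport=53 packets=3 bytes=200 src=198.51.100.7 dst=203.0.113.5 sport=53 dport=40000 packets=3 bytes=300 mark=0 secmark=0 use=1
udp      17 25 src=192.168.20.8 dst=198.51.100.9 sport=5060 dport=5060 packets=2 bytes=900 [UNREPLIED] src=198.51.100.9 dst=203.0.113.5 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=1'

# True for RFC 1918 addresses.
is_private() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Reads conntrack lines on stdin and prints "orig_src -> orig_dst" for each
# [UNREPLIED] entry whose reply-tuple dst equals the private original src.
unnatted_entries() {
  while IFS= read -r line; do
    case "$line" in *'[UNREPLIED]'*) ;; *) continue ;; esac
    set -f                    # no globbing: "[UNREPLIED]" is a glob pattern
    set -- $line
    set +f
    osrc=''; odst=''; rdst=''
    for tok in "$@"; do
      case "$tok" in
        src=*) if [ -z "$osrc" ]; then osrc=${tok#src=}; fi ;;
        dst=*) if [ -z "$odst" ]; then odst=${tok#dst=}; else rdst=${tok#dst=}; fi ;;
      esac
    done
    if is_private "$osrc" && ! is_private "$odst" && [ "$rdst" = "$osrc" ]; then
      printf '%s -> %s\n' "$osrc" "$odst"
    fi
  done
}

# On a live gateway: cat /proc/net/ip_conntrack | unnatted_entries
printf '%s\n' "$SAMPLE" | unnatted_entries
```

A hit means the entry was created before the NAT rules existed and will keep matching until it is purged (shorewall start -p) or the firewall is closed at boot by shorewall-init.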



_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
