Hello
I configured Shorewall for an Asterisk server.
I needed to add the following to /etc/shorewall/start:
rmmod nf_nat_sip &> /dev/null
rmmod nf_conntrack_sip &> /dev/null
And it works fine.
The only problem I have detected is that when I have a call established, at the
30-minute mark the call drops, and I need to make another call.
The configuration is on CentOS 6.5 Final with kernel 2.6.32-431.17.1 and
Shorewall 4.5.4.
I am sending the parts of the shorewall dump related to the modules and
nf_conntrack; I understand it is something generic with TCP connections or
nf_conntrack (netfilter).
Thanks in advance
Regards
Victor
/proc
/proc/version = Linux version 2.6.32-431.17.1.el6.x86_64 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC) ) #1 SMP Wed May 7 23:32:49 UTC 2014
/proc/sys/net/ipv4/ip_forward = 1
/proc/sys/net/ipv4/icmp_echo_ignore_all = 0
/proc/sys/net/ipv4/conf/all/proxy_arp = 0
/proc/sys/net/ipv4/conf/all/arp_filter = 0
/proc/sys/net/ipv4/conf/all/arp_ignore = 0
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/all/log_martians = 0
/proc/sys/net/ipv4/conf/default/proxy_arp = 0
/proc/sys/net/ipv4/conf/default/arp_filter = 0
/proc/sys/net/ipv4/conf/default/arp_ignore = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/default/log_martians = 1
/proc/sys/net/ipv4/conf/eth0/proxy_arp = 0
/proc/sys/net/ipv4/conf/eth0/arp_filter = 0
/proc/sys/net/ipv4/conf/eth0/arp_ignore = 0
/proc/sys/net/ipv4/conf/eth0/rp_filter = 0
/proc/sys/net/ipv4/conf/eth0/log_martians = 1
/proc/sys/net/ipv4/conf/lo/proxy_arp = 0
/proc/sys/net/ipv4/conf/lo/arp_filter = 0
/proc/sys/net/ipv4/conf/lo/arp_ignore = 0
/proc/sys/net/ipv4/conf/lo/rp_filter = 0
/proc/sys/net/ipv4/conf/lo/log_martians = 1
/proc/sys/net/ipv4/conf/tun3/proxy_arp = 0
/proc/sys/net/ipv4/conf/tun3/arp_filter = 0
/proc/sys/net/ipv4/conf/tun3/arp_ignore = 0
/proc/sys/net/ipv4/conf/tun3/rp_filter = 0
/proc/sys/net/ipv4/conf/tun3/log_martians = 1
Modules
ip_set 30977 1 xt_set
iptable_filter 2793 1
iptable_mangle 3349 1
iptable_nat 6158 0
iptable_raw 2264 0
ip_tables 17831 4 iptable_raw,iptable_nat,iptable_mangle,iptable_filter
ipt_addrtype 2153 5
ipt_ah 1247 0
ipt_CLUSTERIP 6796 0
ipt_ecn 1507 0
ipt_ECN 1955 0
ipt_LOG 5845 9
ipt_MASQUERADE 2466 0
ipt_NETMAP 1832 0
ipt_REDIRECT 1840 0
ipt_REJECT 2351 4
ipt_ULOG 10765 0
nf_conntrack 79758 32 xt_connlimit,ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_conntrack_snmp,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_sane,nf_conntrack_tftp,nf_conntrack_proto_udplite,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_broadcast,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_conntrack_amanda 2979 1 nf_nat_amanda
nf_conntrack_broadcast 1471 2 nf_conntrack_snmp,nf_conntrack_netbios_ns
nf_conntrack_ftp 12913 1 nf_nat_ftp
nf_conntrack_h323 67696 1 nf_nat_h323
nf_conntrack_ipv4 9506 16 iptable_nat,nf_nat
nf_conntrack_irc 5530 1 nf_nat_irc
nf_conntrack_netbios_ns 1323 0
nf_conntrack_netlink 17392 0
nf_conntrack_pptp 12166 1 nf_nat_pptp
nf_conntrack_proto_gre 7003 1 nf_conntrack_pptp
nf_conntrack_proto_sctp 12482 0
nf_conntrack_proto_udplite 3348 0
nf_conntrack_sane 5716 0
nf_conntrack_snmp 1651 1 nf_nat_snmp_basic
nf_conntrack_tftp 4878 1 nf_nat_tftp
nf_defrag_ipv4 1483 2 xt_TPROXY,nf_conntrack_ipv4
nf_defrag_ipv6 11156 1 xt_TPROXY
nf_nat 22759 11 ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,iptable_nat
nf_nat_amanda 1277 0
nf_nat_ftp 3507 0
nf_nat_h323 8830 0
nf_nat_irc 1883 0
nf_nat_pptp 4653 0
nf_nat_proto_gre 3028 1 nf_nat_pptp
nf_nat_snmp_basic 8553 0
nf_nat_tftp 987 0
nf_tproxy_core 1332 1 xt_TPROXY,[permanent]
xt_AUDIT 3064 0
xt_CLASSIFY 1069 0
xt_comment 1034 9
xt_connlimit 3238 0
xt_connmark 1347 0
xt_CONNMARK 1507 0
xt_conntrack 2776 13
xt_dccp 2215 0
xt_dscp 1831 0
xt_DSCP 2279 0
xt_hashlimit 9685 0
xt_helper 1497 0
xt_iprange 2312 0
xt_length 1322 0
xt_limit 2118 0
xt_mac 1118 0
xt_mark 1057 0
xt_MARK 1057 1
xt_multiport 2700 2
xt_NFLOG 1195 0
xt_NFQUEUE 2213 0
xt_owner 1252 0
xt_physdev 1741 0
xt_pkttype 1194 0
xt_policy 2616 0
xt_realm 1060 0
xt_recent 7932 0
xt_set 4032 0
xt_state 1492 0
xt_statistic 1524 0
xt_tcpmss 1607 0
xt_time 2183 0
xt_TPROXY 9249 0
Shorewall has detected the following iptables/netfilter capabilities:
NAT (NAT_ENABLED): Available
Packet Mangling (MANGLE_ENABLED): Available
Multi-port Match (MULTIPORT): Available
Extended Multi-port Match (XMULIPORT): Available
Connection Tracking Match (CONNTRACK_MATCH): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Packet Type Match (USEPKTTYPE): Available
Policy Match (POLICY_MATCH): Available
Physdev Match (PHYSDEV_MATCH): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Packet length Match (LENGTH_MATCH): Available
IP range Match(IPRANGE_MATCH): Available
Recent Match (RECENT_MATCH): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
CONNMARK Target (CONNMARK): Available
Extended CONNMARK Target (XCONNMARK): Available
Connmark Match (CONNMARK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Raw Table (RAW_TABLE): Available
Rawpost Table (RAWPOST_TABLE): Not available
IPP2P Match (IPP2P_MATCH): Not available
CLASSIFY Target (CLASSIFY_TARGET): Available
Extended REJECT (ENHANCED_REJECT): Available
Repeat match (KLUDGEFREE): Available
MARK Target (MARK): Available
Extended MARK Target (XMARK): Available
Extended MARK Target 2 (EXMARK): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Comments (COMMENTS): Available
Address Type Match (ADDRTYPE): Available
TCPMSS Match (TCPMSS_MATCH): Available
Hashlimit Match (HASHLIMIT_MATCH): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Realm Match (REALM_MATCH): Available
Helper Match (HELPER_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Time Match (TIME_MATCH): Available
Goto Support (GOTO_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Not available
IPMARK Target (IPMARK_TARGET): Not available
LOG Target (LOG_TARGET): Available
ULOG Target (ULOG_TARGET): Available
NFLOG Target (NFLOG_TARGET): Available
Persistent SNAT (PERSISTENT_SNAT): Available
TPROXY Target (TPROXY_TARGET): Available
FLOW Classifier (FLOW_FILTER): Available
fwmark route mask (FWMARK_RT_MASK): Available
Mark in any table (MARK_ANYWHERE): Available
Header Match (HEADER_MATCH): Not available
ACCOUNT Target (ACCOUNT_TARGET): Not available
AUDIT Target (AUDIT_TARGET): Available
ipset V5 (IPSET_V5): Not available
Condition Match (CONDITION_MATCH): Not available
Statistic Match (STATISTIC_MATCH): Available
IMQ Target (IMQ_TARGET): Not available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Geo IP match: Not available
iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Not available
Traffic Control
Device eth0:
qdisc mq 0: root
Sent 1346296381 bytes 11623838 pkt (dropped 0, overlimits 0 requeues 7)
rate 0bit 0pps backlog 0b 0p requeues 7
class mq :1 root
Sent 842127610 bytes 5697988 pkt (dropped 0, overlimits 0 requeues 1)
backlog 0b 0p requeues 1
class mq :2 root
Sent 504168771 bytes 5925850 pkt (dropped 0, overlimits 0 requeues 6)
backlog 0b 0p requeues 6
Device tun3:
qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
Sent 38445759 bytes 443154 pkt (dropped 0, overlimits 0 requeues 0)
rate 0bit 0pps backlog 0b 0p requeues 0
TC Filters
Device eth0:
Device tun3:
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
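
Added example, not part of the original post: a small POSIX shell check for the two things the message is concerned with, namely whether the SIP helper modules are really unloaded and how many seconds the tracked flows on the signalling port have left before netfilter expires them. Port 5060 and all sample lines are assumptions constructed for illustration; the input formats are those of /proc/modules and /proc/net/nf_conntrack.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# Print any SIP conntrack/NAT helper found in /proc/modules-style text on stdin.
sip_helpers_loaded() {
    awk '$1 == "nf_conntrack_sip" || $1 == "nf_nat_sip" { print $1 }'
}

# Print "proto seconds_left src dst" for every tracked flow that uses PORT,
# reading /proc/net/nf_conntrack-style text on stdin. Field 5 is the time
# left before the entry expires; the first src=/dst= pair is the original
# direction of the flow.
flows_on_port() {
    awk -v port="$1" '{
        src = ""; dst = ""; hit = 0
        for (i = 6; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if ($i == "sport=" port || $i == "dport=" port) hit = 1
        }
        if (hit) print $3, $5, src, dst
    }'
}

# Constructed samples (documentation addresses, made-up SIP module sizes).
SAMPLE_MODULES='nf_conntrack_sip 21420 1 nf_nat_sip
nf_nat_sip 7131 0
nf_conntrack_ftp 12913 1 nf_nat_ftp'
SAMPLE_CONNTRACK='ipv4     2 udp      17 175 src=192.0.2.10 dst=198.51.100.5 sport=5060 dport=5060 src=198.51.100.5 dst=192.0.2.10 sport=5060 dport=5060 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.9 sport=40022 dport=22 src=198.51.100.9 dst=192.0.2.10 sport=22 dport=40022 [ASSURED] mark=0 secmark=0 use=2'

# SIP_PORT=5060 is an assumption (the standard SIP port); the post names none.
SIP_PORT=${SIP_PORT:-5060}

# On a live firewall, read the real tables when they are readable (root).
if [ -r /proc/modules ]; then
    helpers=$(sip_helpers_loaded < /proc/modules)
    if [ -n "$helpers" ]; then echo "SIP helpers still loaded:" $helpers; fi
fi
if [ -r /proc/net/nf_conntrack ]; then
    flows_on_port "$SIP_PORT" < /proc/net/nf_conntrack
fi
```

Running it repeatedly during a call shows whether the signalling entry is still being refreshed as the 30-minute mark approaches.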