I had those modules disabled. My thoughts are, since both boxes are in the same LAN, how can I rewrite the packets to be sent via eth1? That is, from proxy's eth0 to other box eth1 to be redirected via its eth1 interface.
Secondly, is there a way to track what's happening to the packets in iptables? Sort of a trace?

> On 14 May 2015, at 23:44, Lee Brown <[email protected]> wrote:
>
>> On Thu, May 14, 2015 at 3:28 PM, Eric Koome <[email protected]> wrote:
>> Hi all,
>>
>> I have two servers with public and private IP address running a sip proxy on
>> eth0 and asterisk box on eth1. Each box is running Shorewall 4.5.21. Making
>> calls within a server is fine but I would like the sip proxy to also use
>> asterisk box on the other machine for load balancing.
>>
>> However for some reason calls and qualify OPTIONS packets are not being
>> passed over asterisk box to the other sip proxy based on tcpdump and ngrep.
>> I suspect my masquerade rules are to blame but after countless tweaking,
>> this is failing me.
>>
>> Scenario (addresses have been scrambled)
>>                       OPTIONS (qualify=yes)
>> BOX 1   Asterisk  ----------------> Sip Proxy
>>         10.131.45.56 :5060          178.89.67.12:5060
>>                       OPTIONS
>> BOX 2   Sip proxy ----------------> Asterisk
>>         178.89.67.12:5060           10.131.45.56 :5060
>>
>> These packets are not being answered with 200 OK.
>>
>>
>> This is what I have in my configs:
>> rules
>> ACCEPT    net    $FW    udp    5060    <------- Accept sip requests to sip proxy
>>
>> Policy
>> loc    net    ACCEPT
>> $FW    net    ACCEPT
>> loc    $FW    ACCEPT
>> $FW    loc    ACCEPT
>> net    all    DROP      info
>> all    all    REJECT    info
>>
>> masq
>> BOX 1
>> INTERFACE:DEST       SOURCE          ADDRESS  PROTO  PORT(S)  IPSEC  MARK  USER/  SWITCH  ORIGINAL
>> #                                                                          GROUP          DEST
>> eth0:178.89.67.12    10.131.45.56    -        udp    5060     <------- asterisk to proxy through eth0
>>
>> BOX 2
>> INTERFACE:DEST       SOURCE          ADDRESS  PROTO  PORT(S)  IPSEC  MARK  USER/  SWITCH  ORIGINAL
>> #                                                                          GROUP          DEST
>> eth1:10.131.45.56    178.89.67.12    -        udp    5060     <-------- proxy to asterisk through eth1
>>
>> What am I missing?
>>
>> Eric
>
> Eric,
>
> On my CentOS 6.4 box (2.6.32-358.14.1.el6.x86_64) I found that
> nf_conntrack_sip and nf_nat_sip caused problems with sip traffic
> (silently dropping traffic) and I run without them. I was getting
> random non connection issues (failed registration) before I removed
> those modules.
> CentOS tends to ship with older, sometimes incomplete modules so YMMV.
> I don't have a proxy in my configuration.
>
> Hope that helps,
> Lee

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
