On 06/18/2017 12:04 PM, Ian Jones wrote:
> Hello. I have installed shorewall as a nat router for my Asterisk
> PBX on Debian 8.8 from the Debian package.
>
> shorewall version 4.6.4.3
>
> (I have replaced my public IP address with xx):
>
> ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eth-intern: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
>     link/ether 4c:cc:6a:24:8f:be brd ff:ff:ff:ff:ff:ff
>     inet 192.168.71.30/24 brd 192.168.71.255 scope global eth-intern
>        valid_lft forever preferred_lft forever
>     inet6 fe80::4ecc:6aff:fe24:8fbe/64 scope link
>        valid_lft forever preferred_lft forever
> 3: eth-ext1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
>     link/ether 00:26:55:d4:a5:f4 brd ff:ff:ff:ff:ff:ff
> 4: eth-ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP group default qlen 1000
>     link/ether 00:26:55:d4:a5:f5 brd ff:ff:ff:ff:ff:ff
>     inet xx.xx.xx.xx/29 brd xx.xx.xx.xx scope global eth-ext0
>        valid_lft forever preferred_lft forever
>     inet6 ::xxx:xxx:xxx:xxx/64 scope global mngtmpaddr dynamic
>        valid_lft 3598sec preferred_lft 3598sec
>     inet6 xxx::xxx:xxx:xxx:xxx/64 scope link
>        valid_lft forever preferred_lft forever
>
> ip route show
> default via xx.xx.xx.xx dev eth-ext0
> 10.0.0.0/8 via 192.168.71.6 dev eth-intern
> xx.xx.xx.xx/29 dev eth-ext0 proto kernel scope link src xx.xx.xx.xx
> 192.168.71.0/24 dev eth-intern proto kernel scope link src 192.168.71.30
>
> Shorewall is running on 192.168.71.30, and Asterisk on 192.168.71.8.
> So, in rules I have:
>
> # sip
> SIP(DNAT)  net  loc:192.168.71.8:5060         udp  5060
> SIP(DNAT)  net  loc:192.168.71.8:5060         tcp  5060
> # rtp
> DNAT       net  loc:192.168.71.8:10000-10020  udp  10000:10020
> # stun
> DNAT       net  loc:192.168.71.8:3478         udp  3478
> # iax2
> DNAT       net  loc:192.168.71.8:4569         udp  4569
>
> This all works fine - for a few hours! Then all the external
> Asterisk peers become unreachable and remain so. I can also
> reproduce the problem by restarting Asterisk, or by reloading
> sip.conf. I can remedy the problem by stopping the external
> interface for a couple of minutes, then restarting it. The Asterisk
> peers become reachable again and all is well, for a few hours.
>
> There is no problem with IAX, the IAX peers remain reachable.
>
> I also have a Cisco DSL router, and when I route all the Asterisk
> traffic through that, it works fine and everything is very stable
> with the same Asterisk configuration, so it seems to be a problem
> with the shorewall router. I have tried turning off the sip helper
> by setting AUTOHELPERS=No and
> DONT_LOAD=nf_nat_sip,nf_conntrack_sip, but that didn't help.
>
> Any help appreciated!
Any sort of Shorewall configuration issue would show up more or less immediately, not after several hours. Have you looked at the eth-eth0 stats when this problem occurs (ip -s link ls dev eth-eth0)? Also, check your log for messages indicating that the conntrack table is full.

If those tips don't help, capture a 'shorewall dump' the next time this occurs and forward it to me; I'll see if I can see anything that would help pin this down.

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
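The three checks suggested in the reply (interface drop counters, a full conntrack table, kernel "table full" messages) can be scripted so they are run on a schedule rather than by hand. The helper below is an added example, not part of Shorewall or of either poster's message; it assumes a Linux netfilter host exposing /proc/sys/net/netfilter, and the `ip -s link` output and log lines it is fed here are constructed samples.

```shell
#!/bin/sh
# Added diagnostic helper (not Shorewall's own code) for the checks in the
# reply above. Assumes a Linux router with nf_conntrack loaded; the sample
# command output and log lines below are constructed, not captured.

# Parse `ip -s link ls dev <iface>` output on stdin; print "rx_dropped tx_dropped".
# The "dropped" column is the 4th field of the line following each RX:/TX: header.
link_drops() {
    awk '/^ *RX:/ { getline; rx = $4 }
         /^ *TX:/ { getline; tx = $4 }
         END { print rx + 0, tx + 0 }'
}

# Count kernel log lines (stdin) reporting a full conntrack table.
conntrack_full_events() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Conntrack usage as an integer percentage, given current count and max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Live check on the router: warn when usage is above 90% of nf_conntrack_max.
conntrack_status() {
    count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count/$max entries ($pct%)"
    [ "$pct" -gt 90 ] && echo "WARNING: conntrack table nearly full"
    return 0
}

# Constructed sample data standing in for the real command output.
SAMPLE_LINK='4: eth-ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP
    link/ether 00:26:55:d4:a5:f5 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    1234567    8910     0       12      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    7654321    5432     0       3       0       0'
SAMPLE_LOG='Jun 18 11:50:01 router kernel: nf_conntrack: table full, dropping packet
Jun 18 11:50:02 router kernel: nf_conntrack: table full, dropping packet
Jun 18 11:50:03 router shorewall[1234]: Shorewall restarted'

# Usage against the samples; on the live router use
# `ip -s link ls dev eth-ext0 | link_drops`, `journalctl -k | conntrack_full_events`
# and `conntrack_status` instead.
printf '%s\n' "$SAMPLE_LINK" | link_drops
printf '%s\n' "$SAMPLE_LOG" | conntrack_full_events
```

A rising RX/TX "dropped" count or any "table full" event while the SIP peers are unreachable points at the host, not the rules file, which is the distinction the reply draws.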
