Tom,
thanks for your help. See below.
On 18/06/2017 at 22:37, Tom Eastep wrote:
On 06/18/2017 12:04 PM, Ian Jones wrote:
Hello. I have installed shorewall as a nat router for my Asterisk
PBX on Debian 8.8 from the Debian package.
shorewall version 4.6.4.3
(I have replaced my public IP address with xx):
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth-intern: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 4c:cc:6a:24:8f:be brd ff:ff:ff:ff:ff:ff
    inet 192.168.71.30/24 brd 192.168.71.255 scope global eth-intern
       valid_lft forever preferred_lft forever
    inet6 fe80::4ecc:6aff:fe24:8fbe/64 scope link
       valid_lft forever preferred_lft forever
3: eth-ext1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:26:55:d4:a5:f4 brd ff:ff:ff:ff:ff:ff
4: eth-ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP group default qlen 1000
    link/ether 00:26:55:d4:a5:f5 brd ff:ff:ff:ff:ff:ff
    inet xx.xx.xx.xx/29 brd xx.xx.xx.xx scope global eth-ext0
       valid_lft forever preferred_lft forever
    inet6 ::xxx:xxx:xxx:xxx/64 scope global mngtmpaddr dynamic
       valid_lft 3598sec preferred_lft 3598sec
    inet6 xxx::xxx:xxx:xxx:xxx/64 scope link
       valid_lft forever preferred_lft forever

ip route show
default via xx.xx.xx.xx dev eth-ext0
10.0.0.0/8 via 192.168.71.6 dev eth-intern
xx.xx.xx.xx/29 dev eth-ext0 proto kernel scope link src xx.xx.xx.xx
192.168.71.0/24 dev eth-intern proto kernel scope link src 192.168.71.30
Shorewall is running on 192.168.71.30, and Asterisk on
192.168.71.8. So, in rules I have:
# sip
SIP(DNAT)   net   loc:192.168.71.8:5060          udp   5060
SIP(DNAT)   net   loc:192.168.71.8:5060          tcp   5060
# rtp
DNAT        net   loc:192.168.71.8:10000-10020   udp   10000:10020
# stun
DNAT        net   loc:192.168.71.8:3478          udp   3478
# iax2
DNAT        net   loc:192.168.71.8:4569          udp   4569
This all works fine - for a few hours! Then all the external
Asterisk peers become unreachable and remain so. I can also
reproduce the problem by restarting Asterisk, or by reloading
sip.conf. I can remedy the problem by stopping the external
interface for a couple of minutes, then restarting it. The Asterisk
peers become reachable again and all is well, for a few hours.
There is no problem with IAX, the IAX peers remain reachable.
I also have a Cisco DSL router, and when I route all the Asterisk
traffic through that, it works fine and everything is very stable
with the same Asterisk configuration, so it seems to be a problem
with the shorewall router. I have tried turning off the sip helper
by setting AUTOHELPERS=No and
DONT_LOAD=nf_nat_sip,nf_conntrack_sip, but that didn't help.
Any help appreciated!
Any sort of Shorewall configuration issue would show up more or less
immediately, not after several hours.
It's easy to reproduce - I just have to restart Asterisk.
Have you looked at the eth-ext0 stats when this problem occurs (ip -s
link ls dev eth-ext0)? Also, check your log for messages indicating
that the conntrack table is full.
ip -s link ls dev eth-ext0
4: eth-ext0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
    link/ether 00:26:55:d4:a5:f5 brd ff:ff:ff:ff:ff:ff
    RX: bytes     packets  errors  dropped  overrun  mcast
    57773389      108860   0       0        0        7873
    TX: bytes     packets  errors  dropped  carrier  collsns
    28459124      92927    0       0        0        0
There's nothing in 'shorewall show log' other than dropped packets (none
from the external peers).
If those tips don't help, capture a 'shorewall dump' the next time
this occurs and forward it to me; I'll see if I can see anything that
would help pin this down.
Many thanks - I'm sending the dump to you separately.
Regards
Ian
-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
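The two checks Tom suggests, whether the conntrack table is saturated and whether the kernel has logged that it is full, written out as an added shell example. This is not code from the thread or from Shorewall; it assumes the standard /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max counters, the kernel's "nf_conntrack: table full, dropping packet" message text, and a 90% occupancy threshold chosen here as a warning level. The sample log lines and the fallback counter values are constructed so the script runs on a host where nf_conntrack is not loaded.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): check for a
# saturated conntrack table, the condition Tom asks about, from the
# live counters when available, and scan kernel log text for the
# "table full" message. Sample values and log lines are constructed.

# Percentage of the conntrack table in use, given current count and max.
conntrack_usage_pct() {
    _count=$1
    _max=$2
    [ "$_max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( _count * 100 / _max ))
}

# Print "<count> <max>" from the live kernel counters if nf_conntrack is
# loaded on this host; otherwise print constructed sample values.
conntrack_live_or_sample() {
    _dir=/proc/sys/net/netfilter
    if [ -r "$_dir/nf_conntrack_count" ] && [ -r "$_dir/nf_conntrack_max" ]; then
        echo "$(cat "$_dir/nf_conntrack_count") $(cat "$_dir/nf_conntrack_max")"
    else
        echo "60000 65536"   # constructed sample: about 91% full
    fi
}

# Count, in the log text on stdin, the message nf_conntrack logs when it
# drops a packet because the table is full. 'grep -c' exits 1 on zero
# matches, so '|| true' keeps the count usable under 'set -e'.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Verdict: any "table full" message, or occupancy at or above the
# assumed 90% threshold, marks the table as a suspect for lost peers.
conntrack_verdict() {
    _pct=$1
    _full=$2
    if [ "$_full" -gt 0 ] || [ "$_pct" -ge 90 ]; then
        echo "SUSPECT"
    else
        echo "OK"
    fi
}

# Constructed sample of what 'dmesg' or /var/log/kern.log might contain;
# the last line is the shape of a Shorewall DROP log entry.
SAMPLE_LOG='Jun 18 21:05:12 gw kernel: nf_conntrack: table full, dropping packet
Jun 18 21:05:12 gw kernel: nf_conntrack: table full, dropping packet
Jun 18 21:05:13 gw kernel: Shorewall:net2fw:DROP:IN=eth-ext0 OUT= SRC=203.0.113.9'

# Usage: run the checks and print one summary line.
set -- $(conntrack_live_or_sample)
PCT=$(conntrack_usage_pct "$1" "$2")
FULL=$(printf '%s\n' "$SAMPLE_LOG" | count_table_full)
echo "conntrack: $1/$2 entries (${PCT}%), 'table full' messages: $FULL -> $(conntrack_verdict "$PCT" "$FULL")"
```

On the actual router, feed it real log text (for example `dmesg | count_table_full`, or the kernel log Shorewall's `shorewall show log` reads from) rather than the constructed sample; if the table is genuinely full, raising nf_conntrack_max is the usual remedy, but a table that is nowhere near full points the investigation elsewhere.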
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users