Hi Jim,

Huh. That's scary yet interesting. I dumped CentOS in favor of Debian for my Opensips/Mediaproxy adventures a while back because in many ways, things "just work better". I can't say I had these issues in CentOS, however. Both CentOS and Mediaproxy were at significantly older versions. Perhaps that's related.

On my Debian (lenny) relays, I restore the iptables rules from a file as a function of the interface (pre-up). Seems to work fairly well. Here's most of the iptables-save output from the relay. This matches the iptables.rules file I restore with the exception of the snipped parts and the counters:

# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*raw
:PREROUTING ACCEPT [24582234842:4809548355202]
:OUTPUT ACCEPT [154571950:31256363599]
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*nat
:PREROUTING ACCEPT [12968687:1476480376]
:POSTROUTING ACCEPT [1936336:370965482]
:OUTPUT ACCEPT [1936336:370965482]
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*mangle
:PREROUTING ACCEPT [24582237485:4809548896216]
:INPUT ACCEPT [203005278:39797729208]
:FORWARD ACCEPT [24379232207:4769751167008]
:OUTPUT ACCEPT [154572287:31256447734]
:POSTROUTING ACCEPT [24531204592:4800422567952]
-A POSTROUTING -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [24379232256:4769751176468]
:OUTPUT ACCEPT [151972385:30671400944]
[snip]
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
[snip]
-A INPUT -j DROP
COMMIT
# Completed on Thu Oct 20 12:56:50 2011

As far as I can tell that's rather straightforward. As you might suspect I declare 16384:32768 in the relay's config. I suspect there's nothing in there surprising to you.

- Jeff

On Oct 20, 2011, at 11:44 AM, JimDoesVoip wrote:

> Hi Jeff,
> Thanks. I looked at this earlier as well. I swapped the REJECT line out
> for a blanket ACCEPT with forwards and it didn't seem to have an effect. I
> keep wondering if there is something in raw that needs to be put in place
> based upon the messages from iptables as it exists. I took another look
> based on your note and I think I found something meaningful.
>
> iptables (at least on CentOS) appears to load different tables
> independently when you use the --list option. So I started a call with only
> the raw table loaded. No audio. I then stopped iptables and had audio. I
> then loaded filter and nat tables and each time still had audio. Then as
> the call was going I loaded the raw table, and the call still had audio. I
> stopped the call and started a new one: no audio. Unloaded the raw table;
> audio.
>
> # iptables -t raw --list
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> # /etc/init.d/iptables stop
> iptables: Flushing firewall rules: [ OK ]
> iptables: Setting chains to policy ACCEPT: raw [ OK ]
> iptables: Unloading modules: [ OK ]
> #
>
> So it feels likely that the raw part of my iptables config is blocking
> things. Perhaps, even though it says it is defaulting to ACCEPT, it is
> blocking packets from getting to conntrack rules set up by media-relay?
>
> Thanks,
>
> Jim
>
> Jeff Pyle wrote:
>>
>> Jim,
>>
>> One difference between my iptables setup and yours on my relay is I allow
>> the FORWARD to go, default policy ACCEPT. Perhaps this is relevant.
>>
>>
>> - Jeff
>>
>
> --
> View this message in context:
> http://opensips-open-sip-server.1449251.n2.nabble.com/media-relay-not-relaying-when-iptables-running-tp6911797p6913422.html
> Sent from the OpenSIPS - Users mailing list archive at Nabble.com.
>
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
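
An added example, not part of either poster's message: a small checker for an iptables.rules file in iptables-save format that reports the two filter-table points this thread compares, namely whether the relay's UDP port range is accepted on INPUT before the catch-all, and what the FORWARD policy is. The function names and both sample rule sets are constructed for illustration; it only recognises a single `--dport` ACCEPT rule and an unconditional DROP/REJECT.

```python
import re

# Constructed sample modelled on the filter table quoted above
# (counters zeroed, snipped rules omitted).
GOOD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
# Constructed counter-example: range too narrow, FORWARD policy DROP.
BAD = GOOD.replace("16384:32768", "16384:20000").replace("FORWARD ACCEPT", "FORWARD DROP")

def parse(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, spec)]}}."""
    tables, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif cur is not None and line.startswith("-A "):
            _, chain, spec = line.split(None, 2)
            cur["rules"].append((chain, spec))
    return tables

def check_relay(text, low, high):
    """List differences from the working relay for UDP ports low..high."""
    flt = parse(text).get("filter", {"policy": {}, "rules": []})
    problems = []
    # With no matching rule, the chain policy decides.
    covered = flt["policy"].get("INPUT") == "ACCEPT"
    for spec in (s for c, s in flt["rules"] if c == "INPUT"):
        m = re.search(r"-p udp\b.*--dport (\d+)(?::(\d+))? -j ACCEPT$", spec)
        if m and int(m[1]) <= low and int(m[2] or m[1]) >= high:
            covered = True
            break
        if re.fullmatch(r"-j (DROP|REJECT\b.*)", spec):
            covered = False  # unconditional catch-all reached first
            break
    if not covered:
        problems.append(f"INPUT does not accept udp {low}:{high} before the catch-all")
    # The working relay has FORWARD ACCEPT; reported as a difference, not a proven cause.
    if flt["policy"].get("FORWARD") != "ACCEPT":
        problems.append("FORWARD policy is not ACCEPT")
    return problems

if __name__ == "__main__":
    print(check_relay(GOOD, 16384, 32768), check_relay(BAD, 16384, 32768))
```

Pass the same low and high ports that are declared in the relay's config, so a mismatch between the two files shows up before a call is attempted.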
