My VoIP provider recently split their server pool from one server to a pool of servers. My iptables rules (particularly the conntracking ones) stopped working; my rules were:

root@vfwacpn1:~# iptables -vnL -t raw
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  118 81333 CT         udp  --  ens18  *       10.172.0.0/21        0.0.0.0/0            match-set sip.messagenet.it_a dst multiport dports 5060,5061 CT helper sip
[...]

where 'sip.messagenet.it_a' is a set (ipset) with the IP of sip.messagenet.it inside.

In this way, a typical SIP session was:

root@vfwacpn1:/etc/network# tshark -ni ens18 -f 'host 10.172.1.7'
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens18'
    1 0.000000000 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
    2 5.175179711 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 Who has 10.172.1.7? Tell 10.172.1.254
    3 5.175692973 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 10.172.1.7 is at 9a:67:e6:c4:1f:ee
    4 11.790186903 10.172.1.7 → 212.97.59.76 SIP 604 Request: OPTIONS sip:sip.messagenet.it |
    5 11.809489686 212.97.59.76 → 10.172.1.7   SIP 666 Status: 200 OK |
    6 15.786333503 212.97.59.76 → 10.172.1.7   SIP/SDP 1326 Request: INVITE sip:202@10.172.1.7:5061 |
    7 15.789126709 10.172.1.7 → 212.97.59.76 SIP 812 Status: 100 Trying |
    8 15.944411484 10.172.1.7 → 212.97.59.76 SIP 828 Status: 180 Ringing |
    9 16.910168496 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 Who has 10.172.1.254? Tell 10.172.1.7
   10 16.910202553 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 10.172.1.254 is at 92:68:28:81:1e:9e
   11 25.103626405 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
   12 41.793771381 10.172.1.7 → 212.97.59.76 SIP 764 Request: REGISTER sip:sip.messagenet.it:5061 (1 binding) |
   13 41.813853175 212.97.59.76 → 10.172.1.7   SIP 732 Status: 200 OK (1 binding) |
   14 45.926054588 10.172.1.7 → 212.97.59.76 SIP/SDP 1235 Status: 200 OK |
   15 45.953153763 212.97.59.76 → 10.172.1.7   SIP 652 Request: ACK sip:202@10.172.1.7:5061 |
   16 46.428107261 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27010, Time=160, Mark
   17 46.428260850 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   18 46.448437789 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27011, Time=320
   19 46.448571326 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   20 46.468450353 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27012, Time=480
   21 46.468561938 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   22 46.488464348 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27013, Time=640
   23 46.488576021 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   24 46.508439908 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27014, Time=800
   25 46.508545271 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   26 46.528491436 10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27015, Time=960
   27 46.528580081 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)

Note the SIP traffic to 212.97.59.76, AKA sip.messagenet.it, and the RTP traffic to 193.227.104.40.
I've looked at the conntrack SIP helper options:

root@vfwacpn1:~# modinfo nf_conntrack_sip
filename:       /lib/modules/4.19.0-17-amd64/kernel/net/netfilter/nf_conntrack_sip.ko
alias:          nfct-helper-sip
alias:          ip_conntrack_sip
description:    SIP connection tracking helper
author:         Christian Hentschel <chentschel@xxxxxxxxxxxx>
[...]
parm:           ports:port numbers of SIP servers (array of ushort)
parm:           sip_timeout:timeout for the master SIP session (uint)
parm:           sip_direct_signalling:expect incoming calls from registrar only (default 1) (int)
parm:           sip_direct_media:Expect Media streams between signalling endpoints only (default 1) (int)

and it seems that 'sip_direct_signalling' and 'sip_direct_media', if relaxed (set to 0), could be a solution. But I've looked for some documentation on the SIP conntrack module and found nothing.

Does someone here have some feedback? Thanks.

-- 
dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
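The following is an added example and is not code from Marco's post or from the netfilter project. With sip_direct_media at its default of 1, nf_conntrack_sip only creates an RTP/RTCP expectation when the media address carried in the SDP is the same address the signalling came from, which is exactly what a provider's separate media server (193.227.104.40 here, versus 212.97.59.76 for signalling) breaks; with sip_direct_media=0 the expectation is created with the SDP media address as destination and no constraint on the source address. The script below keeps the raw CT rule from the post, sets the module option persistently, and accepts only the media flows the helper predicted (`-m conntrack --ctstate RELATED -m helper --helper sip`) rather than opening a UDP port range. Interface, LAN prefix and set name are taken from the post; the modprobe.d file name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates an
# iptables-restore ruleset that binds the SIP helper to the provider's address
# set (as in the post) and admits only helper-predicted RTP/RTCP flows.
# From the post: ens18, 10.172.0.0/21, sip.messagenet.it_a.
# Assumed: the modprobe.d file name.

LAN_IF=ens18
LAN_NET=10.172.0.0/21
SIP_SET=sip.messagenet.it_a
MODPROBE_CONF=/etc/modprobe.d/nf_conntrack_sip.conf   # assumed path

# Module options. sip_direct_media=0 lets the helper expect media on an SDP
# address that differs from the signalling address. sip_direct_signalling is
# left at 1 so incoming INVITEs are only expected from the registrar the phone
# actually REGISTERed with (a wildcard there would admit INVITEs from anyone).
modprobe_conf() {
    printf 'options nf_conntrack_sip sip_direct_media=0 sip_direct_signalling=1\n'
}

# Current value of a module parameter, or "absent" if the module is not loaded.
sip_param() {
    f="/sys/module/nf_conntrack_sip/parameters/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Ruleset in iptables-restore format. The raw CT rule mirrors the one in the
# post; the filter rules accept signalling to the set and, for media, only
# connections that are RELATED to a conntrack entry using the sip helper.
build_rules() {
    cat <<EOF
*raw
-A PREROUTING -i $LAN_IF -s $LAN_NET -p udp -m set --match-set $SIP_SET dst -m multiport --dports 5060,5061 -j CT --helper sip
COMMIT
*filter
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -p udp -m set --match-set $SIP_SET dst -m multiport --dports 5060,5061 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
COMMIT
EOF
}

# Parse the ruleset with iptables' own parser without committing it
# (needs root and the xt modules available).
check_rules() {
    build_rules | iptables-restore --test --noflush
}

# Install everything. Run only after reviewing build_rules output; every
# signalling server of the provider's pool must be passed as an argument,
# otherwise the raw rule never assigns the helper for that server.
apply() {
    modprobe_conf > "$MODPROBE_CONF"
    ipset create "$SIP_SET" hash:ip -exist
    for ip in "$@"; do ipset add "$SIP_SET" "$ip" -exist; done
    check_rules && build_rules | iptables-restore --noflush
}

# Usage: sh sip-helper-rules.sh apply 212.97.59.76 <other pool members...>
if [ "${1:-}" = apply ]; then shift; apply "$@"; fi
```

Two caveats follow from the semantics above. First, the new module option only takes effect when nf_conntrack_sip is (re)loaded, so check `sip_param sip_direct_media` after a reboot or `rmmod`/`modprobe` cycle. Second, because the relaxed expectation carries no source address, any Internet host that guesses the phone's RTP port while a call is being set up will match the RELATED rule; if the provider publishes its media address range, add `-s <range>` to that rule, and keep sip_direct_signalling at 1 so the same relaxation does not extend to incoming INVITEs.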