On Thu, 2008-05-01 at 16:53 -0700, Steven Kath wrote:
> > There's only one line in my script that uses SIP:
> >
> > grep SIP firewall-masq
> > $IPT -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix "SIP-BEFORE: "
> >
> > And it's run first:
> >
> > sh -x firewall-masq
> > + IPT=/sbin/iptables
> > + /sbin/iptables -F
> > + /sbin/iptables -X
> > + /sbin/iptables -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix 'SIP-BEFORE: '
> > ...........
> >
> > I don't really understand this output:
> >
> > iptables -L -n -v -t nat | grep SIP
> >     2   262 LOG  udp  --  *         *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
> >  144K   24M LOG  udp  --  *         *  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix `SIP-BEFORE: '
> > 41816 5117K LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4 prefix `SIP-BEFORE: '
> >     0     0 LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
> >     0     0 LOG  udp  --  external  *  0.0.0.0/0  0.0.0.0/0  udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
> ...
>
> It looks like your nat table isn't getting flushed.
>
> Have you tried running 'iptables -t nat -F' before firewall-masq or adding
> that to the start of the script?

Yeah, I think that you really need to flush the NAT table beforehand. In this
case you can see that the second and third rules in your NAT table are logging
every UDP packet (you can see that by the first and second columns:
packets/bytes).

Regards,
--
Diego Evaristo de Lacerda (diegolacerda@xxxxxxxxx)
Project Analyst
LPIC Level III & Redhat Certified Engineer & Cisco Certified Network Associate
URL: conectado.motime.com
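The point both replies make is that `iptables -F` and `iptables -X` without `-t` only touch the filter table, so every re-run of firewall-masq appends another copy of the LOG rule to nat PREROUTING while the old ones keep matching. The script below is an added example (not Steven's firewall-masq, not from this thread): it flushes each table explicitly and then refuses to load rules until nat PREROUTING is verifiably empty. The IPT and TABLES variables, the fake_iptables stub and its listing (constructed to look like the stale table in the thread) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: flush every iptables table before
# re-loading rules, then verify the nat table really is empty.
# "iptables -F" and "iptables -X" without "-t" act on the filter table only,
# so rules appended to nat on a previous run survive and pile up.
# Assumptions: IPT points at iptables (override with a stub to dry-run) and
# TABLES lists the tables to clear (raw/security exist only on newer kernels).
IPT="${IPT:-/sbin/iptables}"
TABLES="${TABLES:-filter nat mangle}"

# Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z)
# in each table, not just the default filter table.
flush_all_tables() {
    for t in $TABLES; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
        "$IPT" -t "$t" -Z
    done
}

# Number of rules in one chain, read from "iptables -t TABLE -L CHAIN -n -v"
# output on stdin: skip the "Chain ..." line and the column header, count
# the remaining non-empty lines.
count_rules() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# True only if nat PREROUTING holds no rules after the flush.
check_nat_prerouting_empty() {
    n=$("$IPT" -t nat -L PREROUTING -n -v | count_rules)
    [ "$n" -eq 0 ]
}

# Dry-run stub (hypothetical): echoes what would be run and, for a listing
# request, prints a constructed PREROUTING table shaped like the stale one
# in the thread, so the check's failure path can be exercised without root.
fake_iptables() {
    echo "iptables $*" >&2
    case "$*" in
    *-L*PREROUTING*)
        cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   262 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
 144K   24M LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `SIP-BEFORE: '
EOF
        ;;
    esac
}

# Usage: sh flush-then-load.sh apply     (as root, real iptables)
#        sh flush-then-load.sh dry-run   (uses the stub above)
case "${1:-}" in
dry-run|apply)
    [ "$1" = dry-run ] && IPT=fake_iptables
    flush_all_tables
    if check_nat_prerouting_empty; then
        echo "nat PREROUTING is empty; safe to append the SIP LOG rule"
    else
        echo "nat PREROUTING still has rules; refusing to load" >&2
        exit 1
    fi
    ;;
esac
```

In the dry run the stub's listing still shows two rules, so the script stops with "refusing to load"; against a real kernel, after the per-table flush, the check passes and the rest of the script can append its rules to an empty PREROUTING chain. Keeping the verification in the script is what turns "I think the nat table isn't getting flushed" into something the script asserts on every run.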