Diego Lacerda wrote:
On Thu, 2008-05-01 at 16:53 -0700, Steven Kath wrote:
There's only one line in my script that uses SIP:
grep SIP firewall-masq
$IPT -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix "SIP-BEFORE: "
And it's run first:
sh -x firewall-masq
+ IPT=/sbin/iptables
+ /sbin/iptables -F
+ /sbin/iptables -X
+ /sbin/iptables -t nat -A PREROUTING -i external -p udp --dport 5060 -j LOG --log-prefix 'SIP-BEFORE: '
...........
I don't really understand this output:
iptables -L -n -v -t nat | grep SIP
    2   262 LOG  udp  --  *         *   0.0.0.0/0   0.0.0.0/0   udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
 144K   24M LOG  udp  --  *         *   0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 4 prefix `SIP-BEFORE: '
41816 5117K LOG  udp  --  external  *   0.0.0.0/0   0.0.0.0/0   LOG flags 0 level 4 prefix `SIP-BEFORE: '
    0     0 LOG  udp  --  external  *   0.0.0.0/0   0.0.0.0/0   udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
    0     0 LOG  udp  --  external  *   0.0.0.0/0   0.0.0.0/0   udp dpt:5060 LOG flags 0 level 4 prefix `SIP-BEFORE: '
...
It looks like your nat table isn't getting flushed.
Have you tried running 'iptables -t nat -F' before firewall-masq or adding
that to the start of the script?
Yeah,
I think that you really need to flush the NAT table before.
In this case you can see that the second and third rules in your NAT table are logging every UDP packet (you can see that by the first and second columns: packets/bytes).
Regards,
Wow. That worked.
I always thought iptables -F flushed all the tables. Is there a command
that does flush all the tables? Cleans the slate completely?
sean
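As an added example (not from any poster in this thread): `iptables -F` with no `-t` only touches the filter table, so a "clean slate" has to walk every table the kernel has loaded. This script assumes `IPT` points at the iptables binary, takes the table list from /proc/net/ip_tables_names (or the `IPT_TABLES` variable, or the four standard tables), and resets the filter table's built-in policies to ACCEPT; run it as root.

```sh
#!/bin/sh
# Clean-slate reset for iptables: flush rules, drop user chains and zero
# counters in every table, not just filter. Assumptions: IPT is the iptables
# binary; IPT_TABLES may override the table list (handy for dry runs).
IPT="${IPT:-/sbin/iptables}"

# Tables currently loaded in the kernel, falling back to the standard four.
list_tables() {
    if [ -n "${IPT_TABLES:-}" ]; then
        printf '%s\n' $IPT_TABLES
    elif [ -s /proc/net/ip_tables_names ]; then
        cat /proc/net/ip_tables_names
    else
        printf '%s\n' filter nat mangle raw
    fi
}

# Flush rules (-F), delete user-defined chains (-X) and zero counters (-Z)
# in one table. -F alone leaves user chains and counters in place.
flush_table() {
    t="$1"
    "$IPT" -t "$t" -F || return 1
    "$IPT" -t "$t" -X || return 1
    "$IPT" -t "$t" -Z || return 1
}

# Only the filter table's built-in chains normally carry DROP policies;
# reset them so a flushed firewall is open rather than blackholed.
reset_filter_policies() {
    for c in INPUT FORWARD OUTPUT; do
        "$IPT" -t filter -P "$c" ACCEPT || return 1
    done
}

# Walk every table, then reset policies. Returns non-zero on the first failure.
flush_all_tables() {
    for t in $(list_tables); do
        flush_table "$t" || return 1
    done
    reset_filter_policies
}
```

Because the host is wide open between the flush and the script that rebuilds the rules, run both from the console or in the same script invocation rather than interactively over a remote session.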
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html