nf_conntrack_sip problem

Hello,

I have some problems understanding nf_conntrack_sip. I want to
use it to avoid having static entries for the RTP stream, as IMHO
those should be caught by a RELATED rule when nf_conntrack_sip
works properly.

I have a machine with a pppoe interface connected to the
internet, with asterisk running on it, and a small local network
behind it on eth1, where I want to force sip traffic going
through the local asterisk.

Unfortunately it doesn't work as expected. I use vanilla kernel
2.6.30. My iptables rules that do not work look like this:

# Generated by iptables-save v1.4.3.2 on Wed Jul  1 13:26:32 2009
*nat
:PREROUTING ACCEPT [1385:93589]
:POSTROUTING ACCEPT [319:26979]
:OUTPUT ACCEPT [5114:401834]
-A PREROUTING ! -i ppp0 -p udp -m udp --dport 5060 -j REDIRECT 
-A POSTROUTING -o ppp0 -j MASQUERADE 
COMMIT
# Completed on Wed Jul  1 13:26:32 2009
# Generated by iptables-save v1.4.3.2 on Wed Jul  1 13:26:32 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [32081:6020561]
:blocknlog - [0:0]
:checkblock - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT 
-A INPUT -i ppp0 -p tcp -m multiport --dports 22,25,53,80,443,993 -j ACCEPT 
-A INPUT -i ppp0 -p udp -m multiport --dports 53,123,5060 -j ACCEPT 
-A INPUT -s 212.88.128.10/32 -p udp -m udp --sport 53 -j ACCEPT 
-A INPUT -s 212.224.0.188/32 -i ppp0 -p ipv6 -j ACCEPT 
-A INPUT -s 192.88.99.1/32 -i ppp0 -p ipv6 -j ACCEPT 
-A INPUT -j checkblock 
-A INPUT -j ACCEPT 
-A FORWARD -j checkblock 
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -j ACCEPT 
-A blocknlog -m limit --limit 1/sec -j LOG --log-prefix "Bad Packet: " --log-level 5 
-A blocknlog -j REJECT --reject-with icmp-net-prohibited 
-A checkblock -m state --state RELATED,ESTABLISHED -j RETURN 
-A checkblock -m state --state INVALID -j LOG --log-prefix "Invalid match: " --log-level 5 
-A checkblock ! -i ppp0 -j RETURN 
-A checkblock -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN 
-A checkblock -p udp -m limit --limit 1/min -m ttl --ttl-lt 3 -j blocknlog 
COMMIT
# Completed on Wed Jul  1 13:26:32 2009

Maybe I am missing something obvious, but I'd appreciate a hint.
(yes, nf_conntrack_sip is loaded)

Bye,

Joerg
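One way to check from the conntrack table whether the helper is picking up the media, as an added example that is not part of Joerg's post: the script below parses the /proc/net/nf_conntrack line format (layer-3 and layer-4 protocol, timeout, then key=value pairs with the original tuple followed by the reply tuple) and lists the UDP flows between the same two hosts as a port-5060 signalling flow. The sample lines are constructed for the example, not taken from the poster's machine; the helper function names are this example's own.

```python
import re

# Constructed sample of /proc/net/nf_conntrack lines (not a capture from the
# poster's box): a SIP signalling flow from a LAN phone to the local asterisk,
# a high-port UDP flow between the same hosts (the media the SIP helper should
# have tracked), and an unrelated TCP session that must not be reported.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 179 src=192.168.0.20 dst=192.168.0.1 sport=5060 dport=5060 src=192.168.0.1 dst=192.168.0.20 sport=5060 dport=5060 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.0.20 dst=192.168.0.1 sport=10002 dport=14070 src=192.168.0.1 dst=192.168.0.20 sport=14070 dport=10002 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=192.168.0.1 sport=40122 dport=22 src=192.168.0.1 dst=192.168.0.20 sport=22 dport=40122 [ASSURED] mark=0 use=1
"""

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_conntrack_line(line):
    """Turn one /proc/net/nf_conntrack line into a dict.

    The original tuple appears first and the reply tuple second, both with
    src/dst/sport/dport keys, so the first occurrence of each key goes to
    'orig' and the second to 'reply'.  Bracketed words such as [ASSURED]
    or [UNREPLIED] are collected as flags.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    entry = {
        "l3proto": fields[0],
        "proto": fields[2],
        "timeout": int(fields[4]),
        "flags": re.findall(r"\[(\w+)\]", line),
        "orig": {},
        "reply": {},
        "meta": {},
    }
    for key, value in KEY_VALUE.findall(line):
        if key in TUPLE_KEYS:
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = value
        else:
            entry["meta"][key] = value
    return entry


def parse_conntrack(text):
    """Parse the whole table, skipping blank or malformed lines."""
    entries = (parse_conntrack_line(l) for l in text.splitlines())
    return [e for e in entries if e is not None]


def sip_flows(entries, port=5060):
    """UDP entries whose original tuple uses the SIP signalling port."""
    return [
        e for e in entries
        if e["proto"] == "udp"
        and port in (int(e["orig"]["sport"]), int(e["orig"]["dport"]))
    ]


def candidate_media_flows(entries, sip_entry):
    """Other UDP entries between the same two hosts as the signalling flow.

    When nf_conntrack_sip works, the RTP flow negotiated in the SDP shows up
    here as a normal conntrack entry once media starts; if it never appears
    while a call is up, conntrack did not see (or did not accept) the media.
    """
    hosts = {sip_entry["orig"]["src"], sip_entry["orig"]["dst"]}
    return [
        e for e in entries
        if e is not sip_entry
        and e["proto"] == "udp"
        and {e["orig"]["src"], e["orig"]["dst"]} == hosts
    ]


if __name__ == "__main__":
    # On the firewall itself, replace SAMPLE_CONNTRACK with
    # open("/proc/net/nf_conntrack").read() to inspect the live table.
    table = parse_conntrack(SAMPLE_CONNTRACK)
    for sip in sip_flows(table):
        print("signalling:", sip["orig"])
        for media in candidate_media_flows(table, sip):
            print("  media:", media["orig"], "flags:", media["flags"])
```

Read together with the "Invalid match:" LOG rule in the checkblock chain, this gives two views of the same problem: the table shows which media flows conntrack did create, and the log shows which packets arrived without a matching entry or expectation.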
