On Wed, Jul 01, 2009 at 05:05:49PM +0200, Patrick McHardy wrote:
>> I tried this. Actually, it makes things worse. Now Asterisk
>> complains:
>>
>> [Jul 1 16:17:46] WARNING[20516]: chan_sip.c:1787 __sip_xmit:
>> sip_xmit of 0x86f8de0 (len 384) to 217.10.79.9:5060 returned -1:
>> Operation not permitted
>>
>> (Trying to register with sipgate.de; registration in parallel
>> with tel.lu seems to work)
>
> sipgate needs sip_direct_media=0 since the RTP streams originate from
> a separate cluster.

I loaded the module with sip_direct_signalling=0 and sip_direct_media=0
to get these messages.

> Did you load the NAT module before the conntrack module?

I did not load the nat modules at all. As said, I am only interested in
dynamically accepting the rtp streams.

>> nf_conntrack_sip without options on a trial incoming call however gives:
>>
>> # conntrack -E expect
>> 180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7070
>> 180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7071

Also for tel.lu the expected IP should be 85.93.219.122.

BTW, it seems that combining an SER for handling the sip part with an
asterisk for the dial-in part is common. Here it means the RTP stream is
typically coming from a different IP than the register endpoint.

> Besides the direct_media option, I assume you're accepting EXPECTED
> and RELATED packets?

No, only RELATED. I repeat the line:

-A checkblock -m state --state RELATED,ESTABLISHED -j RETURN

Man page says:

RELATED meaning that the packet is starting a new connection, but is
associated with an existing connection, such as an FTP data transfer,
or an ICMP error.

As it works for ftp connection tracking, I'd assume it should also work
for sip connection tracking.

For reference, again the complete iptables:

# Generated by iptables-save v1.4.3.2 on Wed Jul 1 13:26:32 2009
*nat
:PREROUTING ACCEPT [1385:93589]
:POSTROUTING ACCEPT [319:26979]
:OUTPUT ACCEPT [5114:401834]
-A PREROUTING ! -i ppp0 -p udp -m udp --dport 5060 -j REDIRECT
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Jul 1 13:26:32 2009
# Generated by iptables-save v1.4.3.2 on Wed Jul 1 13:26:32 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [32081:6020561]
:blocknlog - [0:0]
:checkblock - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -i ppp0 -p tcp -m multiport --dports 22,25,53,80,443,993 -j ACCEPT
-A INPUT -i ppp0 -p udp -m multiport --dports 53,123,5060 -j ACCEPT
-A INPUT -s 212.88.128.10/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 212.224.0.188/32 -i ppp0 -p ipv6 -j ACCEPT
-A INPUT -s 192.88.99.1/32 -i ppp0 -p ipv6 -j ACCEPT
-A INPUT -j checkblock
-A INPUT -j ACCEPT
-A FORWARD -j checkblock
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -j ACCEPT
-A blocknlog -m limit --limit 1/sec -j LOG --log-prefix "Bad Packet: " --log-level 5
-A blocknlog -j REJECT --reject-with icmp-net-prohibited
-A checkblock -m state --state RELATED,ESTABLISHED -j RETURN
-A checkblock -m state --state INVALID -j LOG --log-prefix "Invalid match: " --log-level 5
-A checkblock ! -i ppp0 -j RETURN
-A checkblock -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j RETURN
-A checkblock -p udp -m limit --limit 1/min -m ttl --ttl-lt 3 -j blocknlog
COMMIT
# Completed on Wed Jul 1 13:26:32 2009

Bye, Joerg
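The core of the thread is what the two `conntrack -E expect` lines above actually promise: an RTP packet is only classified RELATED (and so only passes the `RELATED,ESTABLISHED -j RETURN` rule in checkblock) if it matches an expectation tuple, and the SIP helper wildcards the source port of its RTP expectations (printed as sport=0) but pins the source address to the signalling peer unless it runs with sip_direct_media=0, in which case the source address is wildcarded too. The script below is an added example, not code from the original post or from the netfilter project: it parses the quoted expect lines, models the two wildcard rules just described (the "source address wildcarded when sip_direct_media=0" part is an assumption about the helper stated here for the model; a real expect listing for that case would not print the signalling peer's address), and reports how a given UDP packet would be classified under each setting. The packets it checks are constructed for the example, using the addresses from the thread.

```python
"""Model nf_conntrack_sip RTP expectation matching against `conntrack -E expect` output.

Added example for the thread above; not part of the original post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the two expect lines quoted in the thread.
EXPECT_LINES = [
    "180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7070",
    "180 proto=17 src=85.93.219.114 dst=212.88.133.153 sport=0 dport=7071",
]

EXPECT_RE = re.compile(
    r"^\s*(?P<timeout>\d+)\s+proto=(?P<proto>\d+)\s+src=(?P<src>[0-9A-Fa-f.:]+)"
    r"\s+dst=(?P<dst>[0-9A-Fa-f.:]+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Expectation:
    timeout: int
    proto: int
    src: Optional[str]    # None means any source address (sip_direct_media=0 model)
    dst: str
    sport: Optional[int]  # None means any source port (printed as sport=0)
    dport: int


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int


def parse_expect_line(line: str, direct_media: bool = True) -> Expectation:
    """Parse one `conntrack -E expect` line into an Expectation.

    sport=0 is read as a wildcard source port, which is how the SIP helper
    registers RTP/RTCP expectations. With direct_media=False the source
    address is dropped as well (assumption: models sip_direct_media=0).
    """
    m = EXPECT_RE.match(line)
    if m is None:
        raise ValueError("not a conntrack expect line: %r" % line)
    sport = int(m["sport"]) or None
    src = m["src"] if direct_media else None
    return Expectation(int(m["timeout"]), int(m["proto"]), src,
                       m["dst"], sport, int(m["dport"]))


def matches(exp: Expectation, pkt: Packet) -> bool:
    """True if pkt falls inside the expectation tuple, honouring the wildcards."""
    return (exp.proto == pkt.proto
            and (exp.src is None or exp.src == pkt.src)
            and exp.dst == pkt.dst
            and (exp.sport is None or exp.sport == pkt.sport)
            and exp.dport == pkt.dport)


def classify(expectations: List[Expectation], pkt: Packet) -> str:
    """Conntrack state the first packet of a new flow would get: RELATED or NEW."""
    return "RELATED" if any(matches(e, pkt) for e in expectations) else "NEW"


def explain(lines: List[str], pkt: Packet) -> Dict[str, str]:
    """Classify pkt under both helper settings, e.g. {'sip_direct_media=1': 'NEW', ...}."""
    return {
        "sip_direct_media=1": classify([parse_expect_line(l, True) for l in lines], pkt),
        "sip_direct_media=0": classify([parse_expect_line(l, False) for l in lines], pkt),
    }


if __name__ == "__main__":
    # Constructed packets: RTP from the signalling peer, and RTP from the
    # address Joerg says the media actually comes from for tel.lu.
    same_host = Packet(17, "85.93.219.114", "212.88.133.153", 40000, 7070)
    other_host = Packet(17, "85.93.219.122", "212.88.133.153", 40000, 7070)
    for name, pkt in (("same host", same_host), ("other host", other_host)):
        print(name, explain(EXPECT_LINES, pkt))
```

Reading the result against the ruleset in the mail: a packet that comes back NEW never reaches the `RELATED,ESTABLISHED` RETURN in checkblock, so it is judged by the later rules instead; only a RELATED classification lets the RTP flow through without an explicit port rule.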