Re: conntrack helpers in kernel 4.7

Hi,

I can confirm that my telephone works again with the following rules:

# Generated by iptables-save v1.4.21 on Thu Aug 11 21:16:57 2016
*raw
:PREROUTING ACCEPT [47907:21288529]
:OUTPUT ACCEPT [475:103181]
[1308:89383] -A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
[8:479] -A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --sport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --dport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --dport 1:65535 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --dport 79 -m helper --helper tftp -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -m udp --sport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -m udp --dport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate ESTABLISHED -m udp --dport 1:65535 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED -m helper --helper sip -j ACCEPT
[507:46400] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[5:200] -A INPUT -m conntrack --ctstate INVALID -j DROP
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A FORWARD -i int181 -o int181 -j ACCEPT
[0:0] -A FORWARD -i int191 -o int191 -j ACCEPT
[0:0] -A FORWARD -i int182 -o int182 -j ACCEPT
[0:0] -A FORWARD -i int192 -o int192 -j ACCEPT
[0:0] -A FORWARD -i int183 -o int183 -j ACCEPT
[0:0] -A FORWARD -i int184 -o int184 -j ACCEPT
[0:0] -A FORWARD -i int185 -o int185 -j ACCEPT
[0:0] -A FORWARD -i int186 -o int186 -j ACCEPT
[0:0] -A FORWARD -i int187 -o int187 -j ACCEPT
[0:0] -A FORWARD -i int188 -o int188 -j ACCEPT
[0:0] -A FORWARD -i int189 -o int189 -j ACCEPT
[0:0] -A FORWARD -i per281 -o per281 -j ACCEPT
[0:0] -A FORWARD -i unt381 -o unt381 -j ACCEPT
[0:0] -A FORWARD -i unt382 -o unt382 -j ACCEPT
[0:0] -A FORWARD -i unt383 -o unt383 -j ACCEPT
[0:0] -A FORWARD -i int186 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FORWARD -i int187 -j REJECT --reject-with icmp-port-unreachable
[5:2139] -A FORWARD -d 192.168.181.161/32 -i int+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A FORWARD -d 192.168.251.12/32 -i int+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A FORWARD -d 192.168.251.9/32 -i int+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A FORWARD -d 192.168.251.53/32 -i int+ -p udp -m udp --sport 68 --dport 67 -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate RELATED -m udp --sport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate RELATED -m udp --dport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate RELATED -m udp --dport 1:65535 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate ESTABLISHED -m udp --sport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate ESTABLISHED -m udp --dport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate ESTABLISHED -m udp --dport 1:65535 -m helper --helper sip -j ACCEPT
[0:0] -A FORWARD -p udp -m conntrack --ctstate ESTABLISHED -m helper --helper sip -j ACCEPT
[44343:21048968] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[30:1464] -A FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A FORWARD -m state --state INVALID -j DROP
[1120:42740] -A FORWARD -i int185 -j int185in
[995:34560] -A int185in -s 192.168.185.250/32 -o unt+ -j ACCEPT
[0:0] -A int185in -o int181 -j ACCEPT
[0:0] -A int185in -o int191 -j ACCEPT
[0:0] -A int185in -o int182 -j ACCEPT
[0:0] -A int185in -o per281 -j ACCEPT
[125:8180] -A int185in -o unt381 -j ACCEPT
[0:0] -A int185in -o unt382 -j ACCEPT
[0:0] -A int185in -o unt383 -j ACCEPT

However, I am wondering why the counters in my helper match rules stay
at zero. I would expect them to count packets and bytes. Is this the
expected behavior?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
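As an added example (not code from Marc's message or from the netfilter project), a small Python audit that parses an iptables-save dump like the one above, lists `-m helper` rules whose packet counters are still zero, and flags helper names matched in the filter table that no raw-table `CT --helper` rule ever assigns, which matters since 4.7 no longer attaches helpers automatically by default. The sample dump is constructed from the rules above, trimmed, with one ftp rule added to show the unassigned case.

```python
import re

# Constructed sample: a trimmed copy of the iptables-save dump in the message
# above (counters kept), plus an ftp rule that no raw-table CT rule assigns.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [47907:21288529]
[1308:89383] -A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
[8:479] -A PREROUTING -p udp -m udp --dport 69 -j CT --helper tftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --sport 5060 -m helper --helper sip -j ACCEPT
[0:0] -A INPUT -p udp -m conntrack --ctstate RELATED -m udp --dport 79 -m helper --helper tftp -j ACCEPT
[507:46400] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:210] -A FORWARD -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
COMMIT
"""

# iptables-save rule line: "[packets:bytes] -A CHAIN <matches and target>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")


def parse_rules(dump):
    """Return (table, chain, packets, bytes, rule) tuples for every -A line."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):            # table header, e.g. "*raw"
            table = line[1:].strip()
        elif (m := RULE_RE.match(line)):
            rules.append((table, m.group(3), int(m.group(1)), int(m.group(2)), m.group(4)))
    return rules


def audit_helpers(dump):
    """Return (zero_hit_helper_rules, helpers_matched_but_never_assigned)."""
    rules = parse_rules(dump)
    # Helpers explicitly attached to connections by the CT target in the raw table.
    assigned = set(re.findall(r"-j CT --helper (\S+)",
                              "\n".join(r for t, *_, r in rules if t == "raw")))
    zero_hits, unassigned = [], set()
    for table, chain, pkts, _, rule in rules:
        m = re.search(r"-m helper --helper (\S+)", rule)
        if not m:
            continue                        # not a helper-match rule
        if pkts == 0:
            zero_hits.append((table, chain, rule))
        if m.group(1) not in assigned:
            unassigned.add(m.group(1))
    return zero_hits, sorted(unassigned)
```

Feed `audit_helpers()` the output of `iptables-save -c`; a helper that shows up in the second list has match rules that can never fire unless a raw-table CT rule assigns it.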