Hello,

I am having a problem with iptables rules that used to work with kernel 4.6, but do not anymore with 4.8 (I think I skipped 4.7).

I have a machine running asterisk, and the idea was to use connection tracking to dynamically allow incoming packets, esp. SIP-related RTP data. So I have some rules in the tables:

    Chain PREROUTING (policy ACCEPT 19781 packets, 3776K bytes)
     pkts bytes target     prot opt in     out     source               destination
       86 48515 CT         udp  --  any    any     anywhere             anywhere             udp dpt:sip CT helper sip

    Chain OUTPUT (policy ACCEPT 10950 packets, 1223K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    ...
    14969 3316K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ...

This INPUT rule used to match incoming RTP packets when initiating a SIP call from the local asterisk, but now it does not match anymore.

Did something change with netfilter? Is this supposed to work at all? What other concept would work for this setup?

Thanks for a hint,
Joerg
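An added example, not part of the original mail or of any reply on the list, that audits a ruleset for the situation described above. Since kernel 4.7 netfilter no longer attaches conntrack helpers automatically (net.netfilter.nf_conntrack_helper defaults to 0), so the sip helper is only assigned where a CT rule in the raw table explicitly says so. A CT rule in raw PREROUTING covers SIP dialogs arriving from outside; a call placed by the local asterisk leaves through raw OUTPUT, and without a CT rule there the conversation gets no helper and the RTP flows are never marked RELATED. The script takes an iptables-save style dump (the sample below is constructed to mirror the ruleset in the mail, with port 5060 standing in for "sip") and reports which raw chains lack the helper rule, then emits a corrected dump:

```shell
#!/bin/sh
# Added example (not from the original mail): audit an iptables-save dump for
# explicit SIP conntrack helper assignment in both raw-table chains, and emit a
# corrected dump. Uses only POSIX sh and awk, so it runs without root or iptables.

# Constructed sample dump, modelled on the mail's ruleset: the sip helper is
# assigned in raw PREROUTING only, raw OUTPUT has no CT rule.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [19781:3776000]
:OUTPUT ACCEPT [10950:1223000]
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# has_ct_helper DUMP CHAIN HELPER
# Exit 0 if the raw table of DUMP contains "-A CHAIN ... -j CT --helper HELPER".
has_ct_helper() {
    printf '%s\n' "$1" | awk -v chain="$2" -v helper="$3" '
        /^\*/ { table = substr($0, 2) }   # "*raw" -> current table is "raw"
        table == "raw" && $1 == "-A" && $2 == chain && /-j CT/ \
            && $0 ~ ("--helper " helper "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# missing_sip_helper_chains DUMP
# Print each raw chain (PREROUTING for inbound SIP, OUTPUT for locally
# originated SIP) that does not assign the sip helper, one per line.
missing_sip_helper_chains() {
    for chain in PREROUTING OUTPUT; do
        has_ct_helper "$1" "$chain" sip || printf '%s\n' "$chain"
    done
}

# fix_sip_helper DUMP
# Print DUMP with a CT helper rule for every missing raw chain, inserted just
# before the raw table's COMMIT so iptables-restore would accept it as-is.
fix_sip_helper() {
    missing=$(missing_sip_helper_chains "$1")
    printf '%s\n' "$1" | awk -v missing="$missing" '
        /^\*/ { table = substr($0, 2) }
        table == "raw" && $0 == "COMMIT" {
            n = split(missing, chains, "\n")
            for (i = 1; i <= n; i++)
                if (chains[i] != "")
                    print "-A " chains[i] " -p udp -m udp --dport 5060 -j CT --helper sip"
        }
        { print }'
}

# Stand-alone run: report the gap and show the corrected raw table.
if [ -z "$(missing_sip_helper_chains "$SAMPLE_DUMP")" ]; then
    echo "sip helper assigned in both raw chains"
else
    echo "raw chains without sip helper: $(missing_sip_helper_chains "$SAMPLE_DUMP" | tr '\n' ' ')"
    echo "--- corrected dump ---"
    fix_sip_helper "$SAMPLE_DUMP"
fi
```

On a live box the same audit applies to `iptables-save` output (`iptables-save | ...`), and the corrected dump can be reviewed and loaded with `iptables-restore`. Re-enabling automatic assignment via `sysctl net.netfilter.nf_conntrack_helper=1` would also restore the old behaviour, but the explicit CT rule per chain is the intended replacement: it attaches the helper only to the SIP flows you name instead of to every connection on the port.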