On Sun, Oct 09, 2016 at 05:55:18AM +0200, Adel Belhouane wrote:
> On 09/10/2016 at 02:19, Joerg Dorchain wrote:
> > Hello,
> >
> > I am having a problem with iptables rules that used to work with
> > kernel 4.6, but does not anymore with 4.8 (I think I skipped 4.7)
> >
> [...]
> >
> > This input rule used to match incoming rtp packets when initiating
> > a sip call from the local asterisk, but now it does not match
> > anymore.
> >
> > Did something change with netfilters?
>
> There was this dmesg log for long: "nf_conntrack: automatic helper
> assignment is deprecated and it will be removed soon. Use the iptables
> CT target to attach helpers instead."

I am sorry to quote myself, but as I wrote, I have in the RAW table

> Chain PREROUTING (policy ACCEPT 19781 packets, 3776K bytes)
>  pkts bytes target prot opt in out source destination
>    86 48515 CT udp -- any any anywhere anywhere udp dpt:sip CT helper sip

I remember having seen this kernel message long ago and introduced
the rule above.

> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source destination
> ...
> 14969 3316K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
> ...

I meanwhile added another rule for debugging:

    0     0 LOG all -- any any anywhere anywhere helper match "sip" LOG level warning prefix "Lsiprelhp: "

That gets triggered from the telephone on the internal ethernet
connecting to asterisk, where no firewall opening is necessary, but
not for the outgoing call leg via ppp0 from asterisk.

Sorry for being unclear, I can easily give the rules in iptables-save
output if that helps.

> I think that's the answer to the problem:
> https://www.spinics.net/lists/netfilter/msg56874.html

I searched through the recent archive of this list before, found this
thread, but the solution does not work for me. I tried the

    echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

but it did not change.

Thanks for bearing with me,

Joerg
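An added example, not part of the message above and not code from any project: a shell check that reads iptables-save text and reports which raw-table chains attach a given conntrack helper through the CT target. It inspects both PREROUTING and OUTPUT because locally generated packets traverse raw OUTPUT rather than PREROUTING; the sample ruleset and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (not the poster's real ruleset).
sample_ruleset() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [19781:3776000]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m helper --helper sip -j LOG --log-prefix "Lsiprelhp: "
COMMIT
EOF
}

# helper_chains NAME: read iptables-save text on stdin and print the
# raw-table chains holding a "-j CT --helper NAME" rule, one per line.
helper_chains() {
    awk -v want="$1" '
        /^\*/ { table = substr($0, 2) }          # "*raw" opens a table
        table == "raw" && $1 == "-A" {
            is_ct = 0; helper = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i+1) == "CT") is_ct = 1
                # Only a --helper option of the CT target counts,
                # not the "-m helper" match used in filter rules.
                if (is_ct && $i == "--helper") helper = $(i+1)
            }
            if (is_ct && helper == want) print $2
        }' | sort -u
}

# missing_chains NAME: print which of PREROUTING / OUTPUT lack the helper.
# PREROUTING sees packets arriving on an interface; OUTPUT sees
# connections opened by local processes.
missing_chains() {
    found=$(helper_chains "$1")
    for chain in PREROUTING OUTPUT; do
        printf '%s\n' "$found" | grep -qx "$chain" || echo "$chain"
    done
}

# On a live system (as root): iptables-save | missing_chains sip
```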