[asterisk-users] netfilter conntrack mangling canreinvite?

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Aug 25 20:07:04 CDT 2009


Hello, all.  Since implementing an iptables firewall between the
Asterisk PBX and several SIP phones, the Asterisk PBX ability to
"reinvite" has been broken even when the phones are on the same network
(i.e., no firewall between the phones).  We've been beating our heads
against the wall thinking it was the complex rule set but it appears the
issue is ip_conntrack_sip.

Before I drop another day into verifying this, may I ask if anyone else
has had a similar problem and found a solution? It appears conntrack is
rewriting the SDP so that the address is reverted to the PBX address.

Here is the relevant SDP portion of a reinvite captured on the PBX
using tcpdump and displayed in Wireshark.  The PBX is at 172.x.x.8 and
the phone is at 10.x.x.193:

Owner/Creator, Session Id (o): root 1417450700 1417450701 IN IP4
10.x.x.183
Owner Address: 10.x.x.183
Connection Information (c): IN IP4 10.x.x.183
Connection Address: 10.x.x.183

Here is a similar sequence but captured from the phone itself:
Owner/Creator, Session Id (o): root 595629021 595629022 IN IP4 172.x.x.8
Owner Address: 172.x.x.8
Connection Information (c): IN IP4 172.x.x.8
Connection Address: 172.x.x.8

It would appear conntrack has incorrectly "fixed" the packet.

I noticed newer kernels have sip_direct_media and sip_direct_signalling
options.  I don't know if those apply but they do not seem to be present
in our CentOS 5.3 kernel.

I'll probably spend most of tomorrow confirming this hypothesis and
investigating solutions so I'd be deeply appreciative for any
time-saving advice.  Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
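The post's diagnosis rests on comparing the SDP body as the PBX sent it with the SDP body as the phone received it: if the o= and c= addresses differ between the two captures, something on the path rewrote them. The following script is an added example, not code from the original post or from Asterisk; it parses the owner (o=) and connection (c=) lines of two SDP bodies and reports which fields were changed in transit and whether they were reverted to the PBX address, which is the symptom described above. The SDP text and the addresses 172.0.0.8 (PBX) and 10.0.0.183 (phone) are constructed placeholders, and the function names are my own.

```python
"""Compare SDP addresses seen on two sides of a network path.

Added example (not from the original post): parse the o= and c= lines of a
SIP re-INVITE body captured on the PBX and on the phone, and report whether
something in between (for instance a conntrack SIP helper acting as a SIP
ALG) rewrote them. All sample data below is constructed.
"""
import re
from typing import Dict, Optional

# Constructed sample: what the PBX sent. After a reinvite the c= address
# should point at the other phone, so media flows directly between phones.
SDP_FROM_PBX = """v=0
o=root 1417450700 1417450701 IN IP4 10.0.0.183
s=session
c=IN IP4 10.0.0.183
t=0 0
m=audio 10000 RTP/AVP 0 8
"""

# Constructed sample: what the phone received. The addresses now point back
# at the PBX, i.e. the reinvite was undone in transit.
SDP_AT_PHONE = """v=0
o=root 1417450700 1417450701 IN IP4 172.0.0.8
s=session
c=IN IP4 172.0.0.8
t=0 0
m=audio 10000 RTP/AVP 0 8
"""

_O_RE = re.compile(r"^o=(\S+) (\S+) (\S+) IN IP[46] (\S+)$")
_C_RE = re.compile(r"^c=IN IP[46] (\S+)$")


def sdp_addresses(sdp: str) -> Dict[str, Optional[str]]:
    """Return the origin (o=) and connection (c=) addresses of an SDP body.

    Only the first o= and the first (session-level) c= line are read; a
    media-level c= line would override it in a real stack but is not needed
    to demonstrate the comparison.
    """
    addrs: Dict[str, Optional[str]] = {"owner": None, "connection": None}
    for raw in sdp.splitlines():
        line = raw.strip()
        m = _O_RE.match(line)
        if m and addrs["owner"] is None:
            addrs["owner"] = m.group(4)
            continue
        m = _C_RE.match(line)
        if m and addrs["connection"] is None:
            addrs["connection"] = m.group(1)
    return addrs


def compare_sdp(sent: str, received: str, pbx_ip: str) -> Dict[str, Dict[str, object]]:
    """Compare the addresses of an SDP body as sent and as received.

    For each field, report whether it changed in transit and whether the
    received value is the PBX address (the rewrite the post describes).
    """
    a, b = sdp_addresses(sent), sdp_addresses(received)
    report: Dict[str, Dict[str, object]] = {}
    for field in ("owner", "connection"):
        changed = a[field] != b[field]
        report[field] = {
            "sent": a[field],
            "received": b[field],
            "rewritten": changed,
            "reverted_to_pbx": changed and b[field] == pbx_ip,
        }
    return report


def summarize(report: Dict[str, Dict[str, object]]) -> str:
    """Render the comparison as one line per SDP field."""
    lines = []
    for field, info in report.items():
        if info["rewritten"]:
            verdict = "rewritten in transit"
            if info["reverted_to_pbx"]:
                verdict += " (reverted to the PBX address: likely a SIP helper/ALG on the path)"
        else:
            verdict = "unchanged"
        lines.append(f"{field}: sent={info['sent']} received={info['received']} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(compare_sdp(SDP_FROM_PBX, SDP_AT_PHONE, "172.0.0.8")))
```

Feeding it the SDP bodies extracted from a PBX-side and a phone-side capture gives a quick yes/no on whether the address change happened on the wire rather than in Asterisk's own configuration, which is exactly the hypothesis the post sets out to confirm.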