[asterisk-users] problems with natted phones
Marek Greško
mgresko8 at gmail.com
Wed Sep 8 15:43:46 CDT 2021
Hello,
I did converted from iptables by automatical script and then rewritten
myself, because not everything was rewritten successfully.
Relevant parts:
table ip filter {
ct helper sip {
type "sip" protocol udp
l3proto ip
}
chain PREROUTING {
type filter hook prerouting priority filter; policy accept;
udp port 5060 ct helper set "sip"
}
chain INPUT {
...
ct state invalid drop
ct state related accept
ct state established accept
...
iifname "ppp0" jump i-inet
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
udp port 5060 ct helper set "sip"
...
}
chain i-inet {
...
udp port 5060 jump r-sip
...
}
chain r-sip {
ip saddr 192.0.2.0/24 accept
}
}
table ip mangle {
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
...
udp sport 5060 ip dscp set 0x04
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
...
udp dport 5060 ip dscp set 0x04
...
}
}
table ip6 filter {
ct helper sip {
type "sip" protocol udp
l3proto ip6
}
... pretty the same, but I have no ipv6 internet connectivity, so
this should not match ...
}
Is there something incorrect?
Thanks
Marek
2021-09-08 21:17 GMT+02:00, Duncan Turnbull <duncan at e-simple.co.nz>:
>
>
>> On 9/09/2021, at 6:23 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>
>> Hello,
>>
>> I confirm temporarily allowing all the udp communication from the nat
>> ip address solved the problem, so the problem lies in the nftables.
>> This is probably not the right forum to continue. Or is it? Does
>> anybody have wide experience with nftables and sip?
> If you publish your rule set then we could look. Did you write the rules?
> What have you checked so far?
>
>>
>> Thanks
>>
>> Marek
>>
>>
>> 2021-09-07 10:40 GMT+02:00, Antony Stone
>> <Antony.Stone at asterisk.open.source.it>:
>>> On Monday 06 September 2021 at 23:05:27, Duncan Turnbull wrote:
>>>
>>>>>> On 7/09/2021, at 8:30 AM, Marek Greško <mgresko8 at gmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> it is only local nftables with nf_conntrack_sip on the asterisk
>>>>>> server. Probably a kernel bug? It did not trigger with previous
>>>>>> providers since they had working SIP ALG. Now I hear no audio in both
>>>>>> directions because outgoing rtp stream from asterisk goes to private
>>>>>> address space and incoming stream is blocked. So the outgoing rtp
>>>>>> could not be learnt to send to nat addess.
>>>>
>>>> Maybe a bug but that’s less likely than a config error. Time to debug
>>>> your
>>>> nftables.
>>>
>>> Try temporarily simply turning the firewall off - allow all traffic
>>> through
>>> (although leave in place any NAT rules).
>>>
>>> If you then find that RTP works, you know where the problem lies.
>>>
>>>
>>> Antony.
>>>
>>> --
>>> Perfection in design is achieved not when there is nothing left to add,
>>> but
>>> rather when there is nothing left to take away.
>>>
>>> - Antoine de Saint-Exupery
>>>
>>> Please reply to the
>>> list;
>>> please *don't* CC
>>> me.
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> Check out the new Asterisk community forum at:
>>> https://community.asterisk.org/
>>>
>>> New to Asterisk? Start here:
>>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> Check out the new Asterisk community forum at:
>> https://community.asterisk.org/
>>
>> New to Asterisk? Start here:
>> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
More information about the asterisk-users
mailing list