[asterisk-users] 11.4.0: iax packets lost by amazon ec2

Sean Darcy seandarcy2 at gmail.com
Sat Sep 7 15:42:55 CDT 2013


On 09/07/2013 01:26 PM, Tony Mountifield wrote:
> In article <l0fkfp$4ua$1 at ger.gmane.org>,
> Sean Darcy <seandarcy2 at gmail.com> wrote:
>> On 09/07/2013 10:33 AM, Tony Mountifield wrote:
>>> In article <522A934D.8010006 at gmail.com>,
>>> Sean Darcy <seandarcy2 at gmail.com> wrote:
>>>> On 09/06/2013 07:08 PM, Steve Edwards wrote:
>>>>> On Fri, 6 Sep 2013, Sean Darcy wrote:
>>>>>
>>>>>> I'm not sure asterisk is even listening for the packets:
>>>>>>
>>>>>> [root at asterisk ~]# netstat -apnt | grep 4569
>>>>>> [root at asterisk ~]#
>>>>>
>>>>> '-t' means TCP. IAX is UDP.
>>>>>
>>>>
>>>> My bad:
>>>>
>>>> netstat -apnu | grep 4569
>>>> udp        0      0 0.0.0.0:4569            0.0.0.0:*                           3176/asterisk
>>>>
>>>> But why isn't asterisk seeing/acting upon the registration request?
>>>> Wireshark finds the packet to 4569, so it's not a firewall problem.
>>>
>>> Are you sure about that? I have found in the past that tcpdump sees inbound
>>> packets before they get to the iptables filter.
>>>
>>> What happens if you do:
>>> iptables -I INPUT 1 -p udp --dport 4569 -j ACCEPT
>>>
>>> Cheers
>>> Tony
>>>
>>
>> Wow! Look:
>>
>>    iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
>> ACCEPT     icmp --  anywhere             anywhere
>> ACCEPT     all  --  anywhere             anywhere
>> ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW tcp dpt:ssh
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>> REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>> Which means to me that the INPUT chain will ACCEPT all protocols from
>> anywhere to anywhere.
>
> I suspect there's something that is not being shown there. Try:
>
> # iptables -vnL
>
> (and if pasting it, to post here, try to avoid line-wrapping if possible).
>
>> But no, iptables -I INPUT 1 -p udp --dport 4569 -j ACCEPT solves the
>> problem and asterisk now registers my device.
>>
>> Now I have to find a way to make it persistent across reboots.
>
> If your system is RH or CentOS-like, you can do:
>
> # service iptables save
>
> That creates the file /etc/sysconfig/iptables, which is loaded on boot.
>
> Cheers
> Tony
>


iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
  125K  171M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    13   768 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
     1    40 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

So this means the packet is accepted only if it comes from the loopback 
interface?

I've disabled iptables altogether, now relying on the amazon security group.

Thanks for your help.

sean
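
Added example, not part of the original thread: a small Python model of first-match evaluation over the INPUT chain from the `iptables -vnL` output above, showing which rule a new inbound UDP packet to port 4569 hits before and after the `iptables -I INPUT 1` rule is inserted. The interface name `eth0` and the zeroed counters on the inserted rule are assumptions, and only protocol, in-interface, destination port and ctstate are modelled.

```python
import re

# Constructed sample: the INPUT chain from the post, with the line wraps joined.
RULES = """\
125K 171M ACCEPT all  -- *  * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0    0    ACCEPT icmp -- *  * 0.0.0.0/0 0.0.0.0/0
0    0    ACCEPT all  -- lo * 0.0.0.0/0 0.0.0.0/0
13   768  ACCEPT tcp  -- *  * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:22
1    40   REJECT all  -- *  * 0.0.0.0/0 0.0.0.0/0
"""
# How the rule from `iptables -I INPUT 1 -p udp --dport 4569 -j ACCEPT` is listed
# (counters constructed).
IAX_RULE = "0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569\n"


def parse(text):
    """Turn `iptables -vnL` rule lines into dicts of the fields modelled here."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:  # skip headers and blank lines
            continue
        extra = " ".join(f[9:])
        dpt = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"ctstate (\S+)", extra)
        rules.append({
            "target": f[2], "proto": f[3], "in": f[5],
            "dport": int(dpt.group(1)) if dpt else None,
            "ctstate": set(state.group(1).split(",")) if state else None,
        })
    return rules


def verdict(rules, proto, iface, dport, ctstate="NEW"):
    """Return (rule number, target) of the first matching rule, else the policy."""
    for n, r in enumerate(rules, 1):
        if (r["proto"] in ("all", proto)
                and r["in"] in ("*", iface)  # the column plain `iptables -L` hides
                and r["dport"] in (None, dport)
                and (r["ctstate"] is None or ctstate in r["ctstate"])):
            return n, r["target"]
    return 0, "ACCEPT"  # chain policy ACCEPT, as in the post's chain header


if __name__ == "__main__":
    print("before:", verdict(parse(RULES), "udp", "eth0", 4569))
    print("after: ", verdict(parse(IAX_RULE + RULES), "udp", "eth0", 4569))
```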



