[GTALUG] firewalls and iptables

Darryl Moore darryl at moores.ca
Tue Jun 7 14:45:07 EDT 2016


So on a customer's network I was having issues with what looked like port 
blocking based on the source address of my UDP packets. Weird eh?

Basically whenever a remote SIP client registered with my asterisk box 
it would work for a while, then eventually the responses from asterisk 
would get blocked. I put this down to a defective router somewhere in 
the communication path. My work around which seemed to work was to 
change the UDP port asterisk was using for SIP and use iptables to 
reroute from the original port to the new port. This way the response 
would come from the new port and not get blocked. And it worked too!!

This is what I did to move the ports:

/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -i eth0 -p udp --dport 5060 -j REDIRECT --to-ports $port
sed -i "s/bindport.*/bindport=$port/" /etc/asterisk/sip.conf
/etc/init.d/asterisk restart

buuuuuuut....., the iptables flush doesn't work, and there is nothing 
that seems to make it work. After a while I see this with tcpdump:
14:37:20.064722 IP 192.168.10.97.5060 > 192.168.10.59.5067: SIP, length: 4
14:37:20.064772 IP 192.168.10.97.5060 > 192.168.10.59.5062: SIP, length: 4
14:37:20.064783 IP 192.168.10.97.5060 > 192.168.10.59.5064: SIP, length: 4
14:37:20.064800 IP 192.168.10.97.5060 > 192.168.10.59.5065: SIP, length: 4
14:37:20.064834 IP 192.168.10.97.5060 > 192.168.10.59.5066: SIP, length: 4
14:37:20.064990 IP 192.168.10.97.5060 > 192.168.10.59.5063: SIP, length: 4
14:37:20.065025 IP 192.168.10.97.5060 > 192.168.10.59.5060: SIP, length: 4

It looks like the packets get cloned multiple times (each time I move 
the port). What is worse is I cannot switch back to port 5060 because of 
it. I've done just about everything I can imagine to get iptables to 
behave properly. Putting aside my original issue with the external 
source port blocking, has anybody seen anything like this before? The 
only thing I can do to restore the kernel firewall is to reboot.
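Netfilter records a REDIRECT decision in the connection-tracking entry for that UDP flow; `iptables -t nat -F` removes only the rules, not the entries already created, and a SIP client that keeps re-registering refreshes those entries so an old mapping can outlive the rule. The script below is an added diagnostic, not part of the original post: it reads /proc/net/nf_conntrack-style lines (a constructed sample using the 192.168.10.x hosts from the post is embedded), lists UDP entries still mapped away from the port given, and prints the conntrack(8) deletions (from conntrack-tools) that would clear them.

```shell
#!/bin/sh
# Added diagnostic: find UDP conntrack entries that still carry an old
# REDIRECT mapping for a SIP port and emit the commands that would remove them.
#
# Constructed sample in the /proc/net/nf_conntrack layout (not a capture from
# the poster's network).  Per line: original src/dst/sport/dport, then reply
# src/dst/sport/dport.  The reply sport is the port the flow was redirected to.
SAMPLE_CONNTRACK='ipv4     2 udp      17 29 src=192.168.10.97 dst=192.168.10.59 sport=5060 dport=5060 src=192.168.10.59 dst=192.168.10.97 sport=5062 dport=5060 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 17 src=192.168.10.98 dst=192.168.10.59 sport=5060 dport=5060 src=192.168.10.59 dst=192.168.10.98 sport=5060 dport=5060 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.10.5 dst=192.168.10.59 sport=51234 dport=22 src=192.168.10.59 dst=192.168.10.5 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2'

# stale_redirects PORT   (conntrack lines on stdin)
# Prints "client original_dport reply_sport" for each UDP entry whose original
# destination port is PORT but whose reply source port differs: that flow is
# still being NATed by a REDIRECT mapping, whether or not the rule still exists.
# Accepts both /proc/net/nf_conntrack ($3 = proto) and `conntrack -L` ($1 = proto).
stale_redirects() {
    awk -v p="$1" '
        $1 == "udp" || $3 == "udp" {
            ns = 0; nsp = 0; nd = 0; client = ""; rsport = ""; odport = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "src=") == 1)   { ns++;  if (ns == 1)  client = substr($i, 5) }
                if (index($i, "sport=") == 1) { nsp++; if (nsp == 2) rsport = substr($i, 7) }
                if (index($i, "dport=") == 1) { nd++;  if (nd == 1)  odport = substr($i, 7) }
            }
            if (odport == p && rsport != p) print client, odport, rsport
        }'
}

# stale_redirect_cmds PORT   (conntrack lines on stdin)
# Turns each stale entry into the conntrack-tools command that deletes it, so
# the next packet from that client is matched against the nat table afresh.
stale_redirect_cmds() {
    stale_redirects "$1" | while read -r client odport rsport; do
        printf 'conntrack -D -p udp --orig-src %s --orig-port-dst %s\n' "$client" "$odport"
    done
}

# Demo on the constructed sample.  On a live box, read the real table instead:
#   stale_redirect_cmds 5060 < /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_redirect_cmds 5060
```

The commands are only printed; review them before running, since deleting an entry briefly interrupts that client's flow.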
