[OpenSIPS-Users] media-relay not relaying when iptables running

Jeff Pyle jpyle at fidelityvoice.com
Thu Oct 20 19:02:06 CEST 2011


Hi Jim,

Huh.  That's scary yet interesting.  I dumped CentOS in favor of Debian for my Opensips/Mediaproxy adventures a while back because in many ways, things "just work better".  I can't say I had these issues in CentOS, however.  Both CentOS and Mediaproxy were at significantly older versions.  Perhaps that's related.

On my Debian (lenny) relays, I restore the iptables rules from a file as a function of the interface (pre-up).  Seems to work fairly well.  Here's most of the iptables-save output from the relay.  This matches the iptables.rules file I restore with the exception of the snipped parts and the counters:

# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*raw
:PREROUTING ACCEPT [24582234842:4809548355202]
:OUTPUT ACCEPT [154571950:31256363599]
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*nat
:PREROUTING ACCEPT [12968687:1476480376]
:POSTROUTING ACCEPT [1936336:370965482]
:OUTPUT ACCEPT [1936336:370965482]
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*mangle
:PREROUTING ACCEPT [24582237485:4809548896216]
:INPUT ACCEPT [203005278:39797729208]
:FORWARD ACCEPT [24379232207:4769751167008]
:OUTPUT ACCEPT [154572287:31256447734]
:POSTROUTING ACCEPT [24531204592:4800422567952]
-A POSTROUTING -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e 
COMMIT
# Completed on Thu Oct 20 12:56:50 2011
# Generated by iptables-save v1.4.2 on Thu Oct 20 12:56:50 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [24379232256:4769751176468]
:OUTPUT ACCEPT [151972385:30671400944]
[snip]
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT 
[snip]
-A INPUT -j DROP
COMMIT
# Completed on Thu Oct 20 12:56:50 2011

As far as I can tell that's rather straightforward.  As you might suspect I declare 16384:32768 in the relay's config.  I suspect there's nothing in there surprising to you.


- Jeff


On Oct 20, 2011, at 11:44 AM, JimDoesVoip wrote:

> Hi Jeff,
>  Thanks.  I looked at this earlier as well.  I swapped the REJECT line out
> for a blanket ACCEPT with forwards and it didn't seem to have an effect.  I
> keep wondering if there is something in raw that needs to be put in place
> based upon the messages from iptables as it exists.  I took another look
> based on your note and I think I found something meaningful.
> 
>  iptables (at least on CentOS) appears to load different tables
> independently when you use the --list option.  So I started a call with only
> the raw table loaded.  No audio.  I then stopped iptables and had audio.  I
> then loaded filter and nat tables and each time still had audio.  Then as
> the call was going I loaded the raw table, and the call still had audio.  I
> stopped the call and started a new one: no audio.  Unloaded the raw table;
> audio.  
> 
> # iptables -t raw --list   
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination         
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination         
> # /etc/init.d/iptables stop
> iptables: Flushing firewall rules:                         [  OK  ]
> iptables: Setting chains to policy ACCEPT: raw             [  OK  ]
> iptables: Unloading modules:                               [  OK  ]
> # 
> 
> 
> So it feels likely that the raw part of my iptables config is blocking
> things.  Perhaps, even though it says it is defaulting to ACCEPT, it is
> blocking packets from getting to conntrack rules setup by media-relay?
> 
> Thanks,
> 
> Jim
> 
> 
> 
> 
> Jeff Pyle wrote:
>> 
>> Jim,
>> 
>> One difference between my iptables setup and yours on my relay is I allow
>> the FORWARD to go, default policy ACCEPT.  Perhaps this is relevant.
>> 
>> 
>> - Jeff
>> 
>> 
>> 
> 
> 

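Added example, not part of the original thread and not Mediaproxy code: a Python check that parses iptables-save output and tests the two filter-table points compared in this thread, namely that FORWARD traffic is accepted and that INPUT accepts the relay's UDP port range ahead of the final DROP. The function names and the sample dump are constructed for illustration, and only catch-all and port-range ACCEPT rules are evaluated.

```python
import shlex

def parse_save(dump):
    """iptables-save text -> {table: {"policy": {chain: target}, "rules": [tokens]}}."""
    tables, cur = {}, None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            chain, target = line[1:].split()[:2]
            cur["policy"][chain] = target
        elif cur is not None and line.startswith("-A"):
            cur["rules"].append(shlex.split(line))
    return tables  # comments, COMMIT and "[snip]" lines are ignored

def opt(tokens, name):  # value following option `name`, or None if absent
    return tokens[tokens.index(name) + 1] if name in tokens else None

def covers(rule_range, lo, hi):
    a, _, b = rule_range.partition(":")
    return int(a) <= lo and hi <= int(b or a)

def verdict(flt, chain, lo=None, hi=None):
    """First decisive result in `chain`: a UDP --dport ACCEPT covering lo..hi or a
    catch-all "-A CHAIN -j TARGET", else the policy. Other rules are not evaluated."""
    for r in flt["rules"]:
        if opt(r, "-A") != chain:
            continue
        target, dport = opt(r, "-j"), opt(r, "--dport")
        if r[2] == "-j" and target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if (lo is not None and target == "ACCEPT" and opt(r, "-p") == "udp"
                and dport and covers(dport, lo, hi)):
            return "ACCEPT"
    return flt["policy"].get(chain, "ACCEPT")

def audit_relay(dump, lo, hi):
    """Findings for a relay whose configured UDP media ports are lo..hi."""
    flt = parse_save(dump).get("filter", {"policy": {}, "rules": []})
    findings = []
    if verdict(flt, "FORWARD") != "ACCEPT":
        findings.append("FORWARD traffic is not accepted")
    if verdict(flt, "INPUT", lo, hi) != "ACCEPT":
        findings.append("INPUT does not accept udp %d:%d" % (lo, hi))
    return findings

# Constructed sample, modelled on the filter table layout quoted above.
SAMPLE = ("*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n"
          "-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT\n-A INPUT -j DROP\nCOMMIT\n")
print(audit_relay(SAMPLE, 16384, 32768))
```

An empty list means neither check found a problem for the given port range; it says nothing about the raw table behaviour discussed in the quoted reply.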