[OpenSIPS-Users] media-relay not relaying when iptables running

mmotani mmotani at counterpath.com
Mon Jul 9 09:29:07 CEST 2012


Hi Folks,

I apologize in advance for resurrecting an old thread, but I have some new
insight on the problem that Jim faced a few months ago with trying to run
media-relay on CentOS 6. I have discovered that turning off SELinux allows
media-proxy to relay media correctly without having to turn off the iptables
service. I also do not get any of the syslog error messages that I normally
get with SELinux and iptables running. Clearly, SELinux is preventing a
system call to sockets because of insufficient authority for the media-relay
process.

The perplexing thing, however, is that this restriction does not show up in
the audit.log as most blocks by SELinux do. An analysis of audit.log using
"sealert -a" does not show any references to media-relay, media-dispatcher,
twisted or python. 

If anybody has any insight on which rules in SELinux might be causing this
issue, or how to diagnose this problem without any feedback in the
audit.log, it would be much appreciated.

Muiz Motani


JimDoesVoip wrote
> 
> Hi All,
>   We're running opensips 1.6.4 and mediaproxy 2.5.2, both on a single
> server running centos 6.  When iptables is turned off media-relay works
> properly, calls connect and have audio, we see media flow from an IP
> client, to the media-relay back to IP client.  We can't see any entries
> using the conntrack -L command at this time (maybe because iptables is
> off?)
> 
>   When we turn iptables on, we see entries in conntrack -L for a bunch of
> items including the sip signaling to each of the clients, but we do not
> see any entries for media when in a call (should we?).
> 
>   Our iptables config adds a few accept lines to the filter chain to allow
> any traffic on a few private interfaces and to allow sip traffic on a high
> port on any interface.  These keep opensips working while iptables is
> running.
> 
> <pre>
> # iptables -t filter -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   203 23785 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
>     2   152 ACCEPT     icmp --  any    any     anywhere             anywhere
>     1   201 ACCEPT     all  --  lo     any     anywhere             anywhere
>     7  3629 ACCEPT     all  --  bond0  any     anywhere             anywhere
>     0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere
>     0     0 ACCEPT     all  --  eth1   any     anywhere             anywhere
>     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:15060
>     9  1177 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:15060
>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
> 
> Chain OUTPUT (policy ACCEPT 137 packets, 33701 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> 
> # iptables -t raw -L -v
> Chain PREROUTING (policy ACCEPT 11495 packets, 2699K bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 118 packets, 32010 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> # 
> </pre>
> 
> It seems like something isn't getting connected properly, but
> unfortunately I didn't find a similar problem.  
> 
> When iptables is running there are no errors from media-relay, but no
> audio is relayed.  When iptables is off we see errors complaining about
> iptables not being loaded, but media is relayed / works in both
> directions.
> 
> Thanks very much,
> 
> Jim O
> 


--
View this message in context: http://opensips-open-sip-server.1449251.n2.nabble.com/media-relay-not-relaying-when-iptables-running-tp6911797p7580753.html
Sent from the OpenSIPS - Users mailing list archive at Nabble.com.
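
The following is an added example, not part of the original message or of the mediaproxy project: a shell function that tallies raw AVC denial records by process name directly from audit log text, as a cross-check on what "sealert -a" reports. The function names, the process-name pattern and the sample records are assumptions constructed for illustration; they are not taken from the system in this thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): tally raw SELinux AVC denials by
# process name straight from audit log text, without going through sealert.

# Constructed sample records; NOT captured from the system in the thread.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1341818901.101:311): avc:  denied  { create } for  pid=2211 comm="media-relay" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1341818901.101:311): arch=c000003e syscall=41 success=no exit=-13 comm="media-relay" exe="/usr/bin/python"
type=AVC msg=audit(1341818902.200:312): avc:  denied  { create } for  pid=2211 comm="media-relay" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=netlink_socket
type=AVC msg=audit(1341818903.300:313): avc:  denied  { name_bind } for  pid=2300 comm="python" src=50000 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1341818904.400:314): avc:  denied  { read } for  pid=1800 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# avc_denials COMM_REGEX < audit.log
# Prints "count comm tclass permissions" for each distinct denial whose
# comm= field matches COMM_REGEX. Non-AVC records (SYSCALL etc.) are skipped.
avc_denials() {
    awk -v re="$1" '
        /type=AVC/ && /denied/ {
            comm = ""; tclass = ""; perms = ""
            if (match($0, /comm="[^"]*"/))      comm   = substr($0, RSTART + 6, RLENGTH - 7)
            if (match($0, /tclass=[a-z_0-9]+/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /[{] [^}]* [}]/))     perms  = substr($0, RSTART + 2, RLENGTH - 4)
            if (comm ~ re) seen[comm " " tclass " " perms]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort
}

# Demo on the constructed sample. On a real host, feed the log instead:
#   avc_denials 'media-|python|twist' < /var/log/audit/audit.log
sample_audit_log | avc_denials 'media-|python|twist'

# If the real log yields nothing while SELinux is enforcing, the denial may
# be covered by a dontaudit rule, which suppresses logging. "semodule -DB"
# rebuilds the policy with dontaudit rules disabled so hidden denials are
# recorded; "semodule -B" restores the normal policy after reproducing.
```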


