[OpenSIPS-Users] media-relay not relaying when iptables running
mmotani
mmotani at counterpath.com
Mon Jul 9 09:29:07 CEST 2012
Hi Folks,
I apologize in advance for resurrecting an old thread, but I have some new
insight on the problem that Jim faced a few months ago with trying to run
media-relay on CentOS 6. I have discovered that turning off SELinux allows
media-proxy to relay media correctly without having to turn off the iptables
service. I also do not get any of the syslog error messages that I normally
get with SELinux and iptables running. Clearly, SELinux is preventing a
system call to sockets because of insufficient authority for the media-relay
process.
The perplexing thing, however, is that this restriction does not show up in
the audit.log as most blocks by SELinux do. An analysis of audit.log using
"sealert -a" does not show any references to media-relay, media-dispatcher,
twisted or python.
If anybody has any insight on which rules in SELinux might be causing this
issue, or how to diagnose this problem without any feedback in the
audit.log, it would be much appreciated.
Muiz Motani
JimDoesVoip wrote
>
> Hi All,
> We're running opensips 1.6.4 and mediaproxy 2.5.2, both on a single
> server running centos 6. When iptables is turned off media-relay works
> properly, calls connect and have audio, we see media flow from a IP
> client, to the media-relay back to IP client. We can't see any entries
> using the conntrack -L command at this time (maybe because iptables is
> off?)
>
> When we turn iptables on, we see entries in conntrack -L for a bunch of
> items including the sip signaling to each of the clients, but we do not
> see any entries for media when in a call (should we?).
>
> Our iptables config adds a few accept lines to the filter chain to allow
> any traffic on a few private interfaces and to allow sip traffic on a high
> port on any interface. These keep opensips working while iptables is
> running.
>
> <pre>
> # iptables -t filter -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 203 23785 ACCEPT all -- any any anywhere
> anywhere state RELATED,ESTABLISHED
> 2 152 ACCEPT icmp -- any any anywhere
> anywhere
> 1 201 ACCEPT all -- lo any anywhere
> anywhere
> 7 3629 ACCEPT all -- bond0 any anywhere
> anywhere
> 0 0 ACCEPT all -- eth0 any anywhere
> anywhere
> 0 0 ACCEPT all -- eth1 any anywhere
> anywhere
> 0 0 ACCEPT tcp -- any any anywhere
> anywhere state NEW tcp dpt:ssh
> 0 0 ACCEPT tcp -- any any anywhere
> anywhere state NEW tcp dpt:15060
> 9 1177 ACCEPT udp -- any any anywhere
> anywhere state NEW udp dpt:15060
> 0 0 REJECT all -- any any anywhere
> anywhere reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 REJECT all -- any any anywhere
> anywhere reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT 137 packets, 33701 bytes)
> pkts bytes target prot opt in out source
> destination
>
>
> # iptables -t raw -L -v
> Chain PREROUTING (policy ACCEPT 11495 packets, 2699K bytes)
> pkts bytes target prot opt in out source
> destination
>
> Chain OUTPUT (policy ACCEPT 118 packets, 32010 bytes)
> pkts bytes target prot opt in out source
> destination
> #
> </pre>
>
> It seems like something isn't getting connected properly, but
> unfortunately I didn't find a similar problem.
>
> When iptables is running there are no errors from media-relay, but no
> audio is relayed. When iptables is off we see errors complaining about
> iptables not being loaded, but media is relayed / works in both
> directions.
>
> Thanks very much,
>
> Jim O
>
--
View this message in context: http://opensips-open-sip-server.1449251.n2.nabble.com/media-relay-not-relaying-when-iptables-running-tp6911797p7580753.html
Sent from the OpenSIPS - Users mailing list archive at Nabble.com.
More information about the Users
mailing list