On 4/1/2014 3:38 PM, Tom Eastep wrote:
> On 4/1/2014 2:25 PM, İlker Aktuna wrote:
>> Yes. In fact, that's my real problem. When I try to connect to my SIP
>> proxy (Asterisk) from the internet, I come from the ppp0 address. However,
>> Asterisk decides to reply with the ppp1 address sometimes. And then I
>> cannot register, because my SIP client does not accept the reply from
>> the ppp1 address.
>
> This can be a problem with UDP sockets. With your current Shorewall
> configuration, you are not even using packet marks to attempt to direct
> locally-generated SIP packets out of a particular interface.
>
> With UDP sockets, the client has no control over the source IP address.
> This normally isn't a problem, because for any given IP address, there
> is usually only one interface that can be used to send packets and the
> kernel picks the primary IP address of that interface. The problem
> arises when there are multiple interfaces that can send to a given host.
> Until the packet is routed, it has source IP address zero which won't
> match the conntrack entry that was created when the initial UDP packet
> in the flow was sent from the client.
>
> I don't have a solution to that problem, other than to move the Asterisk
> server off of the gateway.
I would note, however, that properly-written UDP servers do not have this
problem. In the dump you sent, contrast the handling of UDP sockets by
Asterisk with that of Bind's named daemon.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address    State        PID/Program name
udp        0      0 0.0.0.0:10000           0.0.0.0:*                       2120/perl
udp        0      0 95.65.143.173:53        0.0.0.0:*                       10769/named
udp        0      0 95.65.143.7:53          0.0.0.0:*                       10769/named
udp        0      0 192.168.254.254:53      0.0.0.0:*                       10769/named
udp        0      0 192.168.1.2:53          0.0.0.0:*                       10769/named
udp        0      0 192.168.250.2:53        0.0.0.0:*                       10769/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                       10769/named
udp        0      0 127.0.0.1:42050         127.0.0.1:514      ESTABLISHED  2120/perl
udp        0      0 0.0.0.0:67              0.0.0.0:*                       1184/dhcpd
udp        0      0 192.168.254.254:9053    0.0.0.0:*                       21320/tor
udp        0      0 0.0.0.0:5000            0.0.0.0:*                       15342/asterisk
udp        0      0 0.0.0.0:58511           0.0.0.0:*                       29117/ntpdate
udp        0      0 0.0.0.0:161             0.0.0.0:*                       2496/snmpd
udp        0      0 0.0.0.0:4520            0.0.0.0:*                       15342/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                       15342/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                       15342/asterisk
udp6       0      0 :::53                   :::*                            10769/named

Notice that named binds a separate UDP socket to every primary IP address.
That way, when a request is sent to that address, the reply will use the
same socket and the source IP address will be correct. And the
Shorewall-generated ruleset will properly route the request back out of
the right interface.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
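The two binding strategies Tom contrasts, reproduced as an added example that is not from the list thread or from Asterisk or BIND: loopback aliases 127.0.0.1 and 127.0.0.2 stand in for the gateway's two addresses, a client bound to 127.0.0.1 stands in for the SIP client, and the request and reply payloads are constructed. The wildcard server lets the kernel pick the reply's source address at routing time, so a request sent to 127.0.0.2 comes back from 127.0.0.1; the per-address server replies through the socket that received the request, so the source always matches.

```python
import selectors, socket, threading
def usable_aliases(candidates=("127.0.0.1", "127.0.0.2")):
    """Keep the loopback aliases this host lets us bind (127.0.0.2 needs the whole 127/8 on lo, as on Linux)."""
    usable = []
    for addr in candidates:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
            try:
                probe.bind((addr, 0))
                usable.append(addr)
            except OSError:
                pass
    return usable
def bind_udp(addresses):
    """One UDP socket per address, as named does; ["0.0.0.0"] gives the single wildcard socket Asterisk uses."""
    socks = []
    for addr in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((addr, 0))
        socks.append(s)
    return socks
def answer_one(socks, timeout=3.0):
    """Wait for one datagram on any socket and reply through the socket that received it."""
    with selectors.DefaultSelector() as sel:
        for s in socks:
            sel.register(s, selectors.EVENT_READ)
        for key, _ in sel.select(timeout):
            data, peer = key.fileobj.recvfrom(2048)
            key.fileobj.sendto(b"200 OK " + data, peer)  # constructed reply payload
def reply_source(server_socks, dest):
    """Send one constructed request to dest from 127.0.0.1; return the source address the reply arrives from."""
    t = threading.Thread(target=answer_one, args=(server_socks,))
    t.start()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(3.0)
        client.bind(("127.0.0.1", 0))  # stands in for the SIP client's address
        client.sendto(b"REGISTER", dest)
        _, (src, _port) = client.recvfrom(2048)
    t.join()
    return src
def compare(aliases=None):
    """Return {alias: reply source} for a 0.0.0.0 server and for a per-address server."""
    aliases = aliases or usable_aliases()
    wild = bind_udp(["0.0.0.0"])
    port = wild[0].getsockname()[1]
    wildcard = {a: reply_source(wild, (a, port)) for a in aliases}
    per = bind_udp(aliases)
    per_address = {a: reply_source(per, s.getsockname()) for a, s in zip(aliases, per)}
    for s in wild + per: s.close()
    return wildcard, per_address
```

On a Linux host `compare()` returns `({'127.0.0.1': '127.0.0.1', '127.0.0.2': '127.0.0.1'}, {'127.0.0.1': '127.0.0.1', '127.0.0.2': '127.0.0.2'})`: the wildcard server's mismatch is exactly what the SIP client rejects.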
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users