centos kvm host, routing sip/udp to vm - iptables
I have a sipxecs vm being hosted by a centos7 which is running iptables.
We can make calls out from the vm and have audio but incoming calls contain no audio. Since the ring does come in, I assume that the sip part is working but udp is not. Here is how my iptables look on the host.
### SipXecs
-A PREROUTING --dst 1.2.3.4 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.100:443
-A PREROUTING --dst 1.2.3.4 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING --dst 1.2.3.4 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING --dst 1.2.3.4 -p udp -m udp --dport 5080 -j DNAT --to-destination 192.168.122.100:5080
-A PREROUTING --dst 1.2.3.4 -p udp -m udp -m multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100
My question is what is wrong with this setup that the vm would not be receiving any audio/udp and please provide a solution.
You not only have the iptables of the hosting server but the firewall of the vm. Did you update in both places?
ASKER
Yes, I should have mentioned that sipxecs automatically sets up the firewall on the server/vm.
Have you run wireshark yet?
ASKER
No, it's a remote network and host so I don't have my usual tools.
I've never run wireshark on centos but am guessing I would need to run it on the host or something else.
I would run it both on the host and the VM. I run wireshark remotely on linux hosts all the time.
ASKER
Yes, I'm running it now.
In terms of the main question however, do you think the iptables looks correct as well?
I don't do masquerading with iptables and so can't answer that. The rules look logical to me but I can't speak for the multiport line. It's inconsistent with the others in that the destination ports are not listed. Shouldn't it be something like 192.168.122.100:30000-31000?
ASKER
>It's inconsistent with the others in that the destination ports are not listed.
>Shouldn't it be something like 192.168.122.100:30000-31000?
I don't know and that's why I'm posting. I cannot seem to confirm this anywhere so thought I would ask here.
I made the change and iptables restarted and tested a call. Audio still works one way so the problem remains.
The iptables config is the first thing I'd like to eliminate as a problem.
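Added example, not from the thread: a small Python checker that parses the rules quoted in the question (iptables-save syntax) and reports where an inbound packet to 1.2.3.4 would be rewritten, assuming they are nat-table PREROUTING rules evaluated first match wins. It shows that the multiport line with an IP-only --to-destination keeps the original port, so the 30000:31000 range is forwarded consistently with the other lines; how netfilter picks a port when the original lies outside a target port range is simplified and marked as an assumption.

```python
import re

# Constructed copy of the nat PREROUTING rules quoted in the question (iptables-save syntax).
RULES = """
-A PREROUTING --dst 1.2.3.4 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.122.100:443
-A PREROUTING --dst 1.2.3.4 -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING --dst 1.2.3.4 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.122.100:5060
-A PREROUTING --dst 1.2.3.4 -p udp -m udp --dport 5080 -j DNAT --to-destination 192.168.122.100:5080
-A PREROUTING --dst 1.2.3.4 -p udp -m udp -m multiport --dports 30000:31000 -j DNAT --to-destination 192.168.122.100
"""
RULE_RE = re.compile(r"--dst (\S+) -p (\w+) .*?--dports? (\S+) -j DNAT --to-destination (\S+)")

def _span(item, sep):
    # "443" -> (443, 443); "30000:31000" or "30000-31000" -> (30000, 31000)
    lo, _, hi = item.partition(sep)
    return int(lo), int(hi or lo)

def parse_rules(text):
    """Each rule becomes (dst, proto, [(lo, hi), ...], to_ip, to_ports); to_ports is None when the
    target carries no port, i.e. DNAT rewrites only the IP and leaves the destination port alone."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue                      # skip lines that are not a DNAT rule we understand
        dst, proto, ports, target = m.groups()
        ip, _, port = target.partition(":")
        rules.append((dst, proto, [_span(p, ":") for p in ports.split(",")],
                      ip, _span(port, "-") if port else None))
    return rules

def translate(rules, dst, proto, dport):
    """(ip, port) an inbound packet is DNATed to, or None if no rule matches; first match wins."""
    for r_dst, r_proto, r_ports, to_ip, to_ports in rules:
        if r_dst != dst or r_proto != proto or not any(lo <= dport <= hi for lo, hi in r_ports):
            continue
        if to_ports is None:
            return to_ip, dport           # IP-only target: destination port is preserved
        lo, hi = to_ports
        # Assumption/simplification: a port already inside the target range is kept; otherwise the
        # range start is returned (real netfilter picks a free port from the range).
        return to_ip, dport if lo <= dport <= hi else lo
    return None

def unforwarded(rules, dst, proto, lo, hi):
    """Ports in [lo, hi] that no rule forwards; an empty list means the RTP range is fully covered."""
    return [p for p in range(lo, hi + 1) if translate(rules, dst, proto, p) is None]
```

Running `unforwarded(parse_rules(RULES), "1.2.3.4", "udp", 30000, 31000)` against the VM's configured RTP range is a quick way to rule the DNAT coverage in or out before touching the firewall; it says nothing about the FORWARD chain or the VM's own firewall, which are separate checks.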
When you ran wireshark did the traffic even hit the server?
ASKER
Well, I can see what does hit it but I can't see what is being blocked so how would I know?
ASKER CERTIFIED SOLUTION
ASKER
We do that as well, turn off the firewall, check for differences, turn it back on.
I've no idea where to go with this question since no one seems to know if the iptables rule for multiports is correct or not.
I'm awarding the solution as checking with and without firewall because it could be helpful to others.
Did you add the range as suggested up above?
And, does it work if iptables is stopped?
ASKER
Made no difference and we didn't see anything being blocked using tshark. However, I'm used to using win based wireshark so maybe not using the correct command.
If you had wireshark running, even in non-verbose mode, and the packets were denied/rejected, you would still see them hit the server.