iptables causing voice issues

mzahid1982
Posts: 3
Joined: 2018/04/17 09:11:35

iptables causing voice issues

Post by mzahid1982 » 2018/04/17 10:25:50

We have implemented iptables (CentOS release 6.7) running with Asterisk 1.8 without any issues, but now we have a new call routing scenario where iptables is causing issues. We are receiving calls from SIP Carrier A (1.1.1.1) and these calls need to be forwarded to Carrier B (2.2.2.2). With the current iptables settings voice (RTP) is not passing, however SIP signaling is working fine. I have already allowed SIP signaling (TCP port 5060) & RTP ports (UDP 10000 to 50000), but somehow the RTP packets are not flowing. When I stop iptables I can see RTP traffic between the carrier IPs, please advise.

Server IP address is 172.28.100.1 and we need to allow the following traffic, which iptables is currently blocking.
RTP packet from 1.1.1.1:25420
RTP packet to 2.2.2.2:22800

iptables configuration:

:FORWARD DROP [0:0]
:OUTPUT ACCEPT [70808:12412543]
:ADMIN-LEVEL - [0:0]
:TRUNK-LEVEL - [0:0]
:USER-LEVEL - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j USER-LEVEL
-A INPUT -p udp -m udp --dport 5060 -j USER-LEVEL
-A INPUT -p udp -m udp --dport 10000:60000 -j USER-LEVEL
-A INPUT -p tcp -m tcp --dport 22 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 3306 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 80 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 443 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 5060 -j TRUNK-LEVEL
-A INPUT -p udp -m udp --dport 5060 -j TRUNK-LEVEL
-A INPUT -p udp -m udp --dport 10000:60000 -j TRUNK-LEVEL
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
-A ADMIN-LEVEL -s 10.100.214.248/32 -j ACCEPT
-A ADMIN-LEVEL -j DROP
-A TRUNK-LEVEL -s 1.1.1.1/32 -j ACCEPT
-A TRUNK-LEVEL -s 2.2.2.2/32 -j ACCEPT
-A TRUNK-LEVEL -j USER-LEVEL
-A USER-LEVEL -s 10.100.212.0/23 -j ACCEPT
-A USER-LEVEL -j ADMIN-LEVEL
COMMIT

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables causing voice issues

Post by TrevorH » 2018/04/17 11:06:17

Your rules look odd.
-A INPUT -p udp -m udp --dport 5060 -j USER-LEVEL
This one jumps to the USER-LEVEL chain if the packet is on UDP 5060. USER-LEVEL then allows it if it's from a particular subnet and jumps to ADMIN-LEVEL which allows it if it's from one particular ip address and if it is not then it DROPs the packet. Processing for all packets on udp 5060 will then stop. Packets on tcp port 5060 follow a similar path but are also allowed if they are from 1.1.1.1 or 2.2.2.2.

SIP signaling is almost always done on UDP port 5060 not its TCP equivalent.

You have a duplicate rule for udp ports 10k-60k, the first one jumps to USER-LEVEL and the second jumps to TRUNK-LEVEL. Only the first one will be used. Same thing applies to the udp port 5060 packets. This is probably the source of your current problem - the rule that matches is the first one that jumps to USER-LEVEL and thus bypasses the rules that allow 1.1.1.1 and 2.2.2.2. The subsequent rule is never reached as it either allows the packet or drops it.

Please note that CentOS 6.7 is way out of date and is nearly 2.5 years behind current. The current version is 6.9 and should be the one in use.

A similar concern applies to asterisk 1.8 which has been EOL for about 2 years now.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

mzahid1982
Posts: 3
Joined: 2018/04/17 09:11:35

Re: iptables causing voice issues

Post by mzahid1982 » 2018/04/17 12:57:18

Thank you for your detailed response.
I am not very good with iptables, so please help me understand how I can allow a particular port or set of ports to multiple chains.
For example, I need to allow UDP 5060 for the Trunk, Admin & User groups.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables causing voice issues

Post by TrevorH » 2018/04/17 13:45:04

See, you have rules like this (I'm extracting just one port to demonstrate, but you'll need to do all the duplicates you have).

-A INPUT -p udp -m udp --dport 5060 -j USER-LEVEL
-A INPUT -p udp -m udp --dport 5060 -j TRUNK-LEVEL

Same rule, two different targets. The packet will match on the first rule that goes to USER-LEVEL and if it's from e.g. 1.1.1.1 then it will not match any of the rules in USER-LEVEL or in ADMIN-LEVEL that check the source ip address so it will take the final rule in ADMIN-LEVEL and drop the packet. Once you DROP or ACCEPT a packet, that's it, no more processing is done on it. That means your 2nd rule that jumps to TRUNK-LEVEL will never be reached so it never makes the checks for 1.1.1.1 or 2.2.2.2.

I suspect that you just want to delete the duplicate rules that you have that jump to USER-LEVEL and to TRUNK-LEVEL so that only the one to TRUNK-LEVEL remains.

mzahid1982
Posts: 3
Joined: 2018/04/17 09:11:35

Re: iptables causing voice issues

Post by mzahid1982 » 2018/04/17 16:36:25

Thanks again.
For example, if I want to allow UDP 5060 to User+Admin+Trunk, TCP 80 to User+Admin and TCP 22 only for Admin, is this how my iptables will look?

-A INPUT -p tcp -m tcp --dport 80 -j USER-LEVEL
-A INPUT -p tcp -m tcp --dport 22 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 5060 -j TRUNK-LEVEL
-A ADMIN-LEVEL -s 10.100.214.248/32 -j ACCEPT
-A ADMIN-LEVEL -j DROP
-A TRUNK-LEVEL -s 1.1.1.1/32 -j ACCEPT
-A TRUNK-LEVEL -s 2.2.2.2/32 -j ACCEPT
-A TRUNK-LEVEL -j USER-LEVEL
-A USER-LEVEL -s 10.100.212.0/23 -j ACCEPT
-A USER-LEVEL -j ADMIN-LEVEL
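
The chain walk TrevorH describes (first matching INPUT rule jumps into USER-LEVEL, which ends in ADMIN-LEVEL's DROP, so the later TRUNK-LEVEL jump is never reached) can be checked without touching a live box. The following is an added example written for this page, not code from the thread or from iptables: a small Python simulator of the iptables-save subset used in the thread, run against the rules from the first post, against TrevorH's fix (the two UDP jumps to USER-LEVEL deleted), and against the ruleset typed in the last post. The packets are constructed, not captured. The first post does not show its `:INPUT` policy line, so `DROP` is assumed; the ICMP and OUTPUT rules are omitted because they never match the packets of interest. Note what the simulator reports for the last post's rules as typed: the 5060 rule there says `-p tcp`, so a UDP 5060 packet from 1.1.1.1 matches nothing and falls through to the chain policy.

```python
# Added example, not from the thread: a tiny simulator of iptables chain
# traversal that reproduces why the posted rules drop carrier RTP while
# SIP on TCP 5060 gets through, and what deleting the duplicate jumps does.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:                 # constructed test packets, not captured traffic
    src: str
    proto: str                # "tcp" or "udp"
    dport: int
    iface: str = "eth0"
    state: str = "NEW"        # conntrack state; a fresh RTP flow is NEW

def parse(text):
    """Parse the iptables-save subset in the thread: ':CHAIN POLICY' lines and
    '-A CHAIN [-i IF] [-s CIDR] [-p PROTO] [-m mod] [--dport N[:M]] [--state S] -j TARGET'."""
    policy, chains = {}, {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line[0] == ":":
            name, pol = line[1:].split()[:2]
            policy[name], chains[name] = pol, []
        elif line[0] == "-":
            toks = line.split()
            match = {toks[i]: toks[i + 1] for i in range(2, len(toks), 2) if toks[i] != "-m"}
            chains.setdefault(toks[1], []).append((match, match.pop("-j")))
    return policy, chains

MATCHERS = {
    "-i": lambda v, p: p.iface == v,
    "-p": lambda v, p: p.proto == v,
    "-s": lambda v, p: ipaddress.ip_address(p.src) in ipaddress.ip_network(v, strict=False),
    "--dport": lambda v, p: int(v.split(":")[0]) <= p.dport <= int(v.split(":")[-1]),
    "--state": lambda v, p: p.state in v.split(","),
}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def _walk(chains, pkt, chain, trace):
    """Return a terminal verdict, or None when the chain ends (or RETURNs)."""
    for idx, (match, target) in enumerate(chains[chain]):
        if not all(MATCHERS[k](v, pkt) for k, v in match.items()):
            continue
        trace.append(f"{chain}[{idx}] -> {target}")
        if target in TERMINAL:
            return target                 # ACCEPT/DROP ends all processing
        if target == "RETURN":
            return None
        sub = _walk(chains, pkt, target, trace)   # jump into a user chain
        if sub is not None:
            return sub
        # the user chain fell off its end: carry on with the next rule here
    return None

def verdict(ruleset, pkt, chain="INPUT"):
    """(verdict, trace): the chain policy applies only if nothing terminal hit."""
    policy, chains = parse(ruleset)
    trace = []
    return _walk(chains, pkt, chain, trace) or policy[chain], trace

# ':INPUT DROP' is an assumption; the first post does not show that line.
HEADER = ":INPUT DROP [0:0]\n:ADMIN-LEVEL - [0:0]\n:TRUNK-LEVEL - [0:0]\n:USER-LEVEL - [0:0]\n"
USER_CHAINS = """\
-A ADMIN-LEVEL -s 10.100.214.248/32 -j ACCEPT
-A ADMIN-LEVEL -j DROP
-A TRUNK-LEVEL -s 1.1.1.1/32 -j ACCEPT
-A TRUNK-LEVEL -s 2.2.2.2/32 -j ACCEPT
-A TRUNK-LEVEL -j USER-LEVEL
-A USER-LEVEL -s 10.100.212.0/23 -j ACCEPT
-A USER-LEVEL -j ADMIN-LEVEL
"""
ORIGINAL = HEADER + """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j USER-LEVEL
-A INPUT -p udp -m udp --dport 5060 -j USER-LEVEL
-A INPUT -p udp -m udp --dport 10000:60000 -j USER-LEVEL
-A INPUT -p tcp -m tcp --dport 22 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 3306 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 80 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 443 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 5060 -j TRUNK-LEVEL
-A INPUT -p udp -m udp --dport 5060 -j TRUNK-LEVEL
-A INPUT -p udp -m udp --dport 10000:60000 -j TRUNK-LEVEL
""" + USER_CHAINS
# TrevorH's fix: drop the two UDP jumps to USER-LEVEL that shadow the
# TRUNK-LEVEL jumps (TRUNK-LEVEL already falls through to USER-LEVEL).
FIXED = "\n".join(l for l in ORIGINAL.splitlines()
                  if not (l.startswith("-A INPUT -p udp") and l.endswith("USER-LEVEL")))
# The INPUT rules typed in the last post, verbatim, with the same assumed policy.
PROPOSED = HEADER + """\
-A INPUT -p tcp -m tcp --dport 80 -j USER-LEVEL
-A INPUT -p tcp -m tcp --dport 22 -j ADMIN-LEVEL
-A INPUT -p tcp -m tcp --dport 5060 -j TRUNK-LEVEL
""" + USER_CHAINS

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("fixed", FIXED), ("proposed", PROPOSED)):
        print(name, "RTP 1.1.1.1->udp/25420:", verdict(rs, Packet("1.1.1.1", "udp", 25420)))
```

The trace shows exactly the path TrevorH describes for the original rules (`INPUT[4] -> USER-LEVEL`, `USER-LEVEL[1] -> ADMIN-LEVEL`, `ADMIN-LEVEL[1] -> DROP`); with the two shadowing rules removed the same packet reaches `TRUNK-LEVEL[0] -> ACCEPT`, and an internal 10.100.212.0/23 host is still accepted via TRUNK-LEVEL's fall-through into USER-LEVEL, so nothing is lost by deleting the duplicates.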
