Subject: Info about SIP conntrack module...
From: Marco Gaiarin
Date: 2021-08-31 13:39 UTC
To: lartc


My VoIP provider recently split their server pool from one server to
a pool of servers.

My iptables rules (particularly: conntracking ones) stopped working; my
rules were:

	root@vfwacpn1:~# iptables -vnL -t raw
	Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
	 pkts bytes target     prot opt in     out     source               destination         
	  118 81333 CT         udp  --  ens18  *       10.172.0.0/21        0.0.0.0/0            match-set sip.messagenet.it_a dst multiport dports 5060,5061 CT helper sip
	  [...]

where 'sip.messagenet.it_a' is a set (ipset) with the IP of sip.messagenet.it
inside.


In this way, a typical SIP session was:

 root@vfwacpn1:/etc/network# tshark -ni ens18 -f 'host 10.172.1.7'
 Running as user "root" and group "root". This could be dangerous.
 Capturing on 'ens18'
    1 0.000000000 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
    2 5.175179711 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 Who has 10.172.1.7? Tell 10.172.1.254
    3 5.175692973 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 10.172.1.7 is at 9a:67:e6:c4:1f:ee
    4 11.790186903   10.172.1.7 → 212.97.59.76 SIP 604 Request: OPTIONS sip:sip.messagenet.it | 
    5 11.809489686 212.97.59.76 → 10.172.1.7   SIP 666 Status: 200 OK | 
    6 15.786333503 212.97.59.76 → 10.172.1.7   SIP/SDP 1326 Request: INVITE sip:202@10.172.1.7:5061 | 
    7 15.789126709   10.172.1.7 → 212.97.59.76 SIP 812 Status: 100 Trying | 
    8 15.944411484   10.172.1.7 → 212.97.59.76 SIP 828 Status: 180 Ringing | 
    9 16.910168496 9a:67:e6:c4:1f:ee → 92:68:28:81:1e:9e ARP 42 Who has 10.172.1.254? Tell 10.172.1.7
   10 16.910202553 92:68:28:81:1e:9e → 9a:67:e6:c4:1f:ee ARP 42 10.172.1.254 is at 92:68:28:81:1e:9e
   11 25.103626405 212.97.59.76 → 10.172.1.7   UDP 46 5061 → 5061 Len=4
   12 41.793771381   10.172.1.7 → 212.97.59.76 SIP 764 Request: REGISTER sip:sip.messagenet.it:5061  (1 binding) | 
   13 41.813853175 212.97.59.76 → 10.172.1.7   SIP 732 Status: 200 OK  (1 binding) | 
   14 45.926054588   10.172.1.7 → 212.97.59.76 SIP/SDP 1235 Status: 200 OK | 
   15 45.953153763 212.97.59.76 → 10.172.1.7   SIP 652 Request: ACK sip:202@10.172.1.7:5061 | 
   16 46.428107261   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27010, Time=160, Mark
   17 46.428260850 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   18 46.448437789   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27011, Time=320
   19 46.448571326 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   20 46.468450353   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27012, Time=480
   21 46.468561938 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   22 46.488464348   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27013, Time=640
   23 46.488576021 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   24 46.508439908   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27014, Time=800
   25 46.508545271 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
   26 46.528491436   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E, Seq=27015, Time=960
   27 46.528580081 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)


Note the SIP traffic to 212.97.59.76 AKA sip.messagenet.it, and the RTP
traffic to 193.227.104.40.


I've looked at conntrack helper sip options:

	root@vfwacpn1:~# modinfo nf_conntrack_sip
	filename:       /lib/modules/4.19.0-17-amd64/kernel/net/netfilter/nf_conntrack_sip.ko
	alias:          nfct-helper-sip
	alias:          ip_conntrack_sip
	description:    SIP connection tracking helper
	author:         Christian Hentschel <chentschel@arnet.com.ar>
	[...]
	parm:           ports:port numbers of SIP servers (array of ushort)
	parm:           sip_timeout:timeout for the master SIP session (uint)
	parm:           sip_direct_signalling:expect incoming calls from registrar only (default 1) (int)
	parm:           sip_direct_media:Expect Media streams between signalling endpoints only (default 1) (int)

and it seems that 'sip_direct_signalling' and 'sip_direct_media', if
relaxed (put to 0), could be a solution.


But I've found some documentation on the SIP conntrack module, but found
nothing.


Does someone here have some feedback? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
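
Added example, not part of the original message: a small Python check over tshark summary lines that lists RTP peers which never appear as SIP signalling peers, the case that the `sip_direct_media` description in the modinfo output ("between signalling endpoints only") excludes. The sample lines are trimmed from the capture above; the function name and the `local` argument are assumptions of this example.

```python
import re

# Sample input: four lines trimmed from the capture quoted in the message.
CAPTURE = """\
    6 15.786333503 212.97.59.76 → 10.172.1.7   SIP/SDP 1326 Request: INVITE sip:202@10.172.1.7:5061 |
   14 45.926054588   10.172.1.7 → 212.97.59.76 SIP/SDP 1235 Status: 200 OK |
   16 46.428107261   10.172.1.7 → 193.227.104.40 RTP 74 PT=ITU-T G.729, SSRC=0x221261E
   17 46.428260850 10.172.1.254 → 10.172.1.7   ICMP 102 Destination unreachable (Communication administratively filtered)
"""

# frame number, timestamp, source, destination, protocol, length, info
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+\d+\s*(.*)$")


def media_vs_signalling(capture, local):
    """Compare the remote peers of SIP signalling and of RTP media for `local`.

    Returns the signalling peers, the media peers, the media peers that are
    not signalling peers, and the number of ICMP "administratively filtered"
    replies seen in the capture.
    """
    signalling, media, filtered = set(), set(), 0
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a tshark summary line
        src, dst, proto, info = m.groups()
        remote = dst if src == local else src
        if proto.startswith("SIP"):  # matches both SIP and SIP/SDP
            signalling.add(remote)
        elif proto == "RTP":
            media.add(remote)
        elif proto == "ICMP" and "administratively filtered" in info:
            filtered += 1
    return {
        "signalling": signalling,
        "media": media,
        "indirect_media": media - signalling,
        "filtered": filtered,
    }


if __name__ == "__main__":
    print(media_vs_signalling(CAPTURE, "10.172.1.7"))
```

A non-empty `indirect_media` set together with filtered replies means the media peer differs from the signalling peer; setting `sip_direct_media` to 0 lets addresses named in SDP drive the helper's expectations, so the raw-table match should stay limited to the provider's set.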
