<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 02/04/2019 09.18, Hohl Matthias
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1809914589.2726217.1554211091972.JavaMail.zimbra@mx.telematica.at">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:DE-AT"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I configured the new
NGCP Firewall in my config.yml file and applied it with
ngcpcfg apply, and my iptables looks like this:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US">root@spce:~# iptables
-L -n -v<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US">Chain INPUT (policy
ACCEPT 3139 packets, 517K bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> pkts bytes
target prot opt in out source
destination<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 3139 517K
f2b-KAMAILIO all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 3142 518K
f2b-KAMAILIO all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 3174 522K
rtpengine all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Now I apply the iptables
filter with iptables-apply. Now it looks like this:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US">root@spce:~# iptables
-L -n -v<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US">Chain INPUT (policy
DROP 1 packets, 40 bytes)<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> pkts bytes
target prot opt in out source
destination<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 45 10017
f2b-KAMAILIO all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 49 10197
f2b-KAMAILIO all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 58 31203
rtpengine udp -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 53 26575
ACCEPT all -- lo * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 45 9670
ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 8<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmptype 0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 3 841
cluster all -- * * 0.0.0.0/0
0.0.0.0/0<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 1 761
ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp dpt:5060 /* sip_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5060 /* sip_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5061 /* sip_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5222 /* sip_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:5269 /* sip_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT udp -- eth0 * 0.0.0.0/0
0.0.0.0/0 udp dpts:30000:44999 /* rtp_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:443 /* web_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:1443 /* web_int */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 0 0
ACCEPT tcp -- eth0 * 92.42.136.52
0.0.0.0/0 tcp dpt:22 /* ssh_ext */<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:9.0pt" lang="EN-US"> 2 80 LOG
all -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 5/min burst 10 LOG flags 0
level 7 prefix "NGCPFW[DROP]: "<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So far so good BUT if I
reboot the machine now, the iptables policies are removed
and it looks like before I did the “iptables-apply” command.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So I have to
“iptables-apply” again, to have my iptables rules installed.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The iptables settings
are not reboot resistant.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I read the handbook
carefully several times, but can’t find a solution for this
behavior. Is this a bug?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<p>This was just recently fixed. Are your packages all up to date?
Templates should be at least 6.5.3.19 and rtpengine should be at
least 6.5.3.4.</p>
<p>Cheers<br>
</p>
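<p>Added example, not part of the original thread and not Sipwise code: a shell check to run after a reboot that detects the state described above, where the INPUT chain is back at policy ACCEPT with no filter rules loaded. The function names and the two sample listings (constructed, abridged from the output quoted in the thread) are assumptions.</p>

```shell
#!/bin/sh
# Added example: verify after boot that the INPUT chain is really filtering.
# Input: text in the format of `iptables -L -n -v` on stdin.
check_input_chain() {
    awk '
        /^Chain INPUT/ {
            in_input = 1
            # Header: Chain INPUT (policy DROP 1 packets, 40 bytes)
            for (i = 1; i < NF; i++) if ($i == "(policy") policy = $(i + 1)
            sub(/\)$/, "", policy)      # header without -v ends in ")"
            next
        }
        /^Chain /                    { in_input = 0 }
        in_input && $3 == "ACCEPT"   { accepts++ }
        in_input && /NGCPFW\[DROP\]/ { logrule = 1 }
        END {
            bad = 0
            if (policy != "DROP") { print "FAIL INPUT policy is " policy; bad = 1 }
            if (accepts == 0)     { print "FAIL no ACCEPT rules in INPUT"; bad = 1 }
            if (!logrule)           print "WARN NGCPFW[DROP] log rule missing"
            if (!bad)               print "OK policy=DROP accept_rules=" accepts
            exit bad
        }'
}

# Constructed sample: chain state after reboot, rules not loaded.
sample_before() { cat <<'EOF'
Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)
 pkts bytes target     prot opt in     out     source        destination
 3139  517K f2b-KAMAILIO  all  --  *   *       0.0.0.0/0     0.0.0.0/0
 3174  522K rtpengine  all  --  *      *       0.0.0.0/0     0.0.0.0/0
EOF
}

# Constructed sample: chain state after iptables-apply (abridged).
sample_after() { cat <<'EOF'
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source        destination
   45 10017 f2b-KAMAILIO  all  --  *   *       0.0.0.0/0     0.0.0.0/0
   53 26575 ACCEPT     all  --  lo     *       0.0.0.0/0     0.0.0.0/0
    1   761 ACCEPT     udp  --  eth0   *       0.0.0.0/0     0.0.0.0/0  udp dpt:5060 /* sip_ext */
    2    80 LOG        all  --  *      *       0.0.0.0/0     0.0.0.0/0  limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "
EOF
}

for s in sample_before sample_after; do
    echo "== $s"; "$s" | check_input_chain || echo "-> firewall not loaded"
done
```

<p>On a live host the same function can be fed with <code>iptables -L INPUT -n -v | check_input_chain</code>; a non-zero exit status means the rules did not survive the reboot.</p>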
</body>
</html>