<div dir="ltr"><div>That's by design: as you can see, you have correctly set up the type "sip_ext" to net0:0 (virtual interface), and the NGCP framework uses that one in the FW rules to protect the external access, allowing only the ports connected to the services.</div><div>We will check and see if there is a bug in the created FW rules and provide a fix.</div><div>Thank you for your report.</div><div>Dario<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 19, 2024 at 12:53 AM Javier Valencia <<a href="mailto:javier.valencia@voiper.es">javier.valencia@voiper.es</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">Hi Darío.</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">It is one of several rules, I simply wanted to give an example.<br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">As you can see, these are all the affected rules in iptables:<br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="color:rgb(102,102,102)"><font face="monospace"> 6487 3175K ACCEPT udp -- neth0:0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:5060 /* sip_ext */<br> 185 8576 ACCEPT tcp -- neth0:0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:5060 /* sip_ext */<br> 136 7028 ACCEPT tcp -- neth0:0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:5061 /* sip_ext */<br> 61 2996 ACCEPT tcp -- neth0:0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:5222 /* sip_ext */<br> 30 1420 ACCEPT tcp -- neth0:0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:5269 /* sip_ext */<br></font></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">When the interface specified by the iptables rules is <b>neth0:0</b> there is no traffic of any kind, however, if it is <b>neth0</b> there is no problem. This is because <b>sip_ext</b> is on neth0:0 (virtual), but iptables needs the physical network interface.</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">The other iptables rules aren't affected.</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">Regards,</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">JV</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">El mié, 18 sept 2024 a las 9:57, Dario Busso (<<a href="mailto:dbusso@sipwise.com" target="_blank">dbusso@sipwise.com</a>>) escribió:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>The rule you shared is for TCP on the interface's port 5060. I don't know if you meant enabling it or the UDP protocol.</div><div>It depends on which interface you have assigned the type "sip_ext" in the network.yml file; based on that, the scripts work accordingly to create the appropriate firewall rules.</div><div>Dario<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 18, 2024 at 8:30 AM Javier Valencia <<a href="mailto:javier.valencia@voiper.es" target="_blank">javier.valencia@voiper.es</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">Hi there!</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">My NGCP CE mr9.5.7 (on bullseye (11.10) 5.10.0-30-amd64 SMP) box isn't responding on <font face="monospace">sip_ext</font>, because it's generating "<font face="monospace">/etc/iptables/rules.v4</font>" with virtual ethernet interface instead physical ethernet interface.</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">In example:</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><font face="monospace">-A INPUT -i <b>neth0:0</b> -p tcp --dport 5060 -j ACCEPT -m comment --comment "sip_ext"<br></font></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">Must be:</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><font face="monospace">-A INPUT -i <b>neth0</b> -p tcp --dport 5060 -j ACCEPT -m comment --comment "sip_ext"<br></font></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">When I delete the first line and insert into iptables (with cli commands) the second line, the server starts to respond.</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">There an <b>iface</b> alternative variable to make a custom template?</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><font face="monospace">[%<br> FOREACH iface IN hosts.$hostname.interfaces;<br> FOREACH net IN hosts.$hostname.$iface.type;<br> # handle certain aliases<br> IF net != 'rtp_int' && net.match('^rtp_');<br> net_alias = 'rtp_ext';<br> ELSIF net.match('^sip_ext_');<br> net_alias = 'sip_ext';<br> ELSE;<br> net_alias = net;<br> END;<br><br> IF rules.$net_alias && rules.$net_alias.size && iface != 'lo' && hosts.$hostname.$iface.ip;<br> FOREACH rule IN rules.$net_alias;<br>-%]<br>-A INPUT -i [% <b>iface</b> %] [% rule %] -m comment --comment "[% net %]"<br>[%<br> END;<br> END;<br> END;<br> END;<br>-%]<br></font></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">thx</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)">P.S: I'm so sorry about my english</div><div class="gmail_default" style="font-size:large;color:rgb(102,102,102)"><br></div><div><div dir="ltr" class="gmail_signature"></div></div></div>
-- <br>
Spce-user mailing list<br>
<a href="mailto:Spce-user@lists.sipwise.com" target="_blank">Spce-user@lists.sipwise.com</a><br>
<a href="http://lists.sipwise.com/mailman/listinfo/spce-user_lists.sipwise.com" rel="noreferrer" target="_blank">http://lists.sipwise.com/mailman/listinfo/spce-user_lists.sipwise.com</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>