[Spce-user] Possible Bug? - NGCP Firewall in mr6.5.3

Richard Fuchs rfuchs at sipwise.com
Tue Apr 2 09:23:55 EDT 2019


On 02/04/2019 09.18, Hohl Matthias wrote:
>
> Hello,
>
> I configured the new NGCP Firewall in my config.yml file and applied it 
> with ngcpcfg apply, and my iptables looks like this:
>
> root@spce:~# iptables -L -n -v
> Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)
> pkts bytes target     prot opt in     out     source destination
> 3139  517K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0 0.0.0.0/0
> 3142  518K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0 0.0.0.0/0
> 3174  522K rtpengine  all  --  *      *       0.0.0.0/0 0.0.0.0/0
>
> Now I apply the iptables filter with iptables-apply. Now it looks like 
> this:
>
> root@spce:~# iptables -L -n -v
> Chain INPUT (policy DROP 1 packets, 40 bytes)
> pkts bytes target     prot opt in     out     source destination
>    45 10017 f2b-KAMAILIO  all  --  *      *       0.0.0.0/0    0.0.0.0/0
>    49 10197 f2b-KAMAILIO  all  --  *      *       0.0.0.0/0 0.0.0.0/0
>    58 31203 rtpengine  udp  --  *      *       0.0.0.0/0 0.0.0.0/0
>    53 26575 ACCEPT     all  --  lo     *       0.0.0.0/0 0.0.0.0/0
>    45  9670 ACCEPT     all  --  *      *       0.0.0.0/0 0.0.0.0/0            state RELATED,ESTABLISHED
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0            icmptype 8
>     0     0 ACCEPT     icmp --  *      *       0.0.0.0/0 0.0.0.0/0            icmptype 0
>     3   841 cluster    all  --  *      *       0.0.0.0/0 0.0.0.0/0
>     1   761 ACCEPT     udp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            udp dpt:5060 /* sip_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:5060 /* sip_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:5061 /* sip_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:5222 /* sip_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:5269 /* sip_ext */
>     0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            udp dpts:30000:44999 /* rtp_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:443 /* web_ext */
>     0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0 0.0.0.0/0            tcp dpt:1443 /* web_int */
>     0     0 ACCEPT     tcp  --  eth0   *       92.42.136.52 0.0.0.0/0            tcp dpt:22 /* ssh_ext */
>     2    80 LOG       all  --  *      *       0.0.0.0/0 0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "
>
> So far so good BUT if I reboot the machine now, the iptables policies 
> are removed and it looks like before I did the “iptables-apply” command.
>
> So I have to “iptables-apply” again, to have my iptables rules installed.
>
> The iptables settings are not reboot resistant.
>
> I read the handbook carefully several times, but can’t find a solution 
> for this behavior. Is this a bug?
>
This was just recently fixed. Are your packages all up to date? 
Templates should be at least 6.5.3.19 and rtpengine should be at least 
6.5.3.4.

Cheers
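
Added example, not part of the original thread and not Sipwise code: a post-reboot check for the symptom reported above. It reads an `iptables -L -n -v` listing and succeeds only when the INPUT chain has policy DROP, at least one ACCEPT rule and the NGCPFW[DROP] log rule. The function names are hypothetical and the two sample listings are constructed, abbreviated from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: decide from an `iptables -L -n -v` listing whether the
# INPUT chain is in the enforced state shown in the thread.

# Constructed sample, abbreviated from the listing seen after a reboot.
SAMPLE_AFTER_REBOOT='Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3139  517K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3174  522K rtpengine  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample, abbreviated from the listing seen after iptables-apply.
SAMPLE_APPLIED='Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
   45 10017 f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   53 26575 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   761 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* sip_ext */
    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "'

# Print "<policy> <ACCEPT rule count> <1 if the NGCPFW[DROP] LOG rule exists>".
# Only rows belonging to the INPUT chain are counted; other chains are skipped.
input_chain_summary() {
    awk '
        /^Chain INPUT / { in_chain = 1; policy = $4; sub(/\)$/, "", policy); next }
        /^Chain /       { in_chain = 0 }
        in_chain && $3 == "ACCEPT" { accepts++ }
        in_chain && $3 == "LOG" && /NGCPFW\[DROP\]/ { log_rule = 1 }
        END { printf "%s %d %d\n", (policy == "" ? "UNKNOWN" : policy), accepts, log_rule }
    '
}

# Succeed only if the default policy is DROP, allow rules are loaded and the
# NGCPFW log rule is present; a bare policy ACCEPT chain fails the check.
firewall_enforced() {
    set -- $(input_chain_summary)
    [ "$1" = "DROP" ] && [ "$2" -gt 0 ] && [ "$3" -eq 1 ]
}

# Stand-alone run over the constructed samples. On a live host the input
# would instead come from: iptables -L -n -v | firewall_enforced
for sample in "$SAMPLE_AFTER_REBOOT" "$SAMPLE_APPLIED"; do
    if printf '%s\n' "$sample" | firewall_enforced; then
        echo "INPUT chain: enforced"
    else
        echo "INPUT chain: NOT enforced (rules missing or policy not DROP)"
    fi
done
```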
