[Spce-user] [EXTERNAL] Physical interface VS virtual interface on iptables rules

Javier Valencia javier.valencia at voiper.es
Wed Sep 18 18:53:12 EDT 2024 

Hi Darío.

It is one of several rules, I simply wanted to give an example.

As you can see, these are all the affected rules in iptables:

 6487 3175K ACCEPT     udp  --  neth0:0  *       0.0.0.0/0
0.0.0.0/0            udp dpt:5060 /* sip_ext */
  185  8576 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0
0.0.0.0/0            tcp dpt:5060 /* sip_ext */
  136  7028 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0
0.0.0.0/0            tcp dpt:5061 /* sip_ext */
   61  2996 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0
0.0.0.0/0            tcp dpt:5222 /* sip_ext */
   30  1420 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0
0.0.0.0/0            tcp dpt:5269 /* sip_ext */

When the interface specified by the iptables rules is *neth0:0* there is no
traffic of any kind, however, if it is *neth0* there is no problem. This is
because *sip_ext* is on neth0:0 (virtual), but iptables needs the physical
network interface.

The other iptables rules aren't affected.

Regards,
JV


El mié, 18 sept 2024 a las 9:57, Dario Busso (<dbusso at sipwise.com>)
escribió:

> The rule you shared is for TCP on the interface's port 5060. I don't know
> if you meant enabling it or the UDP protocol.
> It depends on which interface you have assigned the type "sip_ext" in the
> network.yml file; based on that, the scripts work accordingly to create the
> appropriate firewall rules.
> Dario
>
> On Wed, Sep 18, 2024 at 8:30 AM Javier Valencia <javier.valencia at voiper.es>
> wrote:
>
>> Hi there!
>>
>> My NGCP CE mr9.5.7 (on bullseye (11.10) 5.10.0-30-amd64 SMP) box isn't
>> responding on sip_ext, because it's generating "/etc/iptables/rules.v4"
>> with virtual ethernet interface instead physical ethernet interface.
>>
>> In example:
>> -A INPUT -i *neth0:0* -p tcp --dport 5060 -j ACCEPT -m comment --comment
>> "sip_ext"
>>
>> Must be:
>> -A INPUT -i *neth0* -p tcp --dport 5060 -j ACCEPT -m comment --comment
>> "sip_ext"
>>
>> When I delete the first line and insert into iptables (with cli commands)
>> the second line, the server starts to respond.
>>
>> There an *iface* alternative variable to make a custom template?
>> [%
>>    FOREACH iface IN hosts.$hostname.interfaces;
>>      FOREACH net IN hosts.$hostname.$iface.type;
>>        # handle certain aliases
>>        IF net != 'rtp_int' && net.match('^rtp_');
>>          net_alias = 'rtp_ext';
>>        ELSIF net.match('^sip_ext_');
>>          net_alias = 'sip_ext';
>>        ELSE;
>>          net_alias = net;
>>        END;
>>
>>        IF rules.$net_alias && rules.$net_alias.size && iface != 'lo' &&
>> hosts.$hostname.$iface.ip;
>>          FOREACH rule IN rules.$net_alias;
>> -%]
>> -A INPUT -i [% *iface* %] [% rule %] -m comment --comment "[% net %]"
>> [%
>>          END;
>>        END;
>>      END;
>>    END;
>> -%]
>>
>> thx
>>
>> P.S: I'm so sorry about my english
>>
>> --
>> Spce-user mailing list
>> Spce-user at lists.sipwise.com
>> http://lists.sipwise.com/mailman/listinfo/spce-user_lists.sipwise.com
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sipwise.com/pipermail/spce-user_lists.sipwise.com/attachments/20240919/eefb68a5/attachment.htm>

More information about the Spce-user mailing list