[Spce-user] [EXTERNAL] Physical interface VS virtual interface on iptables rules

Dario Busso dbusso at sipwise.com
Thu Sep 19 02:14:50 EDT 2024


That's by design: as you can see, you have correctly set up the type
"sip_ext" to net0:0 (virtual interface), and the NGCP framework uses that
one in the FW rules to protect the external access, allowing only the ports
connected to the services.
We will check and see if there is a bug in the created FW rules and provide
a fix.
Thank you for your report.
Dario

On Thu, Sep 19, 2024 at 12:53 AM Javier Valencia <javier.valencia at voiper.es>
wrote:

> Hi Darío.
>
> It is one of several rules, I simply wanted to give an example.
>
> As you can see, these are all the affected rules in iptables:
>
>  6487 3175K ACCEPT     udp  --  neth0:0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* sip_ext */
>   185  8576 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5060 /* sip_ext */
>   136  7028 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5061 /* sip_ext */
>    61  2996 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5222 /* sip_ext */
>    30  1420 ACCEPT     tcp  --  neth0:0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5269 /* sip_ext */
>
> When the interface specified by the iptables rules is *neth0:0* there is
> no traffic of any kind, however, if it is *neth0* there is no
> problem. This is because *sip_ext* is on neth0:0 (virtual), but iptables
> needs the physical network interface.
>
> The other iptables rules aren't affected.
>
> Regards,
> JV
>
>
> On Wed, 18 Sep 2024 at 9:57, Dario Busso (<dbusso at sipwise.com>)
> wrote:
>
>> The rule you shared is for TCP on the interface's port 5060. I don't know
>> if you meant enabling it or the UDP protocol.
>> It depends on which interface you have assigned the type "sip_ext" in the
>> network.yml file; based on that, the scripts work accordingly to create the
>> appropriate firewall rules.
>> Dario
>>
>> On Wed, Sep 18, 2024 at 8:30 AM Javier Valencia <
>> javier.valencia at voiper.es> wrote:
>>
>>> Hi there!
>>>
>>> My NGCP CE mr9.5.7 (on bullseye (11.10) 5.10.0-30-amd64 SMP) box isn't
>>> responding on sip_ext, because it's generating "/etc/iptables/rules.v4"
>>> with the virtual ethernet interface instead of the physical ethernet interface.
>>>
>>> For example:
>>> -A INPUT -i *neth0:0* -p tcp --dport 5060 -j ACCEPT -m comment
>>> --comment "sip_ext"
>>>
>>> It must be:
>>> -A INPUT -i *neth0* -p tcp --dport 5060 -j ACCEPT -m comment --comment
>>> "sip_ext"
>>>
>>> When I delete the first line and insert the second line into iptables (with
>>> CLI commands), the server starts to respond.
>>>
>>> Is there an *iface* alternative variable to make a custom template?
>>> [%
>>>    FOREACH iface IN hosts.$hostname.interfaces;
>>>      FOREACH net IN hosts.$hostname.$iface.type;
>>>        # handle certain aliases
>>>        IF net != 'rtp_int' && net.match('^rtp_');
>>>          net_alias = 'rtp_ext';
>>>        ELSIF net.match('^sip_ext_');
>>>          net_alias = 'sip_ext';
>>>        ELSE;
>>>          net_alias = net;
>>>        END;
>>>
>>>        IF rules.$net_alias && rules.$net_alias.size && iface != 'lo' &&
>>> hosts.$hostname.$iface.ip;
>>>          FOREACH rule IN rules.$net_alias;
>>> -%]
>>> -A INPUT -i [% *iface* %] [% rule %] -m comment --comment "[% net %]"
>>> [%
>>>          END;
>>>        END;
>>>      END;
>>>    END;
>>> -%]
>>>
>>> thx
>>>
>>> P.S.: I'm so sorry about my English
>>>
>>> --
>>> Spce-user mailing list
>>> Spce-user at lists.sipwise.com
>>> http://lists.sipwise.com/mailman/listinfo/spce-user_lists.sipwise.com
>>>
>>
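A defender-side check for the situation described in this thread, added here as an example and not code from NGCP, Sipwise or the posters: it scans a rules.v4-style ruleset for `-i`/`-o` arguments that name an address alias such as `neth0:0` (a label on a secondary address, not a device the kernel knows under that name, so the rule matches nothing and the service is silently unreachable) and either reports them or rewrites them to the physical interface. The sample ruleset and the function names are constructed for the example.

```python
import re

# Constructed sample in the style of the rules.v4 lines quoted in the thread.
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i neth0:0 -p udp --dport 5060 -j ACCEPT -m comment --comment "sip_ext"
-A INPUT -i neth0:0 -p tcp --dport 5061 -j ACCEPT -m comment --comment "sip_ext"
-A INPUT -i neth1 -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh_ext"
COMMIT
"""

# Interface argument of -i / --in-interface / -o / --out-interface (preceded by whitespace
# or line start, so "--dport" and "--comment" are never mistaken for "-o" / "-c").
IFACE_OPT = re.compile(
    r"(?<!\S)(?P<opt>-(?:i|o)|--in-interface|--out-interface)\s+(?P<iface>\S+)"
)


def physical_iface(name: str) -> str:
    """'neth0:0' -> 'neth0': netfilter matches on the real device name; the part
    after ':' only labels a secondary address configured on that device."""
    return name.split(":", 1)[0]


def find_alias_rules(text: str) -> list:
    """Return (line_no, alias, physical) for every rule that filters on an alias name."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in IFACE_OPT.finditer(line):
            if ":" in m.group("iface"):
                hits.append((n, m.group("iface"), physical_iface(m.group("iface"))))
    return hits


def rewrite_rules(text: str) -> str:
    """Rewrite alias interface names to the underlying device; other lines are untouched."""
    def fix(m):
        return f"{m.group('opt')} {physical_iface(m.group('iface'))}"
    return "\n".join(IFACE_OPT.sub(fix, line) for line in text.splitlines()) + "\n"


if __name__ == "__main__":
    for n, alias, phys in find_alias_rules(SAMPLE_RULES_V4):
        print(f"line {n}: interface {alias!r} never matches traffic; use {phys!r}")
```

Running the report against a live box's /etc/iptables/rules.v4 before `iptables-restore` catches the generated alias rules without touching the template.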