Any way to avoid ip_conntrack_sip?

I signed up for an OpenVZ VPS at ChicagoVPS. I chose them for their ready-to-go PIAF template, generally good reviews on this site and others, and low cost ($6/mo. for a server with 1GB memory and plenty of disk and bandwidth).
However, I'm having trouble with SIP packets being mangled by the kernel, presumably by the ip_conntrack_sip module. Under some circumstances, an incoming INVITE or a response to an outgoing INVITE will have the media IP address clobbered to be the same as the remote SIP server address, resulting in no outbound audio. (The VPS is on a dedicated static public IP and there is no NAT involved.) In most cases, I've been able to work around the problem by setting nat=comedia for the trunk, but some calls still fail.
ChicagoVPS won't disable the errant module. I don't really blame them; this is a shared server. For example, a customer using it to provide a US VPN, for use from a country that blocks VoIP, may actually need it.
Is there some way, with iptables or other networking settings to keep this from butchering SIP traffic? I already have Asterisk listening on a non-standard port, but most of the providers I'm using require me to connect to port 5060 on their end.
Or, is there a good alternate solution that would avoid this issue? Any experience with Xen (which would presumably allow removal of the module)?
Thanks.

As far as I know, changing the ports will not disable the SIP modules. They are meant to do stateful tracking, so netfilter inspects the content of the packets and is not fooled by port numbers.
I would recommend a KVM based VPS. You have complete control over the kernel and its modules, netfilter rules etc. I have asterisk running on one without any issues.
You may want to look at lowendtalk.com forum for reviews. I have a KVM based VPS from hostigation (128M) which is sufficient for my needs.
I suppose Xen based VMs would also suffice, but I don't have first hand experience with them.
cheers, -m

reply to Stewart

said by Stewart:
ChicagoVPS won't disable the errant module. I don't really blame them; this is a shared server. For example, a customer using it to provide a US VPN, for use from a country that blocks VoIP, may actually need it.

Actually, if you put asterisk on the VPS, even this use case would benefit from the removal of conntrack and nat modules. In fact, this is what I do, but from a security perspective.
So, it is very likely that ChicagoVPS would better serve all their clients by removing the SIP specific net filter modules.
-m

reply to Stewart

I have done some research on this and put together a configuration on an OpenVZ VPS. I have an account with ChicagoVPS; 2GB RAM (plus 2GB burst), 50GB HD and 2TB bandwidth.
I have installed the following (installation from source):
1) FreePBX 2.9.0.12
2) Asterisk 1.8.12.0
3) phpMyAdmin 3.5.1
4) Webmin 1.580
5) Fail2Ban 0.8.4
I have set the following port configuration:
1) Changed from default port 22 to xx (default 22 blocked)
2) Opened alternative udp ports for SIP (blocked 5060)
3) RTP ports set to 10,000-20,000
4) Blocked port 80 and opened alternative http port to xxxx
5) Webmin is running on port 9001
In FreePBX the following extra modules are installed:
1) Asternic CDR Reports 1.5
2) Wake Up Calls 1.3.0.0
This configuration should work just fine.
If you want we could ask ChicagoVPS to take a copy of this image and make it available on your account. I believe that should be doable. My account is on node Chicago VPS44.
My standard PIAF/FreePBX is running on a XEN VPS with LFCVPS (www.lfcvps.com), which is running perfectly fine. I have installed Asterisk 10.4.0 on this VPS (FreePBX 2.10.0.8). I have tried and there is no way I can get Asterisk 10.4.0 to run on the OpenVZ.
Let me know.

Many thanks for your reply. I'm very puzzled as to why your setup is working and mine not, as they are very similar.
said by pacpac:
1) Changed from default port 22 to xx (default 22 blocked)
2) Opened alternative udp ports for SIP (blocked 5060)
3) RTP ports set to 10,000-20,000
4) Blocked port 80 and opened alternative http port to xxxx
5) Webmin is running on port 9001

1) Of course.
2) Please explain. I changed bindport to a non-standard value and opened only that (all other UDP ports blocked except established/related, identd and NTP). How do you have multiple UDP ports for SIP? Why do you want/need more than one?
3) This was standard on the image I started from.
4) I have *all* incoming TCP blocked except the non-standard SSH port. SSH tunneling is used to access all admin functions.
5) This was also standard (though it's now blocked from the outside).
I know very little about Linux networking, but have seen credible posts stating that a tcpdump capture (which does show the trouble) occurs ahead of iptables and any user processing, so I'm assuming that (some) SIP packets are being butchered in the kernel before my server ever sees them.
Is it possible that your node is not running ip_conntrack_sip, or is running a less buggy version? I believe that we are on different nodes, but am not sure how to even tell. The penultimate hop on a traceroute to my server is chi-vps48.chicagovps.net; does that mean Chicago VPS48?
Are you using any providers that would be affected? For example, Callcentric and Anveo are not, because they proxy audio through the same IP used by the corresponding SIP dialog.
Do you have any settings that might be covering up (most of) the trouble? In particular, is 'nat' set to anything but 'no' for your trunks?
Finally, I don't know what causes the bug to bite. For example, on Voxbeam, calls to Bangkok landline are affected but calls to Bangkok mobile are not. Sure, these are going via different carriers, but the only difference that I see in the SIP is the media address.
I greatly appreciate the offer to make your image available, but I suspect that if I merely imported my Asterisk config files, there would be some subtle differences that would cause problems. And, re-entering everything into FreePBX (plus redoing the custom config file edits) would be a lot of work and itself error prone. And, there is a chance that it won't fix the original trouble. So, I'd like to first get a better understanding of what is happening.

reply to Stewart

The configuration/image I have up on ChicagoVPS now is a fresh install, i.e. no trunks, inbound routes etc. configured. I did the installation yesterday and it is the same as what I have had before, which has been working perfectly fine. If you want, I can give you access to SSH and admin access to the FreePBX admin. Then you can test and compare with your configuration. Send me a private message and I will send you the credentials.
I have opened 2 alternative ports for udp, for no particular reason. The lowest number port is Bind in FreePBX. Line 1 in PAP2T and the extension it is registered to is on the lowest port and Line 2 in PAP2T and the extension it is registered to is on the next port.
Since the VPS is not behind a filtered hardware firewall (ChicagoVPS has confirmed this) I have always set NAT to no or never in SIP settings.
I have followed the same installation procedure on both XEN and OpenVZ, except that on OpenVZ I have commented out TTY=9 in /usr/sbin/safe_asterisk and prevented update of udev by adding the following in /etc/rc.local:

    # remove the device nodes and recreate them at boot (as posted above)
    /bin/rm -rf /dev/null
    /bin/rm -rf /dev/random
    /bin/rm -rf /dev/tty*
    /bin/rm -rf /dev/pty*
    /bin/mknod -m 0666 /dev/null c 1 3
    /bin/mknod -m 0644 /dev/random c 1 8
    /sbin/MAKEDEV tty
    /sbin/MAKEDEV pty
I have installed on a CentOS 6.2 64-bit platform, removed all 32-bits packages and prevented installation of additional 32-bit packages. This is done before updating and installing dependencies, Asterisk, FreePBX, etc.
Alternatively, I can clean up the installation procedure I have for OpenVZ and send it to you. I have not made a .sh script so you will need to copy/paste each command (I am not a Linux expert...., so creating a proper .sh script is not something I can easily do). Lastly, I would be more than happy to install it for you, it does not take me more than an hour or so.
A couple of other comments. I have tried the PIAF image ChicagoVPS has available and it is not working properly when updating FreePBX from 2.8 to 2.9, it is using an outdated PIAF install procedure, is running on CentOS 5 and an older version of Asterisk (cannot remember which version). Also, when encountering errors like this it is very difficult to pinpoint and correct the problem on an existing installation, and doing a clean install is generally a far better option. At least for me, since I have no ambitions to become a Linux, Asterisk and/or FreePBX expert.
Let me know.

Thanks to pacpac, I tested on his server and observed the same issues. We discussed it and concluded that with his provider mix and the destinations he was calling, he did not hit the bug. I suppose that this is another argument for what Anveo and Callcentric do; with either, this trouble would not be possible, even in theory.
However, if I want to continue with the cheaper providers, my choices are: get Chicago VPS to remove the offending module, move to a different type of virtualization, or find a better hosting company.
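The symptom described in the thread (the SDP media address of an INVITE or its response rewritten to the address of the remote SIP server, so RTP goes to the wrong host) can be checked mechanically on the SIP payloads from a capture such as the tcpdump mentioned above. What follows is an added example written for this page, not code from the posts, Asterisk, FreePBX or PIAF: it parses a SIP message, lists the SDP media targets while honouring session-level and media-level c= lines, and flags media that is addressed to the signaling peer itself as well as a Content-Length that disagrees with the body. The sample INVITE, the RFC 5737 documentation addresses (192.0.2.10, 198.51.100.7, 203.0.113.5) and the function names are all constructed for the example.

```python
"""Audit SIP INVITEs for SDP media addresses that point back at the signaling peer.

Added example for this thread; not code from the original posts, Asterisk or PIAF.
The sample INVITE and all addresses (RFC 5737 documentation ranges) are constructed.
"""


def build_invite(signaling_ip, media_ip, media_port=49172):
    """Construct a minimal SIP INVITE whose SDP advertises media_ip:media_port.

    Constructed sample data, not a capture from any provider."""
    body = (
        "v=0\r\n"
        f"o=gw 2890844526 2890844526 IN IP4 {media_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {media_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {media_port} RTP/AVP 0 8 101\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    return (
        "INVITE sip:12125551212@192.0.2.10 SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {signaling_ip}:5060;branch=z9hG4bK776asdhds\r\n"
        f"From: <sip:gw@{signaling_ip}>;tag=1928301774\r\n"
        "To: <sip:12125551212@192.0.2.10>\r\n"
        f"Call-ID: a84b4c76e66710@{signaling_ip}\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:gw@{signaling_ip}:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        + body
    )


def parse_sip(raw):
    """Split a SIP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media_targets(body):
    """Return [(media, port, address)] for every m= line in the SDP.

    A c= line before the first m= is session level and applies to all media;
    a c= line after an m= overrides the address for that media stream only."""
    session_addr = None
    targets = []
    current = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line[len("c=IN IP4 "):].strip()
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif line.startswith("m="):
            fields = line[2:].split()
            current = {"media": fields[0], "port": int(fields[1]), "addr": session_addr}
            targets.append(current)
    return [(t["media"], t["port"], t["addr"]) for t in targets]


def audit_media(src_ip, raw):
    """Check one SIP message that arrived from src_ip and return its findings.

    Findings:
      * a media stream whose c= address is src_ip itself, i.e. RTP would be sent
        to the signaling host rather than to a separate media gateway (normal for
        providers that proxy media, suspicious for providers that normally do not);
      * a Content-Length that disagrees with the actual body, a sign that
        something rewrote the message on the way in without fixing the header.
    """
    start, headers, body = parse_sip(raw)
    findings = []
    if not body:
        return {"message": start, "media": [], "findings": ["no SDP body"]}
    declared = int(headers.get("content-length", "-1"))
    actual = len(body.encode())
    if declared != actual:
        findings.append(f"Content-Length {declared} != body length {actual}")
    media = sdp_media_targets(body)
    for kind, port, addr in media:
        if addr == src_ip:
            findings.append(f"{kind} media {addr}:{port} is the signaling peer itself")
    return {"message": start, "media": media, "findings": findings}


if __name__ == "__main__":
    peer = "203.0.113.5"
    for label, media_ip in (("direct media", "198.51.100.7"), ("clobbered", peer)):
        print(label, audit_media(peer, build_invite(peer, media_ip)))
```

A media address equal to the signaling peer is only a signal, not proof of mangling: as the thread notes, Callcentric and Anveo send media from the same IP as the SIP dialog, so for them the flag is expected. The useful comparison is the same INVITE for a provider that normally advertises a separate media gateway, where a c= line that suddenly matches the SIP server address is exactly the clobbering described above.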