[OpenSER-Users] Firewall causes ERROR:tm:msg_send: udp_send failed

CSB kjcsb at xnet.co.nz
Thu Jul 24 10:22:37 CEST 2008


I have an error which is driving me crazy:
Jul 24 16:58:34 beta /sbin/openser[5446]: ERROR:core:udp_send:
sendto(sock,0x81aaed8,825,0,0xb61216f0,16): Operation not permitted(1)
Jul 24 16:58:34 beta /sbin/openser[5446]: ERROR:tm:msg_send: udp_send failed

This is firewall related because when I turn iptables off the problem goes
away. But although all ACCEPT and DENY messages are logged by the firewall,
there is no corresponding message logged. 

When a call is made between two UACs and the far end attempts to answer the
call, the call is not answered successfully. The dialogue is shown below.

If I turn the firewall off, start a call and then turn the firewall on the
call continues successfully. However the next call is not successful. We use
Mediaproxy and I suspect that is trying to do some communication that is
being blocked by the firewall but that is only a suspicion. The dialogue for
this call is shown at the bottom.

When comparing these two dialogues with the firewall turned on:
- when the callee answers, OpenSER receives a 200 OK but doesn't immediately
pass that on to the caller 
- after a number of 200 messages from the callee, OpenSER sends the 200 to
the caller but the Contact is the private IP address whereas when the
firewall is turned off it is the public IP address

I have also included the iptables config. Note that some lines are commented
out due to the testing I'm doing and IP addresses have been changed.

Any advice on the changes required would be appreciated.

Thanks


****************************
SIP dialogue with firewall on
U 58.28.001.001:5060 -> 147.202.001.001:5060INVITE
sip:44556644 at domain.com:5060;user=phone SIP/2.0..Via: SIP/2.0/UDP
192.168.1.102;branch=z9hG4bK31ee9ba27B17140D..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Supported:
100rel,replaces..Allow-Events: talk,hold,conference..Max-Forwards:
70..Content-Type: application/sdp..Content-Length: 251....v=0..o=-
1216790239 1216790239 IN IP4 192.168.1.102..s=Polycom IP Phone..c=IN IP4
192.168.1.102..t=0 0..m=audio 2222 RTP/AVP 0 8 18
101..a=sendrecv..a=rtpmap:0 PCMU/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:18
G729/8000..a=rtpmap:101 telephone-event/8000..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 100 Giving a try..Via:
SIP/2.0/UDP
192.168.1.102;branch=z9hG4bK31ee9ba27B17140D;rport=5060;received=58.28.001.0
01..From: "CSB" <sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Server: OpenSER (1.3.2-notls
(i386/linux))..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065INVITE
sip:44556644 at 192.168.1.124:5065 SIP/2.0..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Via:
SIP/2.0/UDP 147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..From: "CSB" <sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Supported:
100rel,replaces..Allow-Events: talk,hold,conference..Max-Forwards:
69..Content-Type: application/sdp..Content-Length: 253....v=0..o=-
1216790239 1216790239 IN IP4 192.168.1.102..s=Polycom IP Phone..c=IN IP4
147.202.001.001..t=0 0..m=audio 35982 RTP/AVP 0 8 18
101..a=sendrecv..a=rtpmap:0 PCMU/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:18
G729/8000..a=rtpmap:101 telephone-event/8000..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 100 Trying..To:
<sip:44556644 at domain.com;user=phone>..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 180 Ringing..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 180 Ringing..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5060 -> 147.202.001.001:5060ACK
sip:44556644 at 192.168.1.124:5065 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.102;branch=z9hG4bK4b4d0d4aF803AD55..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..CSeq: 1
ACK..Call-ID: 7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Max-Forwards:
70..Content-Length: 0....

U 147.202.001.001:5060 -> 192.168.1.124:5065ACK
sip:44556644 at 192.168.1.124:5065 SIP/2.0..Record-Route:
<sip:147.202.001.001;lr=on;ftag=566CA8D1-4C8E0458>..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK4b4d0d4aF803AD55..Via: SIP/2.0/UDP
192.168.1.102;received=58.28.001.001;branch=z9hG4bK4b4d0d4aF803AD55..From:
"CSB" <sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..CSeq: 1
ACK..Call-ID: 7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Max-Forwards:
69..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bK07da.73971d95.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..From: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bK31ee9ba27B1714
0D..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 298748 298748 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16424 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.124:5065;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
70..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..User-Agent:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Record-Route:
<sip:147.202.001.001;lr=on;ftag=e07209dc8d8de14fi5>..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKc0cc.a198b237.0..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
69..User-Agent: Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5060 -> 147.202.001.001:5060SIP/2.0 200 OK..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKc0cc.a198b237.0..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..CSeq: 101 BYE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=e07209dc8d8de14fi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065SIP/2.0 200 OK..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..CSeq: 101 BYE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=e07209dc8d8de14fi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.124:5065;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
70..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=566CA8D1-4C8E0458;lr=on>..User-Agent:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065SIP/2.0 200 OK..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-947b0ac7..From:
<sip:44556644 at domain.com;user=phone>;tag=e07209dc8d8de14fi5..To: "CSB"
<sip:44556648 at domain.com>;tag=566CA8D1-4C8E0458..CSeq: 101 BYE..Call-ID:
7f806604-ea80e337-e14b8216 at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=e07209dc8d8de14fi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....


**************************************
SIP dialogue with Firewall off

U 58.28.001.001:5060 -> 147.202.001.001:5060INVITE
sip:44556644 at domain.com:5060;user=phone SIP/2.0..Via: SIP/2.0/UDP
192.168.1.102;branch=z9hG4bKca52e47AD4AD366..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Supported:
100rel,replaces..Allow-Events: talk,hold,conference..Max-Forwards:
70..Content-Type: application/sdp..Content-Length: 251....v=0..o=-
1216790431 1216790431 IN IP4 192.168.1.102..s=Polycom IP Phone..c=IN IP4
192.168.1.102..t=0 0..m=audio 2224 RTP/AVP 0 8 18
101..a=sendrecv..a=rtpmap:0 PCMU/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:18
G729/8000..a=rtpmap:101 telephone-event/8000..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 100 Giving a try..Via:
SIP/2.0/UDP
192.168.1.102;branch=z9hG4bKca52e47AD4AD366;rport=5060;received=58.28.001.00
1..From: "CSB" <sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Server: OpenSER (1.3.2-notls
(i386/linux))..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065INVITE
sip:44556644 at 192.168.1.124:5065 SIP/2.0..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Via:
SIP/2.0/UDP 147.202.001.001;branch=z9hG4bKf294.1cda4646.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..From: "CSB" <sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..To:
<sip:44556644 at domain.com;user=phone>..CSeq: 1 INVITE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Supported:
100rel,replaces..Allow-Events: talk,hold,conference..Max-Forwards:
69..Content-Type: application/sdp..Content-Length: 253....v=0..o=-
1216790431 1216790431 IN IP4 192.168.1.102..s=Polycom IP Phone..c=IN IP4
147.202.001.001..t=0 0..m=audio 35984 RTP/AVP 0 8 18
101..a=sendrecv..a=rtpmap:0 PCMU/8000..a=rtpmap:8 PCMA/8000..a=rtpmap:18
G729/8000..a=rtpmap:101 telephone-event/8000..

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 100 Trying..To:
<sip:44556644 at domain.com;user=phone>..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKf294.1cda4646.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 180 Ringing..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKf294.1cda4646.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 180 Ringing..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKf294.1cda4646.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 317989 317989 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16426 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Contact:
<sip:44556644 at 58.28.001.001:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 209..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 317989 317989 IN IP4 192.168.1.124..s=-..c=IN
IP4 147.202.001.001..t=0 0..m=audio 35984 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5060 -> 147.202.001.001:5060ACK
sip:44556644 at 58.28.001.001:5065 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.102;branch=z9hG4bK9bb7064fBA56088E..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..CSeq: 1
ACK..Call-ID: 26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Max-Forwards:
70..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065ACK
sip:44556644 at 58.28.001.001:5065 SIP/2.0..Record-Route:
<sip:147.202.001.001;lr=on;ftag=3D7BF99A-F3B3ACE5>..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKf294.1cda4646.2..Via: SIP/2.0/UDP
192.168.1.102;received=58.28.001.001;branch=z9hG4bK9bb7064fBA56088E..From:
"CSB" <sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..CSeq: 1
ACK..Call-ID: 26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Allow: INVITE, ACK, BYE, CANCEL, OPTIONS,
INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Max-Forwards:
69..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKf294.1cda4646.0..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Contact:
<sip:44556644 at 192.168.1.124:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 208..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 317989 317989 IN IP4 192.168.1.124..s=-..c=IN
IP4 192.168.1.124..t=0 0..m=audio 16426 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 147.202.001.001:5060 -> 58.28.001.001:5060SIP/2.0 200 OK..To:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..From: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 1 INVITE..Via: SIP/2.0/UDP
192.168.1.102;rport=5060;received=58.28.001.001;branch=z9hG4bKca52e47AD4AD36
6..Record-Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..Contact:
<sip:44556644 at 58.28.001.001:5065>..Server:
Linksys/SPA962-5.1.18(SC)..Content-Length: 209..Allow: ACK, BYE, CANCEL,
INFO, INVITE, NOTIFY, OPTIONS, REFER..Supported: replaces..Content-Type:
application/sdp....v=0..o=- 317989 317989 IN IP4 192.168.1.124..s=-..c=IN
IP4 147.202.001.001..t=0 0..m=audio 35984 RTP/AVP 0 101..a=rtpmap:0
PCMU/8000..a=rtpmap:101 telephone-event/8000..a=fmtp:101
0-15..a=ptime:30..a=sendrecv..

U 58.28.001.001:5065 -> 147.202.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.124:5065;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
70..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..User-Agent:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Record-Route:
<sip:147.202.001.001;lr=on;ftag=9f9da889431cd5afi5>..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKac76.c88550f.0..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
69..User-Agent: Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 58.28.001.001:5060 -> 147.202.001.001:5060SIP/2.0 200 OK..Via: SIP/2.0/UDP
147.202.001.001;branch=z9hG4bKac76.c88550f.0..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..CSeq: 101 BYE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 192.168.1.102>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=9f9da889431cd5afi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065SIP/2.0 200 OK..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..CSeq: 101 BYE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=9f9da889431cd5afi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....

U 58.28.001.001:5065 -> 147.202.001.001:5060BYE
sip:44556648 at 58.28.001.001:5060 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.124:5065;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..CSeq: 101 BYE..Max-Forwards:
70..Route:
<sip:147.202.001.001:5060;nat=yes;ftag=3D7BF99A-F3B3ACE5;lr=on>..User-Agent:
Linksys/SPA962-5.1.18(SC)..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065SIP/2.0 200 OK..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-6829d146..From:
<sip:44556644 at domain.com;user=phone>;tag=9f9da889431cd5afi5..To: "CSB"
<sip:44556648 at domain.com>;tag=3D7BF99A-F3B3ACE5..CSeq: 101 BYE..Call-ID:
26e8c161-7e674928-90cba56b at 192.168.1.102..Contact:
<sip:44556648 at 58.28.001.001:5060>..Record-Route:
<sip:147.202.001.001;lr=on;ftag=9f9da889431cd5afi5>..User-Agent:
PolycomSoundPointIP-SPIP_320-UA/2.1.1.0037..Content-Length: 0....

**************************
iptables config

$IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Rule 0 (tun0,tun1,tun2)
#
echo "Rule 0 (tun0,tun1,tun2)"
#
#
#
$IPTABLES -N In_RULE_0
$IPTABLES -A INPUT  -i tun0  -m state --state NEW  -j In_RULE_0
$IPTABLES -A INPUT  -i tun1  -m state --state NEW  -j In_RULE_0
$IPTABLES -A INPUT  -i tun2  -m state --state NEW  -j In_RULE_0
$IPTABLES -A FORWARD  -i tun0  -m state --state NEW  -j In_RULE_0
$IPTABLES -A FORWARD  -i tun1  -m state --state NEW  -j In_RULE_0
$IPTABLES -A FORWARD  -i tun2  -m state --state NEW  -j In_RULE_0
$IPTABLES -A In_RULE_0  -j LOG  --log-level warning --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A In_RULE_0  -j ACCEPT
$IPTABLES -N Out_RULE_0
$IPTABLES -A OUTPUT  -o tun0  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A OUTPUT  -o tun1  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A OUTPUT  -o tun2  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A FORWARD  -o tun0  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A FORWARD  -o tun1  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A FORWARD  -o tun2  -m state --state NEW  -j Out_RULE_0
$IPTABLES -A Out_RULE_0  -j LOG  --log-level warning --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A Out_RULE_0  -j ACCEPT
$IPTABLES -A Out_RULE_0  -j ACCEPT
#
# Rule 1 (lo)
#
echo "Rule 1 (lo)"
#
#
#
$IPTABLES -N In_RULE_1
$IPTABLES -A INPUT  -i lo -p icmp  -m icmp  --icmp-type any  -m state --state NEW  -j In_RULE_1
$IPTABLES -A INPUT  -i lo -p tcp -m tcp  -m multiport  --dports 25060,8008,25,443,80,22,3306,5060  -m state --state NEW  -j In_RULE_1
#$IPTABLES -A INPUT  -i lo -p udp -m udp  -m multiport  --dports 5060,1813 -m state --state NEW  -j In_RULE_1
$IPTABLES -A INPUT  -i lo -p udp -m udp  -m multiport  --dports 1:55000  -m state --state NEW  -j In_RULE_1
$IPTABLES -A In_RULE_1  -j LOG  --log-level warning --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A In_RULE_1  -j ACCEPT
$IPTABLES -N Out_RULE_1
$IPTABLES -A OUTPUT  -o lo -p icmp  -m icmp  --icmp-type any  -m state --state NEW  -j Out_RULE_1
$IPTABLES -A OUTPUT  -o lo -p tcp -m tcp  -m multiport  --dports 25060,8008,25,443,80,22,3306,5060  -m state --state NEW  -j Out_RULE_1
#$IPTABLES -A OUTPUT  -o lo -p udp -m udp  -m multiport  --dports 5060,1813 -m state --state NEW  -j Out_RULE_1
$IPTABLES -A OUTPUT  -o lo -p udp -m udp  -m multiport  --dports 1:55000  -m state --state NEW  -j Out_RULE_1
$IPTABLES -A Out_RULE_1  -j LOG  --log-level warning --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A Out_RULE_1  -j ACCEPT
#
# Rule 2 (eth0)
#
echo "Rule 2 (eth0)"
#
#
#
$IPTABLES -N Out_RULE_2
$IPTABLES -A OUTPUT  -o eth0  -d 10.8.1.1  -m state --state NEW  -j Out_RULE_2
$IPTABLES -A FORWARD  -o eth0  -d 10.8.1.1  -m state --state NEW  -j Out_RULE_2
$IPTABLES -A Out_RULE_2  -j LOG  --log-level warning --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A Out_RULE_2  -j ACCEPT
#
# Rule 3 (eth0)
#
echo "Rule 3 (eth0)"
#
# ping test for nagios
#
$IPTABLES -N Cid485B0E561900.0
$IPTABLES -A INPUT  -i eth0  -d 147.202.001.001  -m state --state NEW  -j Cid485B0E561900.0
$IPTABLES -N Cid485B0E561900.1
$IPTABLES -A Cid485B0E561900.0 -p icmp  -m icmp  --icmp-type any  -j Cid485B0E561900.1
$IPTABLES -A Cid485B0E561900.0 -p tcp -m tcp  -m multiport  --dports 25,3306 -j Cid485B0E561900.1
$IPTABLES -N In_RULE_3
$IPTABLES -A Cid485B0E561900.1  -s 203.89.001.001  -j In_RULE_3
$IPTABLES -A Cid485B0E561900.1  -s 58.28.001.001  -j In_RULE_3
$IPTABLES -A Cid485B0E561900.1  -s 64.38.001.001  -j In_RULE_3
$IPTABLES -A In_RULE_3  -j LOG  --log-level warning --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A In_RULE_3  -j ACCEPT
#
echo "Rule 4 (eth0)"
#
# ping test for nagios
#
$IPTABLES -N Cid485B0E6A1900.0
$IPTABLES -A OUTPUT  -o eth0  -s 147.202.001.001  -m state --state NEW  -j Cid485B0E6A1900.0
$IPTABLES -N Cid485B0E6A1900.1
$IPTABLES -A Cid485B0E6A1900.0 -p icmp  -m icmp  --icmp-type any  -j Cid485B0E6A1900.1
$IPTABLES -A Cid485B0E6A1900.0 -p tcp -m tcp  -m multiport  --dports 25,3306 -j Cid485B0E6A1900.1
$IPTABLES -N Out_RULE_4
$IPTABLES -A Cid485B0E6A1900.1  -d 203.89.001.001  -j Out_RULE_4
$IPTABLES -A Cid485B0E6A1900.1  -d 58.28.001.001  -j Out_RULE_4
$IPTABLES -A Cid485B0E6A1900.1  -d 64.38.001.001  -j Out_RULE_4
$IPTABLES -A Out_RULE_4  -j LOG  --log-level warning --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A Out_RULE_4  -j ACCEPT
#
# Rule 5 (eth0)
#
echo "Rule 5 (eth0)"
#
#
#
$IPTABLES -N In_RULE_5
$IPTABLES -A INPUT  -i eth0 -p tcp -m tcp  -m multiport  -d 147.202.001.001 --dports 5060,22,443,80,53,25060,8008  -m state --state NEW  -j In_RULE_5
#$IPTABLES -A INPUT  -i eth0 -p udp -m udp  -d 147.202.001.001  --dport 10000:20000  -m state --state NEW  -j In_RULE_5
#$IPTABLES -A INPUT  -i eth0 -p udp -m udp  -d 147.202.001.001  --dport 35000:36000  -m state --state NEW  -j In_RULE_5
#$IPTABLES -A INPUT  -i eth0 -p udp -m udp  -m multiport  -d 147.202.001.001 --dports 1194,5065,5060,53,10000:20000,35000:36000  -m state --state NEW  -j In_RULE_5
$IPTABLES -A INPUT  -i eth0 -p udp -m udp  -m multiport --dports 1:55000  -m state --state NEW  -j In_RULE_5
$IPTABLES -A In_RULE_5  -j LOG  --log-level warning --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A In_RULE_5  -j ACCEPT
#
# Rule 6 (eth0)
#
echo "Rule 6 (eth0)"
#
#
#
$IPTABLES -N Out_RULE_6
$IPTABLES -A OUTPUT  -o eth0 -p tcp -m tcp  -m multiport  -s 147.202.001.001 --dports 22,53,80,443,5060,8008,25060,25  -m state --state NEW  -j Out_RULE_6
#$IPTABLES -A OUTPUT  -o eth0 -p udp -m udp  -s 147.202.001.001  --dport 10000:20000  -m state --state NEW  -j Out_RULE_6
#$IPTABLES -A OUTPUT  -o eth0 -p udp -m udp  -s 147.202.001.001  --dport 35000:36000  -m state --state NEW  -j Out_RULE_6
#$IPTABLES -A OUTPUT  -o eth0 -p udp -m udp  -m multiport  -s 147.202.001.001  --dports 53,1194,5060,5065,1813,123,10000:20000,35000:36000 -m state --state NEW  -j Out_RULE_6
$IPTABLES -A OUTPUT  -o eth0 -p udp -m udp  -m multiport  --dports 1:55000 -m state --state NEW  -j Out_RULE_6
$IPTABLES -A Out_RULE_6  -j LOG  --log-level warning --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -A Out_RULE_6  -j ACCEPT
#
# Rule 7 (global)
#
echo "Rule 7 (global)"
#
#
#
$IPTABLES -N RULE_7
$IPTABLES -A OUTPUT  -j RULE_7
$IPTABLES -A INPUT  -j RULE_7
$IPTABLES -A FORWARD  -j RULE_7
$IPTABLES -A RULE_7  -j LOG  --log-level warning --log-prefix "RULE 7 -- DENY "
$IPTABLES -A RULE_7  -j DROP
#
#
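
The post observes that the Contact header carries the private address in some messages and the public one in others. As an added example (not part of the original post), this Python sketch scans a flattened ngrep capture for Contact headers holding a private address on a message that arrived from a public source; the sample capture is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the flattened ngrep form shown in the post:
# ".." stands for CRLF and the list archive has turned "@" into " at ".
SAMPLE = """\
U 58.28.001.001:5060 -> 147.202.001.001:5060BYE
sip:44556644 at 58.28.001.001:5065 SIP/2.0..Via: SIP/2.0/UDP
192.168.1.102;branch=z9hG4bK-constructed1..CSeq: 101 BYE..Contact:
<sip:44556648 at 192.168.1.102>..Content-Length: 0....

U 147.202.001.001:5060 -> 58.28.001.001:5065SIP/2.0 200 OK..Via: SIP/2.0/UDP
192.168.1.124:5065;received=58.28.001.001;branch=z9hG4bK-constructed2..CSeq:
101 BYE..Contact:
<sip:44556648 at 58.28.001.001:5060>..Content-Length: 0....
"""

HEADER = re.compile(r"^U (\S+):(\d+) -> (\S+):(\d+)(.*)$", re.S)
CONTACT = re.compile(r"Contact:\s*<sips?:(?:[^>@]*?(?:@| at ))?([^>;:]+)")


def to_ip(text):
    """Parse a dotted quad, tolerating zero-padded octets such as 58.28.001.001."""
    try:
        return ipaddress.ip_address(".".join(str(int(o)) for o in text.split(".")))
    except ValueError:
        return None  # hostname or malformed: nothing to classify


def audit_contacts(capture):
    """Return one dict per captured message that carries a Contact header."""
    findings = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        m = HEADER.match(" ".join(block.split()))  # undo the mail line wrapping
        if not m:
            continue
        src, _sport, dst, _dport, payload = m.groups()
        c = CONTACT.search(payload)
        if not c:
            continue
        ip, src_ip = to_ip(c.group(1)), to_ip(src)
        private = bool(ip and ip.is_private)
        findings.append({
            "src": src, "dst": dst, "contact": c.group(1).strip(),
            # Private Contact seen from a public source: NAT fix-up not applied.
            "leaked": bool(private and src_ip and not src_ip.is_private),
        })
    return findings
```
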





