Discussion:
TLS port problem
darthzejdr
2012-09-25 08:04:15 UTC
Hi,

I am testing TLS with SipX and have the following problem:

SipX server is not listening on port 5061. I have to manually open the port in
iptables for it to start working. Is there any way I can open the port from the
web console? The problem is that the rule gets overwritten at some
point (either over time or when I added a second server to the cluster) and I have to
add it again.

I've run /etc/init.d/iptables save, and the rule stays there after reboot,
but I think sipx overwrites it when it changes iptables.

Is there any way to open tcp 5061 from the web interface?

Log of all actions:

Default install from iso, set network and domain.
All tests done using Bria, 3 extensions, calls to each other, 2 min call length

Basic calls
Started sip registrar and sip proxy (automatically) on server 1
Extensions register with domain and all tested calls work

Downloaded root certificate and installed it in "Trusted Root Certification
Authorities" on local computer
Changed transport to TLS, Bria won't register.
Trying to telnet to port 5060 - connects
Trying to telnet to port 5061 - doesn't connect

iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
/etc/init.d/iptables save

After setting that TLS works, and all tested calls work

Added server2 in system servers
Installed and added server to cluster

TLS doesn't work, rule missing from iptables (checked next day, since after
adding server to cluster it stopped working)

Thx,

Ivan
George Niculae
2012-09-25 08:07:42 UTC
Post by darthzejdr
Hi,
SipX server is not listening on port 5061. I have to manually open the port in
iptables for it to start working. Is there any way I can open the port from the
web console? The problem is that the rule gets overwritten at some
point (either over time or when I added a second server to the cluster) and I have to
add it again.
I've run /etc/init.d/iptables save, and the rule stays there after reboot,
but I think sipx overwrites it when it changes iptables.
Is there any way to open tcp 5061 from the web interface?
Default install from iso, set network and domain.
All tests done using Bria, 3 extensions, calls to each other, 2 min call length
Basic calls
Started sip registrar and sip proxy (automatically) on server 1
Extensions register with domain and all tested calls work
Downloaded root certificate and installed it in "Trusted Root Certification
Authorities" on local computer
Changed transport to TLS, Bria won't register.
Trying to telnet to port 5060 - connects
Trying to telnet to port 5061 - doesn't connect
iptables -A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
/etc/init.d/iptables save
After setting that TLS works, and all tested calls work
Added server2 in system servers
Installed and added server to cluster
TLS doesn't work, rule missing from iptables (checked next day, since after
adding server to cluster it stopped working)
Hi Ivan,

thanks for testing / getting back! I am going to commit a fix for port
5061 to be configurable from admin UI (and to be preserved when config
changes)

Regards
George
darthzejdr
2012-09-25 08:43:54 UTC
Hi,

Looking at the output of iptables, I can see that 5061 is open, but for udp. Is
it possible that someone put the wrong protocol there?

-A INPUT -s 192.168.0.46/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.47/32 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50000:50050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 30000:31000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p udp -m udp --dport 5061 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

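The rule dump above is the kind of output where a udp-versus-tcp mix-up on the TLS port hides in plain sight. As an added example (not code from this thread or from sipXecs), the shell audit below checks an iptables --list-rules dump for the SIP listener rules and names the exact finding; the sample rule sets are constructed from the dumps posted in this thread, and the expected listener set (tcp/5060, udp/5060, tcp/5061) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from sipXecs: audit an
# "iptables --list-rules" dump for the SIP listener rules and flag the
# mistake found in this thread (5061 opened for udp instead of tcp).

# Constructed samples, cut down from the dumps posted above.
RULES_UDP_MISTAKE='-A INPUT -i eth0 -p tcp -m tcp --dport 50000:50050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT'
# Registrar disabled: no SIP rules at all.
RULES_NO_SIP='-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT'
# After the fix: 5061 is opened for tcp.
RULES_FIXED='-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT'

# has_accept_rule RULES PROTO PORT: succeeds if an INPUT ACCEPT rule exists for
# exactly that protocol and port ("( |$)" keeps 506 from matching 5060).
has_accept_rule() {
    printf '%s\n' "$1" |
        grep -Eq -- "^-A INPUT .*-p $2 .*--dport $3( |$).*-j ACCEPT$"
}

# audit_sip_rules RULES: prints "ok" (status 0) or a space-separated list of
# findings (status 1). Assumed listeners: SIP on tcp/5060 and udp/5060,
# SIP over TLS on tcp/5061 only.
audit_sip_rules() {
    rules=$1
    findings=''
    for want in tcp:5060 udp:5060 tcp:5061; do
        proto=${want%%:*}
        port=${want##*:}
        has_accept_rule "$rules" "$proto" "$port" ||
            findings="$findings missing:$want"
    done
    # TLS does not run over UDP, so a udp/5061 rule does not open the TLS port.
    if has_accept_rule "$rules" udp 5061; then
        findings="$findings wrong-proto:udp:5061"
    fi
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    echo "${findings# }"
    return 1
}

# Demonstration on the constructed samples; on a live host use
# audit_sip_rules "$(iptables --list-rules)" instead.
audit_sip_rules "$RULES_UDP_MISTAKE" || :
audit_sip_rules "$RULES_NO_SIP" || :
audit_sip_rules "$RULES_FIXED"
```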
George Niculae
2012-09-25 08:45:18 UTC
Post by darthzejdr
Hi,
Looking at the output of iptables, I can see that 5061 is open, but for udp. Is
it possible that someone put the wrong protocol there?
Yep, that's the problem. Will provide the fix and let you know when
RPM published, then you could yum update and retest (should be around
30 mins)

Thanks
George
George Niculae
2012-09-25 09:10:13 UTC
Post by George Niculae
Post by darthzejdr
Hi,
Looking at the output of iptables, I can see that 5061 is open, but for udp. Is
it possible that someone put the wrong protocol there?
Yep, that's the problem. Will provide the fix and let you know when
RPM published, then you could yum update and retest (should be around
30 mins)
RPMs with fix published, could you yum update, restart sipXconfig and
then check iptables

Thanks
George
George Niculae
2012-09-25 09:19:21 UTC
Post by George Niculae
Post by George Niculae
Post by darthzejdr
Hi,
Looking at the output of iptables, I can see that 5061 is open, but for udp. Is
it possible that someone put the wrong protocol there?
Yep, that's the problem. Will provide the fix and let you know when
RPM published, then you could yum update and retest (should be around
30 mins)
RPMs with fix published, could you yum update, restart sipXconfig and
then check iptables
Actually, just to be sure the new setting replicated OK, you should go to
System > Firewall and push the apply button

Thanks
George
darthzejdr
2012-09-25 11:43:00 UTC
I've done the yum update, but atm I have a different problem. I've disabled the sip
registrar, and that removed all the rules from the firewall. The problem is that
after I re-enabled the registrar, the rules aren't getting added to iptables.
I tried restarting the servers, disabling and enabling the firewall, even
removing the second server from the cluster. Nothing helps

[***@sipx1 ~]# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N syn-flood
-A INPUT -s 192.168.0.46/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.47/32 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50000:50050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

George Niculae
2012-09-25 11:48:34 UTC
Post by darthzejdr
I've done the yum update, but atm I have a different problem. I've disabled the sip
registrar, and that removed all the rules from the firewall. The problem is that
after I re-enabled the registrar, the rules aren't getting added to iptables.
I tried restarting the servers, disabling and enabling the firewall, even
removing the second server from the cluster. Nothing helps
Do a yum clean all and then yum update, I published another RPM
minutes ago. Let me know if it gets updated

Thanks
George
darthzejdr
2012-09-25 12:31:29 UTC
Done the yum things, went into telephony, turned the registrar on, clicked
apply, went to servers and sent profiles.

Still no 5060 or 5061 rules in ipconfig.

Rebooted server and the rules are there :)

Thank you

[***@sipx1 ~]# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N syn-flood
-A INPUT -s 192.168.0.46/32 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50000:50050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 30000:31000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT


George Niculae
2012-09-25 12:34:42 UTC
Post by darthzejdr
Done the yum things, went into telephony, turned the registrar on, clicked
apply, went to servers and sent profiles.
Still no 5060 or 5061 rules in ipconfig.
Rebooted server and the rules are there :)
Only service sipxconfig restart is needed instead of rebooting the server. Thanks
for getting back!

George
Tony Graziano
2012-09-25 12:36:34 UTC
Typically when I do any type of yum update on sipx, I use the
following procedure:

1. Stop sipx services: sipxagent -d stop_sipxecs
2. Update via YUM: yum update
3. If new kernel, then reboot, otherwise, start sipx services:
sipxagent -d start_sipxecs

Once sipxconfig UI is reachable, do: System>Server>[Check the server
updated] and click "Send Profiles".
Post by darthzejdr
Done the yum things, went into telephony, turned the registrar on, clicked
apply, went to servers and sent profiles.
Still no 5060 or 5061 rules in ipconfig.
Rebooted server and the rules are there :)
Thank you
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
George Niculae
2012-09-25 16:06:52 UTC
On Tue, Sep 25, 2012 at 3:36 PM, Tony Graziano
Post by Tony Graziano
Typically when I do any type of yum update on sipx, I use the
1. Stop sipx services: sipxagent -d stop_sipxecs
2. Update via YUM: yum update
sipxagent -d start_sipxecs
Once sipxconfig UI is reachable, do: System>Server>[Check the server
updated] and click "Send Profiles".
Right, this is the safer way to do it.

Ivan, I wonder if you hit this issue when testing Bria and TLS:

http://track.sipfoundry.org/browse/XX-9754

It looks like after 30 secs or something the proxy dies, let me know if you
encounter it

Thanks
George
George Niculae
2012-09-26 08:15:42 UTC
Post by George Niculae
http://track.sipfoundry.org/browse/XX-9754
It looks like after 30 secs or something the proxy dies, let me know if you
encounter it
If that's the case, do a yum update and recheck, just committed code
that should solve this

Thanks
George

darthzejdr
2012-09-25 12:32:57 UTC
Reposting, enter broke for some reason in the previous post
[***@sipx1 ~]# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N syn-flood
-A INPUT -s 192.168.0.46/32 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 50000:50050 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 30000:31000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5061 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 69 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

