Iptables breaks a working VoIP phone?
herlo1 at gmail.com
Sun Oct 28 21:54:23 MDT 2007
On 10/28/07, Gabriel Gunderson <gabe at gundy.org> wrote:
> On Sun, 2007-10-28 at 17:16 -0600, Hans Fugal wrote:
> > On Sat, 27 Oct 2007 at 15:18 -0600, Kenneth Burgener wrote:
> > > As I mentioned I am fronting iptables with shorewall (to make the
> > > configuration easier).
> > There's your first mistake. I'm in the minority I think, but IMHO
> > shorewall and friends are more trouble than they're worth. This
> > problem serves as a case in point.
> In general, I agree with this. But whatever you use, make sure iptables
> has a debugging mode where everything is logged before dropped. It's
> likely you will be able to look at your logs, see what is being dropped,
> and make changes to fix it.
I'd like to point out that what Gabe suggests is good, but only for a
temporary *troubleshooting* or validation that a rule actually works.
The logging that iptables does is *very* verbose. Do one LOG rule at
a time is my motto.

Might I suggest another couple of switches to iptables that might help you further.

iptables -Z INPUT (or whatever chain you want to look at)
watch iptables -vL --line-numbers

I generally run these two commands together on one line and then try
my actions. Sure, you'll get some packets elsewhere, but you really
only care about your line. If it's not working, you now have the
line-numbers option on and it can help you to delete the rule...
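
The zero-then-watch approach from the message above can be turned into a filter that prints only the blocking or logging rules whose counters moved. This is an added example, not part of the original post; the function names `hit_rules` and `sample_listing`, the interface name and the port numbers in the sample listing are constructed for illustration.

```shell
#!/bin/sh
# hit_rules: read `iptables -vL --line-numbers` output on stdin and print
# "CHAIN NUM TARGET PKTS" for every DROP/REJECT/LOG rule whose packet counter
# is nonzero, plus "CHAIN policy TARGET PKTS" when a chain's default policy
# has matched packets. Hypothetical helper name, not an iptables feature.
hit_rules() {
    awk '
        $1 == "Chain" {
            chain = $2
            # Built-in chains: "Chain INPUT (policy DROP 4 packets, 240 bytes)"
            # User chains:     "Chain foo (1 references)" -> no policy counter
            if ($3 == "(policy" && $5 != "0")
                print chain, "policy", $4, $5
            next
        }
        # Rule lines start with the rule number; $2 is pkts, $4 is the target.
        $1 ~ /^[0-9]+$/ && $2 != "0" && $4 ~ /^(DROP|REJECT|LOG)$/ {
            print chain, $1, $4, $2
        }
    '
}

# Constructed sample of `iptables -nvL --line-numbers` output, taken a few
# seconds after `iptables -Z` while a call attempt was in progress.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 4 packets, 240 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       25  1500 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       12  6480 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
3       37  7400 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:10000:20000
4        0     0 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
}

# Offline demonstration on the constructed listing.
sample_listing | hit_rules
# On a live host (as root): iptables -Z; sleep 10; iptables -nvxL --line-numbers | hit_rules
```

The printed rule number is the one to pass to `iptables -D CHAIN NUM` or `iptables -R` when adjusting the rule; `-x` keeps the counters as exact integers rather than abbreviated values such as `12K`.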