SOLVED: Re: [svlug] lingo broadband phone behind linux router (icmp 36: time exceeded in-transit)
Erik Steffl
steffl at bigfoot.com
Wed Jan 5 12:59:39 PST 2005
for the archives:
sort of solved, Lingo device now works behind linux router (incoming,
outgoing calls, I get notified about voicemail on the phone connected to
Lingo device, it was able to update its firmware via tftp (as far as I
can tell)) even though I am not entirely sure why (and whether it's
going to work after reboot), I installed the shorewall firewall and the
webmin module for it and set up the port forwarding there (iptables -v
-L shows the same port forwarding as before).
URL: http://www.shorewall.net/
debian (unstable) packages: shorewall, shorewall-doc, webmin-shorewall
I can provide detailed info if anybody needs it (I'd put it in here
but I am not sure what's relevant and I definitely don't have a
definitive guide... (not even a draft)).
erik
Erik Steffl wrote:
> I am trying to make the Lingo (http://www.lingo.com) broadband phone
> work behind the linux firewall. It does not work, I am somewhat confused
> about why they asked me to forward ports 1024-1028 to Lingo (those are
> the first dynamically assigned ports, wouldn't they be used by services
> started on the router itself?).
>
> The only indication of what is possibly wrong is the error that I see
> in tcpdump: GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit (only udp is forwarded, not icmp). And the
> fact that the VOIP never starts to work.
>
> Any ideas on how to set this up? The details of my setup as well as
> tcpdump output is below. Any pointers to docs (or solutions)
> appreciated. I've googled for various relevant terms and learned a lot
> about iptables and port forwarding etc. but nothing that would get me
> further.
>
> Here's my setup (not recommended but approved by Lingo):
>
> WAN: phone line - dsl modem - linux machine eth0 (no PPPoE, just
> straight ethernet)
>
> LAN: linux machine eth1 - netgear switch - Lingo (no other devices
> during testing of Lingo)
>
> Following ports are forwarded to Lingo device (at least I think so),
> that's what Lingo customer support told me it needs (they also told me
> it needs 123 and 53 but I guess it needs outbound connection on those
> ports, not port forwarding for inbound connections):
>
> 1024 1025 1026 1027
> 5060 5061 5062 5063 5064 5065
> 10000 10001 10002 10003 10004 10005
>
> the commands I use to set up the port forwarding:
>
> /sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d 198.144.206.234 \
>     --dport $port -j DNAT --to $LINGO_IP:$port
> /sbin/iptables -A FORWARD -p udp -i eth0 -d $LINGO_IP --dport $port \
>     -j ACCEPT
>
> where $LINGO_IP is 192.168.0.200 and port is one of the ports above.
>
> Here's what works:
>
> - lingo gets an IP assigned by dhcp (192.168.0.200, based on MAC)
>
> - lingo responds on port 80 (admin/config interface), it says it's not
> connected to VOIP but other than that it does not indicate any errors.
>
> - lingo sends _some_ requests out, at least some of it tftp
>
> - at least some port forwarding works because etherape shows traffic
> from Lingo to my linux router and out (to a few IPs outside) and then
> traffic coming from those IPs it contacted all the way back to Lingo
> device.
>
> PROBLEM: the Lingo device never does whatever it needs to do and the
> VOIP LED is never turned on.
>
> jojda:/home/erik# iptables -v -L
> Chain INPUT (policy ACCEPT 274K packets, 114M bytes)
>  pkts bytes target prot opt in   out source   destination
>
> Chain FORWARD (policy ACCEPT 420 packets, 26489 bytes)
>  pkts bytes target prot opt in   out source   destination
>   118 64192 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:1024
>   120 65280 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:1025
>    33 11536 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:1026
>    29  9963 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:1027
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5060
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5061
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5062
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5063
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5064
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:5065
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10000
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10001
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10002
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10003
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10004
>     0     0 ACCEPT udp  --  eth0 any anywhere 192.186.0.200 udp dpt:10005
>
> Chain OUTPUT (policy ACCEPT 267K packets, 52M bytes)
>  pkts bytes target prot opt in   out source   destination
> jojda:/home/erik#
>
> ----------------------------------------------------------
> ----------------------------------------------------------
> ----------------------------------------------------------
> tcpdump of Lingo communication to router:
>
> length: 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
> Request from 00:0e:9b:80:78:cd, length: 300, xid:0x7bdf, secs:2, flags:
> [none]
> Client Ethernet Address: 00:0e:9b:80:78:cd [|bootp]
> 22:19:56.367633 IP (tos 0x10, ttl 64, id 0, offset 0, flags [none],
> length: 328) 192.168.0.1.bootps > 192.168.0.200.bootpc: BOOTP/DHCP,
> Reply, length: 300, xid:0x7bdf, secs:2, flags: [none]
> Your IP: 192.168.0.200
> Server IP: 192.168.0.1
> Client Ethernet Address: 00:0e:9b:80:78:cd [|bootp]
> 22:19:56.369013 arp who-has 192.168.0.200 tell 172.25.25.1
> 22:19:56.667219 arp reply 172.25.25.1 is-at 00:0e:9b:80:78:cd
> 22:19:56.668614 arp who-has 172.25.25.1 tell 172.25.25.1
> 22:19:56.671373 arp who-has 192.168.0.200 tell 172.25.25.1
> 22:19:57.008783 arp who-has 192.168.0.1 tell 192.168.0.200
> 22:19:57.008796 arp reply 192.168.0.1 is-at 00:50:ba:4d:1a:58
> 22:19:57.009978 IP (tos 0x0, ttl 64, id 6, offset 0, flags [none],
> length: 72) 192.168.0.200.1024 > 209.227.167.162.tftp: [udp sum ok] 44
> RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:19:59.007120 IP (tos 0x0, ttl 64, id 7, offset 0, flags [none],
> length: 72) 192.168.0.200.1024 > 209.227.167.162.tftp: [udp sum ok] 44
> RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:20:01.007061 IP (tos 0x0, ttl 64, id 8, offset 0, flags [none],
> length: 72) 192.168.0.200.1024 > 209.227.167.162.tftp: [udp sum ok] 44
> RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:20:03.007013 IP (tos 0x0, ttl 64, id 9, offset 0, flags [none],
> length: 72) 192.168.0.200.1024 > 209.227.167.162.tftp: [udp sum ok] 44
> RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:20:05.006970 IP (tos 0x0, ttl 64, id 10, offset 0, flags [none],
> length: 72) 192.168.0.200.1024 > 209.227.167.162.tftp: [udp sum ok] 44
> RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:20:07.047374 IP (tos 0x0, ttl 64, id 26, offset 0, flags [none],
> length: 77) 192.168.0.200.1025 > 209.227.167.162.tftp: [udp sum ok] 49
> RRQ "U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG" octet
> 22:20:09.046891 IP (tos 0x0, ttl 64, id 27, offset 0, flags [none],
> length: 77) 192.168.0.200.1025 > 209.227.167.162.tftp: [udp sum ok] 49
> RRQ "U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG" octet
> 22:20:11.046849 IP (tos 0x0, ttl 64, id 28, offset 0, flags [none],
> length: 77) 192.168.0.200.1025 > 209.227.167.162.tftp: [udp sum ok] 49
> RRQ "U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG" octet
> 22:20:13.046804 IP (tos 0x0, ttl 64, id 29, offset 0, flags [none],
> length: 77) 192.168.0.200.1025 > 209.227.167.162.tftp: [udp sum ok] 49
> RRQ "U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG" octet
> 22:20:15.046763 IP (tos 0x0, ttl 64, id 30, offset 0, flags [none],
> length: 77) 192.168.0.200.1025 > 209.227.167.162.tftp: [udp sum ok] 49
> RRQ "U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG" octet
> 22:20:16.393728 IP (tos 0x0, ttl 64, id 1240, offset 0, flags [DF],
> length: 232) 192.168.0.1.who > 192.168.0.255.who: UDP, length: 204
> 22:20:17.083521 IP (tos 0x0, ttl 64, id 46, offset 0, flags [none],
> length: 88) 192.168.0.200.1026 > 209.227.167.162.tftp: 60 RRQ
> "000E9B8078/U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG"
> 22:20:19.086762 IP (tos 0x0, ttl 64, id 47, offset 0, flags [none],
> length: 88) 192.168.0.200.1026 > 209.227.167.162.tftp: 60 RRQ
> "000E9B8078/U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG"
> 22:20:21.086715 IP (tos 0x0, ttl 64, id 48, offset 0, flags [none],
> length: 88) 192.168.0.200.1026 > 209.227.167.162.tftp: 60 RRQ
> "000E9B8078/U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG"
> 22:20:23.086670 IP (tos 0x0, ttl 64, id 49, offset 0, flags [none],
> length: 88) 192.168.0.200.1026 > 209.227.167.162.tftp: 60 RRQ
> "000E9B8078/U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG"
> 22:20:25.086637 IP (tos 0x0, ttl 64, id 50, offset 0, flags [none],
> length: 88) 192.168.0.200.1026 > 209.227.167.162.tftp: 60 RRQ
> "000E9B8078/U53V005.00.00_UTSTARCOM-000E9B8078CD.CFG"
> 22:20:27.121639 IP (tos 0x0, ttl 64, id 66, offset 0, flags [none],
> length: 68) 192.168.0.200.1027 > 209.227.167.162.tftp: [udp sum ok] 40
> RRQ "U53V005.00.00_UTSTARCOM-600.CFG" octet
> 22:20:29.116460 IP (tos 0x0, ttl 64, id 67, offset 0, flags [none],
> length: 68) 192.168.0.200.1027 > 209.227.167.162.tftp: [udp sum ok] 40
> RRQ "U53V005.00.00_UTSTARCOM-600.CFG" octet
> 22:20:31.116406 IP (tos 0x0, ttl 64, id 68, offset 0, flags [none],
> length: 68) 192.168.0.200.1027 > 209.227.167.162.tftp: [udp sum ok] 40
> RRQ "U53V005.00.00_UTSTARCOM-600.CFG" octet
> 22:20:33.116366 IP (tos 0x0, ttl 64, id 69, offset 0, flags [none],
> length: 68) 192.168.0.200.1027 > 209.227.167.162.tftp: [udp sum ok] 40
> RRQ "U53V005.00.00_UTSTARCOM-600.CFG" octet
> 22:20:35.116334 IP (tos 0x0, ttl 64, id 70, offset 0, flags [none],
> length: 68) 192.168.0.200.1027 > 209.227.167.162.tftp: [udp sum ok] 40
> RRQ "U53V005.00.00_UTSTARCOM-600.CFG" octet
> 22:20:37.223817 IP (tos 0x0, ttl 64, id 80, offset 0, flags [none],
> length: 61) 192.168.0.200.1028 > ns.tsoft.net.domain: [udp sum ok] 1+
> A? sip.iprimus.net. (33)
> 22:20:37.236123 IP (tos 0x0, ttl 61, id 35631, offset 0, flags [none],
> length: 179) ns.tsoft.net.domain > 192.168.0.200.1028: 1 1/3/3
> sip.iprimus.net. A 209.227.167.230 (151)
> 22:20:37.238679 IP (tos 0x0, ttl 64, id 81, offset 0, flags [none],
> length: 61) 192.168.0.200.1029 > ns.tsoft.net.domain: [udp sum ok] 2+
> A? sip.iprimus.net. (33)
> 22:20:37.251824 IP (tos 0x0, ttl 61, id 35633, offset 0, flags [none],
> length: 179) ns.tsoft.net.domain > 192.168.0.200.1029: 2 1/3/3
> sip.iprimus.net. A 209.227.167.230 (151)
> 22:20:42.235024 arp who-has 192.168.0.200 tell 192.168.0.1
> 22:20:42.236369 arp reply 192.168.0.200 is-at 00:0e:9b:80:78:cd
>
> ----------------------------------------------------------
> ----------------------------------------------------------
> ----------------------------------------------------------
> tcpdump of eth0 (outside connection):
>
> 22:19:57.010020 IP (tos 0x0, ttl 63, id 6, offset 0, flags [none],
> length: 72) jojda.zasran.com.1024 > 209.227.167.162.tftp: [udp sum ok]
> 44 RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:19:57.113838 IP (tos 0x0, ttl 50, id 5423, offset 0, flags [DF],
> length: 544) 209.227.167.162.36173 > jojda.zasran.com.1024: UDP, length:
> 516
> 22:19:57.113881 IP (tos 0x0, ttl 49, id 5423, offset 0, flags [DF],
> length: 544) jojda.zasran.com.36173 > 192.186.0.200.1024: UDP, length: 516
> 22:19:57.141984 IP (tos 0xc0, ttl 251, id 10089, offset 0, flags [none],
> length: 56) GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit
> 22:19:57.142017 IP (tos 0xc0, ttl 250, id 10089, offset 0, flags [none],
> length: 56) jojda.zasran.com > 209.227.167.162: icmp 36: time exceeded
> in-transit
> 22:19:58.112441 IP (tos 0x0, ttl 50, id 5424, offset 0, flags [DF],
> length: 544) 209.227.167.162.36173 > jojda.zasran.com.1024: UDP, length:
> 516
> 22:19:58.112465 IP (tos 0x0, ttl 49, id 5424, offset 0, flags [DF],
> length: 544) jojda.zasran.com.36173 > 192.186.0.200.1024: UDP, length: 516
> 22:19:58.141677 IP (tos 0xc0, ttl 251, id 10094, offset 0, flags [none],
> length: 56) GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit
> 22:19:58.141701 IP (tos 0xc0, ttl 250, id 10094, offset 0, flags [none],
> length: 56) jojda.zasran.com > 209.227.167.162: icmp 36: time exceeded
> in-transit
> 22:19:59.007145 IP (tos 0x0, ttl 63, id 7, offset 0, flags [none],
> length: 72) jojda.zasran.com.1024 > 209.227.167.162.tftp: [udp sum ok]
> 44 RRQ "U53V005.00.00_UTSTARCOM-GENERAL.CFG" octet
> 22:19:59.103741 IP (tos 0x0, ttl 50, id 5622, offset 0, flags [DF],
> length: 544) 209.227.167.162.36175 > jojda.zasran.com.1024: UDP, length:
> 516
> 22:19:59.103774 IP (tos 0x0, ttl 49, id 5622, offset 0, flags [DF],
> length: 544) jojda.zasran.com.36175 > 192.186.0.200.1024: UDP, length: 516
> 22:19:59.131421 IP (tos 0xc0, ttl 251, id 10101, offset 0, flags [none],
> length: 56) GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit
> 22:19:59.131444 IP (tos 0xc0, ttl 250, id 10101, offset 0, flags [none],
> length: 56) jojda.zasran.com > 209.227.167.162: icmp 36: time exceeded
> in-transit
> 22:20:00.102191 IP (tos 0x0, ttl 50, id 5623, offset 0, flags [DF],
> length: 544) 209.227.167.162.36175 > jojda.zasran.com.1024: UDP, length:
> 516
> 22:20:00.102214 IP (tos 0x0, ttl 49, id 5623, offset 0, flags [DF],
> length: 544) jojda.zasran.com.36175 > 192.186.0.200.1024: UDP, length: 516
> 22:20:00.111983 IP (tos 0x0, ttl 50, id 5425, offset 0, flags [DF],
> length: 544) 209.227.167.162.36173 > jojda.zasran.com.1024: UDP, length:
> 516
> 22:20:00.112003 IP (tos 0x0, ttl 49, id 5425, offset 0, flags [DF],
> length: 544) jojda.zasran.com.36173 > 192.186.0.200.1024: UDP, length: 516
> 22:20:00.130961 IP (tos 0xc0, ttl 251, id 10117, offset 0, flags [none],
> length: 56) GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit
> 22:20:00.130988 IP (tos 0xc0, ttl 250, id 10117, offset 0, flags [none],
> length: 56) jojda.zasran.com > 209.227.167.162: icmp 36: time exceeded
> in-transit
> 22:20:00.144336 IP (tos 0xc0, ttl 251, id 10118, offset 0, flags [none],
> length: 56) GE7-ar03-1019m-sfo.unitedlayer.com > jojda.zasran.com: icmp
> 36: time exceeded in-transit
> 22:20:00.144368 IP (tos 0xc0, ttl 250, id 10118, offset 0, flags [none],
> length: 56) jojda.zasran.com > 209.227.167.162: icmp 36: time exceeded
> in-transit
> ... more of the same ...
>
> any ideas?
>
> TIA,
>
> erik
>
>
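Added example, not part of the original posts: the FORWARD listing and the eth0 tcpdump above show forwarded packets addressed to 192.186.0.200, while the quoted message gives $LINGO_IP as 192.168.0.200, so a useful check on a port-forwarding ruleset is to flag every forwarded destination that lies outside the LAN. The function names and the 192.168.0.0/24 LAN prefix are assumptions, and the sample listing is constructed from the one above in `iptables -v -n -L FORWARD` form.

```shell
#!/bin/sh
# Added example: flag FORWARD rules whose destination is outside the LAN.
# Reads `iptables -v -n -L FORWARD` style lines on stdin; $1 is the LAN in
# CIDR form (assumed here to be 192.168.0.0/24). Prints "destination dport"
# for every ACCEPT rule whose destination host is not inside that LAN.
forward_dests_outside_lan() {
    awk -v lan="$1" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(lan, c, "/")
        size = 2 ^ (32 - c[2])                    # addresses in the prefix
        base = int(ip2int(c[1]) / size) * size    # first address of the LAN
    }
    # Rule lines: pkts bytes target prot opt in out source destination ...
    $3 == "ACCEPT" && $9 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        d = ip2int($9)
        if (d < base || d >= base + size) {
            port = ""
            for (i = 10; i <= NF; i++)
                if ($i ~ /^dpt:/) port = substr($i, 5)
            print $9, port
        }
    }'
}

# Constructed sample: two rules modelled on the listing in the post, plus one
# rule with an in-LAN destination for contrast.
sample_listing() {
    cat <<'EOF'
Chain FORWARD (policy ACCEPT 420 packets, 26489 bytes)
 pkts bytes target prot opt in   out source    destination
  118 64192 ACCEPT udp  --  eth0 *   0.0.0.0/0 192.186.0.200 udp dpt:1024
    0     0 ACCEPT udp  --  eth0 *   0.0.0.0/0 192.186.0.200 udp dpt:5060
    0     0 ACCEPT udp  --  eth0 *   0.0.0.0/0 192.168.0.200 udp dpt:5061
EOF
}

sample_listing | forward_dests_outside_lan 192.168.0.0/24
```

On a live router the same function can be fed with `iptables -v -n -L FORWARD | forward_dests_outside_lan 192.168.0.0/24`; any line it prints is a rule that sends traffic somewhere other than a LAN host.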