When rtpengine starts, it creates a new iptables chain (rtpengine) and a rule in the INPUT chain to pass all udp traffic to the rtpengine chain. Nothing wrong here, except:
It also changes the INPUT chain policy from DROP to ACCEPT. This may open up the host to outside attacks.
Tested with all nftables-* options on default (not specified).
Steps to reproduce the problem
Before (policy = DROP):
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   55 52485 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   15  1744 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
...etc
Start rtpengine:
# systemctl start ngcp-rtpengine-daemon
After (policy = ACCEPT):
# iptables -nvL
Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   620 rtpengine  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
  132  113K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  237 29002 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
...etc

Chain rtpengine (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   620 RTPENGINE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            RTPENGINE id:0
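As an added example (not part of the report and not rtpengine project code), the following POSIX shell check parses `iptables -nvL` output, extracts a chain's default policy, and flags a policy change between a snapshot taken before a service starts and one taken after. The two listings embedded in the script are constructed from the before/after output shown above so that it runs without root; the function names `chain_policy`, `policy_changed` and `snapshot` are my own.

```shell
#!/bin/sh
# Detect an unexpected change of an iptables chain policy (e.g. INPUT
# flipping from DROP to ACCEPT) across a service start.

# Constructed sample listings, modelled on the report's iptables -nvL output.
BEFORE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   55 52485 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID'

AFTER='Chain INPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   620 rtpengine  udp  --  *      *       0.0.0.0/0            0.0.0.0/0
  132  113K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain rtpengine (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   620 RTPENGINE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            RTPENGINE id:0'

# chain_policy CHAIN LISTING
# Prints the policy of CHAIN (DROP/ACCEPT) found in an iptables -nvL LISTING.
# Only built-in chains carry a "(policy ...)" header; user chains such as
# "rtpengine" print "(1 references)" and are skipped.
chain_policy() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "Chain" && $2 == chain && $3 == "(policy" { print $4; exit }'
}

# policy_changed CHAIN BEFORE AFTER
# Succeeds (exit 0) when the policy of CHAIN differs between the two listings.
policy_changed() {
    before_pol=$(chain_policy "$1" "$2")
    after_pol=$(chain_policy "$1" "$3")
    [ "$before_pol" != "$after_pol" ]
}

# snapshot
# Captures the live ruleset; requires root. Unused by the offline demo below.
snapshot() {
    iptables -nvL 2>/dev/null
}

# Offline demo on the constructed samples. For a live check, replace the
# samples with:  before=$(snapshot); systemctl start <service>; after=$(snapshot)
# and restore the intended policy with "iptables -P INPUT DROP" if it changed.
if policy_changed INPUT "$BEFORE" "$AFTER"; then
    echo "WARNING: INPUT policy changed:" \
         "$(chain_policy INPUT "$BEFORE") -> $(chain_policy INPUT "$AFTER")"
else
    echo "INPUT policy unchanged: $(chain_policy INPUT "$BEFORE")"
fi
```

Run as-is it reports the DROP to ACCEPT flip from the samples; wrapped around a real `systemctl start`, the same two functions give a pre/post check that can gate a deployment or feed a monitoring alert.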
rtpengine version the issue has been seen with
12.2.1.0
Used distribution and its version
Debian 10
Linux kernel version used
4.19.0-25-amd64 (4.19.289)
CPU architecture issue was seen on (see uname -m)
x86_64
Expected behaviour you didn't see
Not touching iptables' INPUT chain's policy.