* SIP vs NAT, the configuration
@ 2009-12-17 11:02 rebeca.martinez-garcia
  2009-12-17 11:45 ` Lorenzo Allegrucci
  0 siblings, 1 reply; 4+ messages in thread
From: rebeca.martinez-garcia @ 2009-12-17 11:02 UTC (permalink / raw)
  To: netfilter; +Cc: vhuertas


Hi all,

I have finally managed to configure my iptables so SIP clients under  
NAT can make calls outside and clients outside can call clients in the  
LAN.
The aim of this email is to post my configuration as a help for those  
trying to configure iptables in the same way.

Firstly, it is necessary to be sure that you have kernel support for  
modules nf_conntrack_sip and nf_nat_sip:

cng@cng:/etc/ser$ modprobe -l | grep sip
kernel/net/netfilter/nf_conntrack_sip.ko
kernel/net/ipv4/netfilter/nf_nat_sip.ko

If you do not have them, then you will need to build the kernel with  
support for them (but my kernel is 2.6.31 and they are there by default).

So next step is to configure the iptables script. I have made comments  
so everybody can understand:

# Load modules:
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe nf_conntrack
/sbin/modprobe nf_nat

# To load nf_conntrack_sip and nf_nat_sip it is important to respect the
# order: first nf_conntrack_sip and then nf_nat_sip.
# If your SIP connection is to dest. udp port 5060 then it is not
# necessary to add "ports=5060,4060", but if you have the problem that
# the SIP connection is to be done to another port, then the structure is
# "ports=5060,xxx" where xxx is your port. (I think you can add up to 8
# ports, not sure)

/sbin/modprobe nf_conntrack_sip ports=5060,4060 sip_direct_signalling=0 sip_direct_media=0
/sbin/modprobe nf_nat_sip

# Remove all rules and chains (this step is not necessary, it was for my
# personal configuration):
iptables -F
iptables -X

# Forward: Again, if your dest. udp port is 5060 you only need the first two
# rules.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp --dport 4060 -j ACCEPT

# Finally masquerade:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.xx.xx.xx

# End message:
echo " [End iptables rules setting]"

This is all. I hope it will help.
Also I want again to thank François for all his support.

Regards,
Rebeca Martinez
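
The ruleset above, reworked as an added example that is not the poster's script and not part of the thread: the same SIP-through-NAT setup, parameterised and emitted as a reviewable list of commands (pipe it to sh, or pass --apply, to execute). The WAN interface eth0, the LAN 192.168.1.0/24 and the public address 198.51.100.10 are placeholder assumptions. It adds three things a practitioner would want that the posted script leaves out. First, kernels since Linux 4.7 no longer attach conntrack helpers automatically (net.netfilter.nf_conntrack_helper defaults to 0), so the SIP helper is bound explicitly with the CT target in the raw table. Second, the FORWARD chain gets a DROP policy, and RELATED is accepted only for flows the sip helper expected (the RTP/RTCP pinholes) rather than for anything any loaded helper expects. Third, the QoS marking Lorenzo asks about later in the thread is shown with the caveat that `-m helper` matches only the flows a helper expected (the media), never the signalling flow itself, so SIP on its port needs a separate port match. The poster's sip_direct_signalling=0 and sip_direct_media=0 are kept as parameters; 0 widens the helper's expectations to any source address, and the default of 1 is the tighter choice whenever the media really does come from the signalling peer.

```shell
#!/bin/sh
# Added example, not the script from the thread: SIP through NAT with the
# conntrack helper bound explicitly, a default-deny FORWARD chain and RELATED
# narrowed to the sip helper.  Every rule is emitted as text so it can be
# reviewed first; run with --apply to execute.  Addresses are placeholders.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN behind the NAT
PUBLIC_IP="${PUBLIC_IP:-198.51.100.10}"  # assumed public address (documentation range)
SIP_PORTS="${SIP_PORTS:-5060 4060}"      # signalling ports, as in the thread
DIRECT_SIG="${DIRECT_SIG:-0}"            # poster's values; 1 (the default) is tighter:
DIRECT_MEDIA="${DIRECT_MEDIA:-0}"        # 0 lets any source address hit an expected port
QOS_CLASS="${QOS_CLASS:-1:100}"          # tc class used by the optional mangle rules

# nf_nat_sip needs the conntrack helper registered first, so the order matters.
module_cmds() {
  ports=$(printf '%s' "$SIP_PORTS" | tr ' ' ',')
  printf '%s\n' \
    "modprobe nf_conntrack" \
    "modprobe nf_nat" \
    "modprobe nf_conntrack_sip ports=$ports sip_direct_signalling=$DIRECT_SIG sip_direct_media=$DIRECT_MEDIA" \
    "modprobe nf_nat_sip"
}

rule_cmds() {
  # Kernels since 4.7 do not attach helpers automatically
  # (net.netfilter.nf_conntrack_helper=0), so bind the helper per port in the
  # raw table.  This also keeps the parser off ports nobody asked it to watch.
  for p in $SIP_PORTS; do
    printf '%s\n' \
      "iptables -t raw -A PREROUTING -p udp --dport $p -j CT --helper sip" \
      "iptables -t raw -A OUTPUT -p udp --dport $p -j CT --helper sip"
  done

  # Default deny; the original script never set a policy.
  printf '%s\n' \
    "iptables -P FORWARD DROP" \
    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT"

  # RTP/RTCP arrives as RELATED through the helper's expectations.  Accepting
  # RELATED only when the sip helper created the expectation keeps other
  # helpers (ftp, etc.) from opening the same hole.
  printf '%s\n' \
    "iptables -A FORWARD -m conntrack --ctstate RELATED -m helper --helper sip -j ACCEPT"

  # New signalling: LAN phones out, and inbound to the LAN for phones that
  # must be reachable directly.  Drop the second rule when every phone
  # REGISTERs to an outside proxy: the refreshed UDP entry then admits the
  # proxy's INVITEs as ESTABLISHED.
  for p in $SIP_PORTS; do
    printf '%s\n' \
      "iptables -A FORWARD -s $LAN_NET -o $WAN_IF -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT" \
      "iptables -A FORWARD -i $WAN_IF -d $LAN_NET -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done

  # Source NAT to the single public address.
  printf '%s\n' \
    "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP"

  # Optional QoS: -m helper matches only flows expected by the helper (the
  # media), never the signalling flow itself, so SIP gets a separate port match.
  printf '%s\n' \
    "iptables -t mangle -A FORWARD -m helper --helper sip -j CLASSIFY --set-class $QOS_CLASS"
  for p in $SIP_PORTS; do
    printf '%s\n' \
      "iptables -t mangle -A FORWARD -p udp --dport $p -j CLASSIFY --set-class $QOS_CLASS"
  done
}

# Print by default; pass --apply to run the commands.  Afterwards
# "conntrack -L -p udp --dport 5060" should show helper=sip on the signalling
# entry, and "conntrack -L expect" the RTP expectations during a call.
if [ "${1:-}" = "--apply" ]; then
  { module_cmds; rule_cmds; } | sh -e
else
  module_cmds
  rule_cmds
fi
```

Review the printed list before applying it; in particular keep the inbound NEW rule only if phones on the LAN must be callable without having registered to an outside proxy, since it opens the signalling port from the whole Internet to the whole LAN.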


* Re: SIP vs NAT, the configuration
  2009-12-17 11:02 rebeca.martinez-garcia
@ 2009-12-17 11:45 ` Lorenzo Allegrucci
  0 siblings, 0 replies; 4+ messages in thread
From: Lorenzo Allegrucci @ 2009-12-17 11:45 UTC (permalink / raw)
  To: rebeca.martinez-garcia; +Cc: netfilter, vhuertas

rebeca.martinez-garcia@estudiant.upc.edu wrote:
> 
> Hi all,
> 
> I have finally managed to configure my iptables so SIP clients under NAT 
> can make calls outside and clients outside can call clients in the LAN.
> The aim of this email is to post my configuration as a help for those 
> trying to configure iptables in the same way.
> 
> Firstly, it is necessary to be sure that you have kernel support for 
> modules nf_conntrack_sip and nf_nat_sip:
> 
> cng@cng:/etc/ser$ modprobe -l | grep sip
> kernel/net/netfilter/nf_conntrack_sip.ko
> kernel/net/ipv4/netfilter/nf_nat_sip.ko
> 
> If you do not have them, then you will need to build the kernel with 
> support for them (but my kernel is 2.6.31 and they are by default).
> 
> So next step is to configure the iptables script. I have made comments 
> so everybody can understand:
> 
> # Load modules:
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_nat
> /sbin/modprobe iptable_filter
> /sbin/modprobe nf_conntrack
> /sbin/modprobe nf_nat
> 
> # To load nf_conntrack_sip and nf_nat_sip it is important to respect the
> # order: first nf_conntrack_sip and then nf_nat_sip.
> # If your SIP connection is to dest. udp port 5060 then it is not
> # necessary to add "ports=5060,4060", but if you have the problem that
> # the SIP connection is to be done to another port, then the structure is
> # "ports=5060,xxx" where xxx is your port. (I think you can add up to 8
> # ports, not sure)
> 
> /sbin/modprobe nf_conntrack_sip ports=5060,4060 sip_direct_signalling=0 sip_direct_media=0
> /sbin/modprobe nf_nat_sip

Hi,

Can you match all VoIP (SIP+RTP) traffic with the above commands?

I'm trying to set up some QoS rules to match VoIP traffic by nf_conntrack_sip,
but I can't find a way to match all traffic; I can match just a small fraction of it.
(no NAT, tried all combinations of sip_direct_signalling and sip_direct_media)


* Re: SIP vs NAT, the configuration
@ 2009-12-17 12:06 Lorenzo Allegrucci
       [not found] ` <07b3b533f982b9d160870cba61241e91@thom.fr.eu.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Lorenzo Allegrucci @ 2009-12-17 12:06 UTC (permalink / raw)
  To: rebeca.martinez-garcia; +Cc: netfilter, vhuertas

François Legal wrote:
 > I guess yes, but most of the packets will go through the RELATED match,
 > and depending on your setup, a lot of packets not related at all to
 > SIP/VOIP could go through that match.

my setup:

no NAT, static routing, my soft-phones can call each other without problems.
(I configured a local asterisk server just for this test)

on my router (debian lenny):
nf_conntrack_sip ports=5060 sip_direct_signalling=1 sip_direct_media=1
iptables -t mangle -A FORWARD -m helper --helper sip -j CLASSIFY --set-class 1:100

iptables -L -n -t mangle -v -x does not match all VoIP traffic, just some random packets.
Can anyone reproduce this?


* Re: SIP vs NAT, the configuration
       [not found] ` <07b3b533f982b9d160870cba61241e91@thom.fr.eu.org>
@ 2009-12-18 14:31   ` Lorenzo Allegrucci
  0 siblings, 0 replies; 4+ messages in thread
From: Lorenzo Allegrucci @ 2009-12-18 14:31 UTC (permalink / raw)
  To: François Legal; +Cc: rebeca.martinez-garcia, netfilter, vhuertas

François Legal wrote:
> Could you log the packets that match instead of marking, then send the log
> to the list ?

Hi François,

I just managed to solve it by setting "directmedia=update" on my asterisk configuration.
If directmedia=yes RTP traffic is between the two clients, with directmedia=update
almost all RTP traffic is via asterisk and in this way the nf_conntrack_sip module can match it.
The sip_direct_media=[0|1] parameter of nf_conntrack_sip had no influence on my test.

