From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: Jan Engelhardt <jengelh@inai.de>
Cc: "Jörn Krebs" <jk@smartbyte.de>, netfilter <netfilter@vger.kernel.org>
Subject: Re: VoIP conntrack issue
Date: Wed, 14 Nov 2012 17:38:50 +0200
Message-ID: <50A3BB0A.9070301@ngtech.co.il>
In-Reply-To: <alpine.LNX.2.01.1211141055040.4653@nerf07.vanv.qr>

Or instead just use DNAT with specific ports, which will allow any other
traffic from this host to others based on basic NAT, what is called
"port-forwarding".

Regards,
Eliezer

On 11/14/2012 1:23 PM, Jan Engelhardt wrote:
> #  <-> both ways
>
> First, you only used one MASQUERADE rule, which says to establish a
> mapping 192.168.1.38:P <-> 114.XX.234.123:Q, if and only if,
> 192.168.0.0/16 is the src address on the initiating packet. This is
> not the case for that <122.XX.115.203:10020->114.XX.234.123:44608>
> packet of yours.
> In weird Wikipedia terms, nf_nat implements "Cone NAT" exclusively.
>
> There are two ways here.
>
> 1.
> `modprobe nf_nat_sip` and see if that yields the desired result.
>
>
> If not,
>
> 2.
> To get the "1:1 NAT", you will need to add a "second" cone in the
> other direction, so to speak. This is then something like
>
>   iptables -t nat -A PREROUTING -i internet [-d 114.XX.234.123] \
>            -j DNAT --to 192.168.1.38
>
> As you no doubt will notice, this makes the router as a host
> inaccessible on 114.XX.234.123, but that's what 1:1 means.
>
> HTH.

-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
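
An added example, not part of the thread and not netfilter code: a toy Python model of the three rule sets discussed in this message (MASQUERADE only, the 1:1 DNAT, and DNAT limited to specific ports), showing where a SIP reply, an unsolicited media packet and a packet meant for the router itself end up. The public addresses are constructed documentation-range values because the thread elides its own; the forwarded range 40000-49999 and the names `NatModel` and `compare` are assumptions for illustration.

```python
import ipaddress

# Constructed sample values: the thread elides its public addresses, so
# documentation ranges stand in for them. Only 192.168.1.38 is from the thread.
WAN_IP = "203.0.113.10"                       # router's public address (assumed)
PHONE = "192.168.1.38"                        # internal VoIP host
LAN = ipaddress.ip_network("192.168.0.0/16")  # source range of the MASQUERADE rule

class NatModel:
    """Toy model of conntrack + nat table lookups; UDP only, ports preserved."""

    def __init__(self, dnat=None):
        # dnat: None (MASQUERADE only), "all" (1:1 DNAT), or a set of ports
        self.dnat = dnat
        self.conntrack = {}  # (remote ip, remote port, public port) -> internal host

    def outbound(self, src, sport, dst, dport):
        """LAN host initiates a flow: MASQUERADE creates the mapping."""
        if ipaddress.ip_address(src) not in LAN:
            return None                       # rule does not match, no mapping
        self.conntrack[(dst, dport, sport)] = (src, sport)
        return (WAN_IP, sport)

    def inbound(self, src, sport, dport):
        """Packet from src:sport arrives at WAN_IP:dport; return who receives it."""
        entry = self.conntrack.get((src, sport, dport))
        if entry:                             # reply direction of a known flow
            return entry
        if self.dnat == "all" or (self.dnat and dport in self.dnat):
            return (PHONE, dport)             # PREROUTING DNAT rule matches
        return ("router", dport)              # delivered to the router itself

def compare(media_port=44608, ssh_port=22):
    """Receiver of (SIP reply, media from a new peer, SSH to router) per rule set."""
    results = {}
    for name, dnat in [("masq_only", None), ("one_to_one", "all"),
                       ("port_forward", set(range(40000, 50000)))]:
        nat = NatModel(dnat)
        nat.outbound(PHONE, 5060, "198.51.100.5", 5060)  # phone contacts SIP server
        results[name] = (
            nat.inbound("198.51.100.5", 5060, 5060)[0],          # SIP reply
            nat.inbound("198.51.100.77", 10020, media_port)[0],  # media, new peer
            nat.inbound("198.51.100.99", 51515, ssh_port)[0],    # admin traffic
        )
    return results
```

In the 1:1 case every inbound port reaches the phone, so what the phone is exposed to is decided by the filter rules in the FORWARD chain; the port-specific variant narrows that to the forwarded range.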
