* SIP 5060 traffic
From: cc @ 2011-05-31 9:17 UTC
To: netfilter
Hi,
I have a LAN NET and a DMZ NET. I have a SIP phone within the LAN
trying to connect to a proxy at an external site, say A.
Can someone point out if I'm missing anything?
Rules:
$IPT -A FORWARD -o $INET_ETH -p udp --dport 5060 -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INET_ETH -p udp --dport 5060 \
-j SNAT --to-source $INET_IP
When I do a tcpdump, I can see traffic from the LAN go through my
bastion Firewall that routes to my external-facing firewall.
But there is no traffic coming back from the outside.
17:05:19.831000 IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto:
UDP (17), length: 367) LAN_IP.5060 > A_SITE.5060: SIP, length: 339
There's no corresponding entry that has traffic going the other way:
i.e.:
IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto: UDP (17),
length: 367) A_SITE.5060 > LAN_IP.5060: SIP, length: 339
I'm a bit confused. Any clarifications appreciated.
Thanks
Ed
* Re: SIP 5060 traffic
From: Usuário do Sistema @ 2011-05-31 14:55 UTC
To: cc; +Cc: netfilter
I think you have to talk with the other side (support at the SIP server
issue). You can ask about the packets arriving on the SIP server.
You can look in the log too for more details about packet drops.
As it's a UDP connection, try:
$IPT -A FORWARD -i $INET_ETH -p udp --sport 5060 -j ACCEPT
Good luck
2011/5/31 cc <cc@kdtc.net>:
> Hi,
>
> I have a LAN NET and a DMZ NET. I have a SIP phone within the LAN
> trying to connect to a proxy at an external site, say A.
>
> Can someone point out if I'm missing anything?
>
> Rules:
>
> $IPT -A FORWARD -o $INET_ETH -p udp --dport 5060 -j ACCEPT
> $IPT -t nat -A POSTROUTING -o $INET_ETH -p udp --dport 5060 \
> -j SNAT --to-source $INET_IP
>
> When I do a tcpdump, I can see traffic from the LAN go through my
> bastion Firewall that routes to my external-facing firewall.
> But there is no traffic coming back from the outside.
>
> 17:05:19.831000 IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto:
> UDP (17), length: 367) LAN_IP.5060 > A_SITE.5060: SIP, length: 339
>
> There's no corresponding entry that has traffic going the other way:
> i.e.:
>
> IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto: UDP (17),
> length: 367) A_SITE.5060 > LAN_IP.5060: SIP, length: 339
>
> I'm a bit confused. Any clarifications appreciated.
>
> Thanks
>
> Ed
* Re: SIP 5060 traffic
From: Erik Schorr @ 2011-05-31 15:39 UTC
To: cc; +Cc: netfilter
For proper nat of SIP/RTP traffic, you'll probably need to load the
ip_conntrack_sip (now nf_conntrack_sip) and ip_nat_sip (nf_nat_sip)
modules, as well as have the following rules at the top of your INPUT
and FORWARD chains to permit all traffic related to tracked SIP sessions:
$ipt -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
The SIP conntrack module will track sessions on 5060/udp and enable
related return and RTP traffic through the firewall. The SIP nat module
should properly translate the addresses/ports in the SIP headers as they
traverse the firewall, based on how the packets get forwarded.
On 05/31/2011 02:17 AM, cc wrote:
> Hi,
>
> I have a LAN NET and a DMZ NET. I have a SIP phone within the LAN
> trying to connect to a proxy at an external site, say A.
>
> Can someone point out if I'm missing anything?
>
> Rules:
>
> $IPT -A FORWARD -o $INET_ETH -p udp --dport 5060 -j ACCEPT
> $IPT -t nat -A POSTROUTING -o $INET_ETH -p udp --dport 5060 \
> -j SNAT --to-source $INET_IP
>
> When I do a tcpdump, I can see traffic from the LAN go through my
> bastion Firewall that routes to my external-facing firewall.
> But there is no traffic coming back from the outside.
>
> 17:05:19.831000 IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto:
> UDP (17), length: 367) LAN_IP.5060 > A_SITE.5060: SIP, length: 339
>
> There's no corresponding entry that has traffic going the other way:
> i.e.:
>
> IP (tos 0x0, ttl 127, id 1595, offset 0, flags [none], proto: UDP (17),
> length: 367) A_SITE.5060 > LAN_IP.5060: SIP, length: 339
>
> I'm a bit confused. Any clarifications appreciated.
>
> Thanks
>
> Ed
--
Erik Schorr KD6AUT
Advocate and Consultant
VMware/Iptables/Exim/Perl
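As an added diagnostic that is not part of the thread, the checker below reads iptables-save style output and reports which of the pieces Erik lists (SIP modules, helper binding, an ESTABLISHED,RELATED accept at the top of FORWARD) are still missing; the two dumps, the interface eth0, the address 203.0.113.10 and the module lists are constructed for the example.

```python
# Constructed iptables-save style dumps (not from the thread). BROKEN_RULES
# mirrors what Ed posted; FIXED_RULES adds the pieces Erik lists.
BROKEN_RULES = """\
*nat
-A POSTROUTING -o eth0 -p udp -m udp --dport 5060 -j SNAT --to-source 203.0.113.10
*filter
-A FORWARD -o eth0 -p udp -m udp --dport 5060 -j ACCEPT
"""
FIXED_RULES = """\
*raw
-A PREROUTING -p udp -m udp --dport 5060 -j CT --helper sip
*nat
-A POSTROUTING -o eth0 -p udp -m udp --dport 5060 -j SNAT --to-source 203.0.113.10
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth0 -p udp -m udp --dport 5060 -j ACCEPT
"""

def parse_rules(dump):
    """Return {table: [rule, ...]} from iptables-save text, in rule order."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A") and table is not None:
            tables[table].append(line)
    return tables

def sip_findings(dump, modules):
    """List what is still missing for SIP replies and RTP to pass back in."""
    t, out = parse_rules(dump), []
    for mod in ("nf_conntrack_sip", "nf_nat_sip"):
        if mod not in modules:
            out.append("module %s not loaded" % mod)
    # Newer kernels no longer attach helpers automatically, so the SIP helper
    # has to be bound to 5060/udp with a CT rule in the raw table.
    if not any("-j CT" in r and "--helper sip" in r for r in t.get("raw", [])):
        out.append("no 'CT --helper sip' rule in the raw table")
    fwd = [r for r in t.get("filter", []) if r.startswith("-A FORWARD")]
    est = [i for i, r in enumerate(fwd) if "--ctstate" in r
           and "ESTABLISHED" in r and "RELATED" in r and r.endswith("-j ACCEPT")]
    drop = [i for i, r in enumerate(fwd) if "-j DROP" in r or "-j REJECT" in r]
    if not est:
        out.append("FORWARD has no ESTABLISHED,RELATED accept rule")
    elif drop and drop[0] < est[0]:
        out.append("ESTABLISHED,RELATED rule sits below a DROP/REJECT in FORWARD")
    return out
```

On a live box, feed it `iptables-save` output and the module names from `lsmod`; an empty list means the conntrack side of Erik's checklist is in place.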