From: Eliezer Croitoru <eliezer@ngtech.co.il>
To: Jan Engelhardt <jengelh@inai.de>
Cc: "Jörn Krebs" <jk@smartbyte.de>, netfilter <netfilter@vger.kernel.org>
Subject: Re: VoIP conntrack issue
Date: Wed, 14 Nov 2012 17:38:50 +0200
Message-ID: <50A3BB0A.9070301@ngtech.co.il>
In-Reply-To: <alpine.LNX.2.01.1211141055040.4653@nerf07.vanv.qr>

Or instead just use DNAT with specific ports that will allow any other
traffic from this host to others based on basic NAT, what is called
"port-forwarding".

Regards,
Eliezer

On 11/14/2012 1:23 PM, Jan Engelhardt wrote:
> # <-> both ways
>
> First, you only used one MASQUERADE rule, which says to establish a
> mapping 192.168.1.38:P <-> 114.XX.234.123:Q, if and only if,
> 192.168.0.0/16 is the src address on the initiating packet. This is
> not the case for that <122.XX.115.203:10020->114.XX.234.123:44608>
> packet of yours.
> In weird Wikipedia terms, nf_nat implements "Cone NAT" exclusively.
>
> There are two ways here.
>
> 1.
> `modprobe nf_nat_sip` and see if that yields the desired result.
>
>
> If not,
>
> 2.
> To get the "1:1 NAT", you will need to add a "second" cone in the
> other direction, so to speak. This is then something like
>
> 	iptables -t nat -A PREROUTING -i internet [-d 114.XX.234.123] \
> 		-j DNAT --to 192.168.1.38
>
> As you no doubt will notice, this makes the router as a host
> inaccessible on 114.XX.234.123, but that's what 1:1 means.
>
> HTH.
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
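
Added example, not part of the original messages and not netfilter code: a simplified Python model of the lookup order discussed in this thread (existing conntrack mapping first, then a PREROUTING DNAT rule for new flows), comparing MASQUERADE alone, the 1:1 DNAT, and DNAT limited to specific ports. The `Router` class, `demo` function, the documentation-range addresses and the port numbers are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed values: documentation addresses stand in for the masked ones.
ROUTER_WAN = "203.0.113.10"            # router's public address (assumed)
PHONE = "192.168.1.38"                 # internal VoIP host from the thread
LAN = ip_network("192.168.0.0/16")     # source range of the MASQUERADE rule

class Router:
    """Toy model: conntrack lookup first, nat PREROUTING only for new flows."""
    def __init__(self, dnat_to=None, dnat_ports=None):
        self.dnat_to = dnat_to         # DNAT target, or None for no rule
        self.dnat_ports = dnat_ports   # None = every port (1:1), else a set
        self.conntrack = {}            # expected reply tuple -> internal endpoint

    def outbound(self, src, sport, dst, dport):
        # MASQUERADE creates a mapping only when a LAN host initiates.
        if ip_address(src) not in LAN:
            return None
        # Source port kept unchanged for simplicity; real NAT may remap it.
        self.conntrack[(dst, dport, ROUTER_WAN, sport)] = (src, sport)
        return (ROUTER_WAN, sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        # A reply on an existing mapping is translated back to the LAN host.
        hit = self.conntrack.get((src, sport, dst, dport))
        if hit:
            return hit
        # Otherwise it is a new flow: only a DNAT rule can redirect it.
        if self.dnat_to and (self.dnat_ports is None or dport in self.dnat_ports):
            return (self.dnat_to, dport)
        return ("router-local", dport)  # delivered to the router itself

def demo():
    setups = {
        "masq_only": Router(),
        "one_to_one": Router(PHONE),
        "port_forward": Router(PHONE, {44608}),
    }
    out = {}
    for name, r in setups.items():
        r.outbound(PHONE, 44608, "198.51.100.5", 5060)           # phone -> SIP peer
        out[name] = (
            r.inbound("198.51.100.5", 5060, ROUTER_WAN, 44608),   # same peer replies
            r.inbound("198.51.100.77", 10020, ROUTER_WAN, 44608), # different peer
            r.inbound("198.51.100.77", 4000, ROUTER_WAN, 22),     # unrelated port
        )
    return out

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

In this model only the port-limited DNAT both delivers the second peer's packet to the phone and leaves the router reachable on its other ports.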