* Iptables and voip (sip) traffic
@ 2010-04-09 13:53 Indrek Paas
2010-04-10 18:01 ` whiplash
0 siblings, 1 reply; 3+ messages in thread
From: Indrek Paas @ 2010-04-09 13:53 UTC (permalink / raw)
To: netfilter
Hi,
I have searched for information about iptables and the SIP protocol used for
VoIP calls. I remember that this particular protocol had problems
passing firewalls which were configured to use NAT. I have found small
articles and posts with suggestions to rules but these have not been
helpful and I am at a loss. The basic idea is this.
Internet -- Linux firewall -- lan -- "Voip adapter" also "eth0 - ext"
and "eth1 - int"
The VoIP adapter has a static IP address and I used these rules to forward
the traffic to port 5060. And for some reason calls are either silent
or the phone cannot be reached.
IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d "ext.ip.addr" --dport 5060 -j DNAT --to-destination "Voip_adapter_int_ip":5060
IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -j SNAT --to-source "ext.ip.addr"
IPTABLES -N RULE_SIP5060
IPTABLES -A OUTPUT -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A OUTPUT -p udp -m udp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A FORWARD -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A FORWARD -p udp -m udp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A RULE_SIP5060 -j LOG --log-level 4 --log-prefix "RULE SIP5060 -- ACCEPT "
IPTABLES -A RULE_SIP5060 -j ACCEPT
I have also tried these rules, which can be found on various sites.
IPTABLES -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "ext.ip.addr"
And the VoIP service provider claims that the Linux router should be
switched to their Thompson device, because iptables "interferes with
their service". So any help and information is greatly appreciated.
Sincerely,
Indrek Paas
* Re: Iptables and voip (sip) traffic
From: whiplash @ 2010-04-10 18:01 UTC (permalink / raw)
To: netfilter
Indrek Paas wrote:
> Hi,
>
> I have searched for information about iptables and the SIP protocol used for
> VoIP calls. I remember that this particular protocol had problems
> passing firewalls which were configured to use NAT.
[...]
> And the VoIP service provider claims that the Linux router should be
> switched to their Thompson device, because iptables "interferes with
> their service". So any help and information is greatly appreciated.
The Linux kernel already has two modules for handling natting and conntracking
of the SIP protocol, nf_nat_sip and nf_conntrack_sip; your VoIP service
provider is trying to sell you something you don't really need, possibly.
HTH.
* Re: Iptables and voip (sip) traffic
From: Indrek Paas @ 2010-04-11 9:07 UTC (permalink / raw)
To: netfilter
On Sat, Apr 10, 2010 at 9:01 PM, whiplash <whiplash@bofhland.org> wrote:
> Indrek Paas wrote:
>> Hi,
>>
>> I have searched for information about iptables and the SIP protocol used for
>> VoIP calls. I remember that this particular protocol had problems
>> passing firewalls which were configured to use NAT.
> [...]
>> And the VoIP service provider claims that the Linux router should be
>> switched to their Thompson device, because iptables "interferes with
>> their service". So any help and information is greatly appreciated.
>
> The Linux kernel already has two modules for handling natting and conntracking
> of the SIP protocol, nf_nat_sip and nf_conntrack_sip; your VoIP service
> provider is trying to sell you something you don't really need, possibly.
>
> HTH.
So there is no need for special iptables rules to manage the SIP protocol,
other than allowing the traffic for port 5060? If this is true then I can ask
the provider to look over the settings for the VoIP account.
Indrek P.
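
Added example, not part of the thread: the nf_conntrack_sip and nf_nat_sip modules named in the reply exist because SIP carries addresses and media ports inside the message body, where a plain DNAT/SNAT rule on port 5060 does not reach. This Python sketch lists those fields in a constructed INVITE; the message, the addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed, abbreviated INVITE as a VoIP adapter behind NAT might send it;
# every address, name and port here is made up for illustration.
SAMPLE_INVITE = (
    "INVITE sip:bob@provider.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def embedded_private_addrs(msg):
    """List (field, address) for each RFC 1918 address inside the SIP/SDP text."""
    found = []
    for line in msg.splitlines():
        field = re.split(r"[:=]", line, maxsplit=1)[0].strip()
        for text in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # dotted text that is not a valid address
                continue
            if any(addr in net for net in RFC1918):
                found.append((field, text))
    return found

def media_ports(msg):
    """List (media, port) from SDP m= lines: ports a rule on 5060 does not cover."""
    ports = []
    for line in msg.splitlines():
        if line.startswith("m="):
            media, port = line[2:].split()[:2]
            ports.append((media, int(port.split("/")[0])))
    return ports

if __name__ == "__main__":
    print(embedded_private_addrs(SAMPLE_INVITE))
    print(media_ports(SAMPLE_INVITE))
```

Each field reported is a LAN address the far end would see unless something rewrites the payload, and each media port is a separate UDP flow that has to be matched as related to the signalling connection.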