netfilter.vger.kernel.org archive mirror
From: Indrek Paas <indrekpaas@gmail.com>
To: netfilter@vger.kernel.org
Subject: Iptables and voip (sip) traffic
Date: Fri, 9 Apr 2010 16:53:05 +0300
Message-ID: <o2m596a60ad1004090653r8d00d435wfa96256b847dece8@mail.gmail.com>

Hi,

I have searched for information about iptables and the SIP protocol used for
VoIP calls. I remember that this particular protocol had problems
passing firewalls which were configured to use NAT. I have found small
articles and posts with suggested rules, but these have not been
helpful and I am at a loss. The basic idea is this.

Internet -- Linux firewall -- lan -- "Voip adapter" also "eth0 - ext"
and "eth1 - int"

The VoIP adapter has a static IP address and I used these rules to forward
the traffic to port 5060. For some reason calls are either silent
or the phone cannot be reached.

IPTABLES -t nat -A PREROUTING -p tcp -m tcp -d "ext.ip.addr" --dport 5060 -j DNAT --to-destination "Voip_adapter_int_ip":5060
IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -j SNAT --to-source "ext.ip.addr"

IPTABLES -N RULE_SIP5060
IPTABLES -A OUTPUT -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A OUTPUT -p udp -m udp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A FORWARD -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A FORWARD -p udp -m udp -d "Voip_adapter_int_ip" --dport 5060 -m state --state ESTABLISHED,RELATED -j RULE_SIP5060
IPTABLES -A RULE_SIP5060 -j LOG --log-level 4 --log-prefix "RULE SIP5060 -- ACCEPT "
IPTABLES -A RULE_SIP5060 -j ACCEPT

I have also tried these rules, which can be found on various sites.

IPTABLES -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "ext.ip.addr"

And the VoIP service provider claims that the Linux router should be
switched to their Thompson device, because iptables "interferes with
their service". So any help and information is greatly appreciated.

Sincerely,

Indrek Paas
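For reference, an added example that is not from the original thread or any of its participants: a rule set that forwards SIP signalling over UDP (the usual transport for SIP) to a LAN VoIP adapter and loads the kernel's SIP connection-tracking and NAT helper, which is what lets the RTP media ports negotiated inside the SDP body be translated instead of producing silent calls. The interface names, addresses and RTP port range are placeholder assumptions; the script prints the rules for review and only applies them when run with APPLY=1.

```shell
#!/bin/sh
# Added example: rules for passing SIP + RTP through a Linux NAT router to a LAN
# VoIP adapter. Addresses, interfaces and RTP range below are placeholders.
EXT_IF=${EXT_IF:-eth0}                   # Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                   # LAN interface
EXT_IP=${EXT_IP:-203.0.113.10}           # public address (documentation range)
ADAPTER_IP=${ADAPTER_IP:-192.168.1.20}   # static LAN address of the VoIP adapter
RTP_RANGE=${RTP_RANGE:-10000:20000}      # RTP port range configured on the adapter

# Emit the rule set on stdout. Nothing is executed here, so the output can be
# reviewed (or checked by a test) without root; "APPLY=1 sh script" runs it.
sip_nat_rules() {
  ext_ip=$1; adapter=$2; rtp=$3
  cat <<EOF
modprobe nf_conntrack_sip
modprobe nf_nat_sip
sysctl -w net.ipv4.ip_forward=1
# Bind the SIP helper explicitly (kernels >= 3.5 no longer auto-assign helpers).
iptables -t raw -A PREROUTING -i $EXT_IF -p udp --dport 5060 -j CT --helper sip
iptables -t raw -A PREROUTING -i $LAN_IF -p udp --dport 5060 -j CT --helper sip
# SIP signalling: UDP 5060 to the adapter (add TCP only if the provider uses it).
iptables -t nat -A PREROUTING -i $EXT_IF -d $ext_ip -p udp --dport 5060 -j DNAT --to-destination $adapter:5060
# Fallback for RTP if the helper cannot parse the SDP; the helper normally
# creates RELATED expectations for the media ports on its own.
iptables -t nat -A PREROUTING -i $EXT_IF -d $ext_ip -p udp --dport $rtp -j DNAT --to-destination $adapter
# Source-NAT the adapter's outbound registration and media behind the public IP.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $adapter -j SNAT --to-source $ext_ip
# Filter: helper-expected RTP flows arrive as RELATED, so one rule covers them.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $adapter -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -d $adapter -p udp --dport $rtp -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $adapter -j ACCEPT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  sip_nat_rules "$EXT_IP" "$ADAPTER_IP" "$RTP_RANGE" | sh -e
else
  sip_nat_rules "$EXT_IP" "$ADAPTER_IP" "$RTP_RANGE"
fi
```

After applying, `cat /proc/net/nf_conntrack | grep sip` (or `conntrack -L`) should show the 5060 flow tagged with the helper and RTP entries appearing as expected connections during a call.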
