On Saturday 01 of October 2005 22:57, /dev/rob0 wrote:
> On Saturday 2005-October-01 13:03, Marek Zachara wrote:
> > I'm trying to get asterisk IAX protocol to be routed properly. This
> > is UDP packets destined for port 4569. I need them to be sent out
> > from the box at eth1 with source 192.168.100.1 (internal net at eth0
> > is 10.0.0.0/24)
> >
> > the nat/postrouting table looks like this (i waited for about 10
>
> snip
>
> > Any suggestions what i could be doing wrong?
>
> This is asterisk running on the iptables box itself? Try nat/OUTPUT.
>
> I won't guess. Post complete network topology information and your
> iptables-save output. Why do you want to NAT from one RFC 1918 address
> to another one? I bet there is a better way to do this. I don't have
> any trouble with IAX/IAX2 behind NAT.

Here is (in short) the topology:

10.0.0.250 (asterisk)
 |
10.0.0.1 (eth0)
192.168.100.1-3 (eth1)   (router1)
 |
192.168.192.1 (eth0)
public.ip (eth1)   (router2)
 |
internet

Now I want packets generated by asterisk (10.0.0.250) and destined to the
outside world to leave router1 with a source address of 192.168.100.1, as
this is needed to route them properly at router2.

Unfortunately, the IAX packets leave router1 with source 10.0.0.250, which
makes the response undeliverable (as router2 doesn't know anything about
the 10.x.x.x network).

Here is the tcpdump at router2:

cerber:~# tcpdump -ni eth0 udp port 4569
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:20:31.825854 IP 10.0.0.250.4569 > 84.16.64.240.4569: UDP, length: 12
09:20:33.827356 IP 10.0.0.250.4569 > 84.16.64.240.4569: UDP, length: 12
09:20:33.827450 IP 10.0.0.250.4569 > 84.16.64.240.4569: UDP, length: 25

Here is the full ruleset of the NAT table at router1. Most of it is not
relevant. However, there are two types of UDP packets generated by
asterisk: SIP (5060) and IAX2 (4569).

Now, the SIP packets are routed correctly - they hit the SNAT rule and
leave router1 with source 192.168.100.1, but the IAX packets somehow
manage to 'bypass' the iptables rules and leave unmodified...

irongate:~# iptables -t nat -nL
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.100.1       tcp dpt:21 to:10.0.0.250
DNAT       tcp  --  0.0.0.0/0            192.168.100.1       tcp dpt:22 to:10.0.0.7
DNAT       udp  --  0.0.0.0/0            192.168.100.1       udp dpt:5060 to:10.0.0.250
DNAT       udp  --  0.0.0.0/0            192.168.100.1       udp dpt:4569 to:10.0.0.250
DNAT       tcp  --  0.0.0.0/0            192.168.100.2       tcp dpts:5000:5999 to:10.0.0.251
DNAT       udp  --  0.0.0.0/0            192.168.100.2       udp dpts:5000:5999 to:10.0.0.251

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:1194 to:192.168.100.1
SNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:5060 to:192.168.100.1
SNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4569 to:192.168.100.1
SNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:3478 to:192.168.100.1
SNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:32000 to:192.168.100.2
SNAT       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:1024:32000 to:192.168.100.2
SNAT       all  --  10.0.0.251           0.0.0.0/0           to:192.168.100.2
SNAT       all  --  0.0.0.0/0            0.0.0.0/0           to:192.168.100.3

Thanks for any help ;)
Marek
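
An added example, not part of the original message: a small Python model of first-match evaluation over the POSTROUTING chain exactly as posted, to check which SNAT rule the IAX2 packets from the tcpdump should hit. The function names are hypothetical, and the model covers only the protocol, source, destination and destination-port matches visible in the listing.

```python
import ipaddress
import re

# POSTROUTING chain copied from the message (iptables -t nat -nL output).
# Assumption: -nL does not print interface matches, so the rules are modelled without any.
POSTROUTING = """\
SNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 to:192.168.100.1
SNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 to:192.168.100.1
SNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 to:192.168.100.1
SNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3478 to:192.168.100.1
SNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:32000 to:192.168.100.2
SNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:1024:32000 to:192.168.100.2
SNAT all -- 10.0.0.251 0.0.0.0/0 to:192.168.100.2
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:192.168.100.3
"""

def parse_rules(listing):
    """Turn SNAT lines of an `iptables -nL` listing into match dictionaries."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "SNAT":
            continue
        m = re.search(r"dpts?:(\d+)(?::(\d+))?", line)  # dpt:N or dpts:LO:HI
        lo = int(m.group(1)) if m else 0
        hi = int(m.group(2) or m.group(1)) if m else 65535
        rules.append({
            "proto": f[1],
            "src": ipaddress.ip_network(f[3]),
            "dst": ipaddress.ip_network(f[4]),
            "dports": (lo, hi),
            "to": re.search(r"to:(\S+)", line).group(1),
        })
    return rules

def first_match(rules, proto, src, dst, dport):
    """Return (1-based rule number, SNAT address) of the first matching rule, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if (r["proto"] in ("all", proto) and s in r["src"] and d in r["dst"]
                and r["dports"][0] <= dport <= r["dports"][1]):
            return n, r["to"]  # SNAT is a terminating target: evaluation stops here
    return None

RULES = parse_rules(POSTROUTING)

if __name__ == "__main__":
    # Packets as seen in the message: IAX2 from the tcpdump, and SIP for comparison.
    print("IAX2:", first_match(RULES, "udp", "10.0.0.250", "84.16.64.240", 4569))
    print("SIP: ", first_match(RULES, "udp", "10.0.0.250", "84.16.64.240", 5060))
```

By the listing alone, the IAX2 packets match rule 3 just as SIP matches rule 2, so the rule order does not account for the difference. The nat table is consulted only for the first packet of a connection-tracked flow, so a flow whose conntrack entry already exists is not re-evaluated against rules added later.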