SIP vs NAT, the configuration

Hi all,

I have finally managed to configure my iptables so SIP clients under NAT can make calls outside and clients outside can call clients in the LAN. The aim of this email is to post my configuration as a help for those trying to configure iptables in the same way.

Firstly, it is necessary to be sure that you have kernel support for modules nf_conntrack_sip and nf_nat_sip:

cng@cng:/etc/ser$ modprobe -l | grep sip
kernel/net/netfilter/nf_conntrack_sip.ko
kernel/net/ipv4/netfilter/nf_nat_sip.ko

If you do not have them, then you will need to build the kernel with support for them (but my kernel is 2.6.31 and they are included by default).

So the next step is to configure the iptables script. I have added comments so everybody can understand:

# Load modules:
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe nf_conntrack
/sbin/modprobe nf_nat

# When loading nf_conntrack_sip and nf_nat_sip it is important to respect the
# order: first nf_conntrack_sip and then nf_nat_sip.
# If your SIP connection is to dest. udp port 5060 then it is not necessary to
# add "ports=5060,4060", but if the SIP connection has to be made to another
# port, then the structure is "ports=5060,xxx" where xxx is your port.
# (I think you can add up to 8 ports, not sure)

/sbin/modprobe nf_conntrack_sip ports=5060,4060 sip_direct_signalling=0 sip_direct_media=0
/sbin/modprobe nf_nat_sip

# Remove all rules and chains (this step is not necessary, it was for my
# personal configuration):
iptables -F
iptables -X

# Forward: Again, if your dest. udp port is 5060 you only need the first two
# rules.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp --dport 4060 -j ACCEPT

# Finally masquerade:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.xx.xx.xx

# End message:
echo " [End iptables rules setting]"

This is all. I hope it will help.
Also I want again to thank François for all his support.

Regards,
Rebeca Martinez
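
An added example, not part of the original post: a consistency check for the script above, which reports UDP ports that FORWARD accepts but that are missing from the "ports=" list given to nf_conntrack_sip. The function name and sample rules are constructed here, and it assumes every UDP --dport ACCEPT rule in FORWARD is a SIP signalling port, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): report UDP ports that the FORWARD
# chain accepts but the nf_conntrack_sip helper does not watch.
# Assumption: every "-p udp --dport N -j ACCEPT" rule in FORWARD is a SIP
# signalling port, as in the script above.

# $1: helper port list, the value given as "ports=" (e.g. "5060,4060")
# $2: FORWARD rules in `iptables -S FORWARD` format
# Prints the uncovered ports, one per line; returns 1 if there are any.
uncovered_sip_ports() {
    helper_ports=$1
    rules=$2
    status=0
    for port in $(printf '%s\n' "$rules" |
        sed -n 's/^-A FORWARD .*-p udp .*--dport \([0-9][0-9]*\) .*-j ACCEPT.*$/\1/p'); do
        case ",$helper_ports," in
            *",$port,"*) ;;                       # helper tracks this port
            *) printf '%s\n' "$port"; status=1 ;; # accepted, but no helper
        esac
    done
    return $status
}

# Constructed sample: the three FORWARD rules from the post, written the way
# `iptables -S FORWARD` prints them.
SAMPLE_RULES='-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -p udp -m udp --dport 4060 -j ACCEPT'

# On a live gateway (as root) the two inputs would be:
#   "$(cat /sys/module/nf_conntrack_sip/parameters/ports)"  and  "$(iptables -S FORWARD)"
if uncovered_sip_ports "5060,4060" "$SAMPLE_RULES"; then
    echo "helper covers every forwarded SIP port"
fi
```

A port listed by the function is forwarded without the helper inspecting its SIP traffic, so calls signalled on that port get no RELATED media expectations and no address rewriting.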