Hi all,
I have finally managed to configure my iptables so SIP clients under
NAT can make calls outside and clients outside can call clients in the
LAN.
The aim of this email is to post my configuration as a help for those
trying to configure iptables in the same way.
Firstly, it is necessary to be sure that you have kernel support for
modules nf_conntrack_sip and nf_nat_sip:
cng@cng:/etc/ser$ modprobe -l | grep sip
kernel/net/netfilter/nf_conntrack_sip.ko
kernel/net/ipv4/netfilter/nf_nat_sip.ko
If you do not have them, then you will need to build the kernel with
support for them (but my kernel is 2.6.31 and they are by default).
So next step is to configure the iptables script. I have made comments
so everybody can understand:
# Load modules:
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe iptable_filter
/sbin/modprobe nf_conntrack
/sbin/modprobe nf_nat
# To load nf_conntrack_sip and nf_nat_sip is important to respect the order:
# first nf_conntrack_sip and then nf_nat_sip.
# If your SIP connection is to dest. udp port 5060 then it is not
necessary to # add "ports=5060,4060", but if you have the problem that
is to another port
# that the SIP connection is to be done, then the structure is "ports=5060,xxx
# were xxx is your port. (I think you can add up to 8 ports, not sure)
/sbin/modprobe nf_conntrack_sip ports=5060,4060
sip_direct_signalling=0 sip_direct_media=0
/sbin/modprobe nf_nat_sip
# Remove all rules and chains (this step is not necessary, it was for my
# personal configuration):
iptables -F
iptables -X
# Forward: Again, if your dest. udp port is 5060 you only need the first two
# rules.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp --dport 4060 -j ACCEPT
# Finally masquerade:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.xx.xx.xx
# End message:
echo " [End iptables rules setting]"
This is all. I hope it will help.
Also I want again to thank François for all his support.
Regards,
Rebeca Martinez
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html