Hi all,
I think it is better to explain the complete situation.
I have 2 SIP clients in a private LAN that connect to a public
Server/Proxy by means of a gateway. Actually, this Server/Proxy is not
one machine but 4: one of them is a Proxy (the first contact point of
the SIP clients to this "platform") and another one is the Server
where the register and authentication procedures are done.
This means that when a "private" client wants to register in this
"platform", its REGISTER message is directed to the Proxy via the
gateway. To make it simple, let's assume that in the "platform" the
Proxy directly redirects the REGISTER message to the Server (it is in
fact a little more complicated but at the end the message reaches that
Server). However, as there is no authentication information on the
message, it sends back to the client a 401 Unauthorized error.
The client incorporates the authentication information needed to the
REGISTER message and sends it again to the Proxy and now the Server
accepts the registration (it sends a 200 OK). Now this client can call
other users registered in this "platform".
But, as the gateway NATs all incoming messages from the LAN, I faced
problems of one-way audio and non-routing IP addresses. That was
solved by incorporating to the CNG's iptables the nf_conntrack_sip and
nf_nat_sip modules.
If a client wants to call another client (it does not matter if it is
private or public, it redirects the INVITE message to the "platform"
because it knows the callee location). So a call between two private
clients is as I have shown in a previous e-mail (I skip the
communication inside the platform):
Caller -------1.INVITE------> ----------2.INVITE-------->
Gateway (NAT) Proxy
nf_conntrack_sip+nf_nat_sip
Callee <-----4.INVITE------- <---------3.INVITE--------
1: INVITE sip:callee@xxxxxxxxxxxxx
From: sip:caller@xxxxxxxxxxxxx
To: sip:callee@xxxxxxxxxxxxx
Contact: sip:caller@xxxxxxxxxxx:5061
2. INVITE sip:callee@xxxxxxxxxxxxx
From: sip:caller@xxxxxxxxxxxxx
To: sip:callee@xxxxxxxxxxxxx
Contact: sip:caller@xxxxxxxx:5061
3. INVITE sip:callee@xxxxxxxx:5060
From: sip:caller@xxxxxxxxxxxxx
To: sip:callee@xxxxxxxxxxxxx
Contact: sip:caller@xxxxxxxx:5061
4. INVITE sip:callee@xxxxxxxx:5061
From: sip:caller@xxxxxxxxxxxxx
To: sip:callee@xxxxxxxxxxxxx
Contact: sip:caller@xxxxxxxx:5061
And is in the 4.INVITE where I have realised there is a problem: it
does not change the public IP of the callee to the private one,
neither change the Contact IP of the caller.
So when they start to send their RTP streams, they send them to the
public IP of my gateway on the corresponding port. The caller sends
the stream to the 127.1.y.y.5060 and my gateway redirects it to the
192.168.x.x:5060.
So I guess that the gateway has a table in which it indicates for each
private_ip:port the corresponding public_ip:port.
Then, if the gateway has this table (that in fact is like a local
location information), is it possible to configure "something" in
iptables to, knowing that the requested callee is inside the LAN,
route the message directly to it?
I only want to enable internal calls.
I also tried configuring SER but it is very problematic with the
authentication during the register process.
I will appreciate any help and sorry for the long explanation.
Thanks in advance,
Rebeca Martinez
"Patrick McHardy" <kaber@xxxxxxxxx> escribió:
rebeca.martinez-garcia@xxxxxxxxxxxxxxxxx wrote:
Hi all,
I have been working with nf_conntrack_sip and nf_nat_sip for a while to
permit SIP clients in a private LAN can connect to servers outside
without problems.
However, in the case of an internal call, I was wondering if it is
possible that these two modules detect that the incoming INVITE from the
LAN is to another client of the same LAN and so not routing it outside.
Is it possible??
Yes, the module does exactly that when the NAT module is loaded.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html