Iptables and voip (sip) traffic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I have searched information about iptables and Sip protocol used for
Voip calls. I remember that this particular protocol had problems
passing firewalls which were configured to use NAT. I have found small
articles and posts with suggestions to rules but these have not been
helpful and I am at a loss. The basic idea is this.

Internet -- Linux firewall -- lan -- "Voip adapter" also "eth0 - ext"
and "eth1 - int"

Voip adapter has static ip address and I used these rules to forward
the traffic to port 5060. And for some reason calls are either silent
or the phone cannot be reached.

IPTABLES -t nat -A PREROUTING  -p tcp -m tcp   -d "ext.ip.addr"
--dport 5060 -j DNAT --to-destination "Voip_adapter_int_ip":5060
IPTABLES -t nat -A POSTROUTING -o eth1 -p tcp -m tcp   -d
"Voip_adapter_int_ip" --dport 5060 -j SNAT --to-source "ext.ip.addr"

IPTABLES -N RULE_SIP5060
IPTABLES -A OUTPUT -p tcp -m tcp -d "Voip_adapter_int_ip" --dport 5060
 -m state --state ESTABLISHED,RELATED  -j RULE_SIP5060
IPTABLES -A OUTPUT -p udp -m udp -d "Voip_adapter_int_ip" --dport 5060
 -m state --state ESTABLISHED,RELATED  -j RULE_SIP5060
IPTABLES -A FORWARD -p tcp -m tcp -d "Voip_adapter_int_ip"  --dport
5060  -m state --state ESTABLISHED,RELATED  -j RULE_SIP5060
IPTABLES -A FORWARD -p udp -m udp -d "Voip_adapter_int_ip"  --dport
5060  -m state --state ESTABLISHED,RELATED  -j RULE_SIP5060
IPTABLES -A RULE_SIP5060 -j LOG  --log-level 4 --log-prefix "RULE
SIP5060 -- ACCEPT "
IPTABLES -A RULE_SIP5060  -j ACCEPT

Also have tried these rules which can be found on various sites.

IPTABLES -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "ext.ip.addr"

And voip service provider claims that the Linux router should be
switched to their Thompson device. Because iptables "interferes with
their service". So any help and information is greatly appreciated.

Sincerely,

Indrek Paas
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux