NAT appears to be unaware of ports in use on router

I have asterisk running SIP on a router using UDP port 5060 that's
also handling NAT for a network. I'm often doing testing behind NAT
with other SIP devices using UDP port 5060 talking to the internet,
and have run into a problem where NAT is able to claim 5060. I have
witnessed this occurring both when the asterisk service is stopped
(the obvious case), but I have also run into it when asterisk was up
and running fine.

When this occurs, either the device under test works, or the asterisk
service continues to operate but the NAT mapping for the device under
test ends up sending return traffic to the asterisk service.

Are there some extra options I should be enabling so that iptables is
aware of services running on the system which use ports > 1024? Or
some way to inform iptables of port ranges to not allocate from so
that it does not interfere?

Here is my existing configuration:

iptables v1.4.7
eth0 - internet
br0 - internal network

*nat
# everything leaving eth0 is masqueraded; no --to-ports range is given, so
# the kernel picks the source port with its default heuristic
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP
:INPUT DROP
:OUTPUT ACCEPT
# anything not arriving on the internet side (br0, lo) is trusted
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p gre -j ACCEPT
# asterisk on the router: SIP signalling (udp/5060) and the RTP media range
-A INPUT -i eth0 -p udp --dport sip -j ACCEPT
-A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
COMMIT

Cheers,
spd
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
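An added worked example (mine, not code from the poster above): the MASQUERADE and SNAT targets accept --to-ports port[-port], which "overrides the default SNAT source port-selection heuristics" (iptables man page). That default tries to keep the original source port and, as I understand it, only avoids tuples already present in the conntrack table, not ports bound by local sockets; so a phone behind br0 sending from udp/5060 can be mapped to eth0-address:5060, the same tuple asterisk on the router is using. The script below emits a *nat section that confines tcp and udp masquerading to a range that stays clear of 5060 and of the 10000-20000 RTP range opened in the posted INPUT rules, and refuses to emit it if the range overlaps a reserved port. The range 30000-60000 and the reading of 10000-20000 as asterisk's RTP range are my assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Confines MASQUERADE to an explicit source-port range and checks that the
# range stays clear of ports the router itself listens on.
#
# Assumptions (not stated on the page): 30000-60000 is unused on the router,
# and 10000-20000 (opened in the posted INPUT rules) is asterisk's RTP range.

NAT_LO=30000
NAT_HI=60000

# Ports the router must keep for itself, taken from the posted INPUT rules:
# SIP on udp/5060 and the RTP range.  A constructed list, not read live.
RESERVED="5060 10000-20000"

# overlaps A_LO A_HI B_LO B_HI -> exit 0 if the two inclusive ranges share a port
overlaps() {
    [ "$1" -le "$4" ] && [ "$2" -ge "$3" ]
}

# nat_range_clashes "ENTRY ENTRY..." LO HI
# Each ENTRY is a single port (5060) or an inclusive range (10000-20000).
# Reports every entry the NAT range LO-HI would collide with; exit 1 if any.
nat_range_clashes() {
    clash=0
    for e in $1; do
        lo=${e%-*}; hi=${e#*-}        # a bare port gives lo == hi
        if overlaps "$lo" "$hi" "$2" "$3"; then
            echo "NAT range $2-$3 overlaps reserved $e" >&2
            clash=1
        fi
    done
    return $clash
}

# nat_table LO HI -> prints an iptables-restore *nat section.
# --to-ports is only accepted together with -p tcp or -p udp, so those two
# get the confined range and a plain MASQUERADE catches everything else
# (GRE, ICMP, ...), which has no port to pick anyway.
nat_table() {
    cat <<EOF
*nat
-A POSTROUTING -o eth0 -p udp -j MASQUERADE --to-ports $1-$2
-A POSTROUTING -o eth0 -p tcp -j MASQUERADE --to-ports $1-$2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# live_udp_listeners -> UDP ports bound on this host, one per line, so the
# same check can be run against the real box instead of the constructed list:
#   nat_range_clashes "$(live_udp_listeners | tr '\n' ' ')" 30000 60000
live_udp_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null
    else
        netstat -lun 2>/dev/null
    fi | awk '{ for (i = 1; i <= NF; i++)
                  if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break } }' |
      sort -un
}

# main -> prints the *nat section only when the range is clear of RESERVED
main() {
    if nat_range_clashes "$RESERVED" "$NAT_LO" "$NAT_HI"; then
        nat_table "$NAT_LO" "$NAT_HI"
    else
        echo "refusing to emit a NAT table that collides with local services" >&2
        return 1
    fi
}

main
```

Load the output with iptables-restore in place of the posted *nat section (iptables-restore only replaces the tables named in its input, so the *filter table is left alone). Two caveats: a narrower source-port range gives an off-path attacker fewer ports to guess, so keep it as wide as the local listeners allow; and if nf_nat_sip / nf_conntrack_sip are loaded (lsmod | grep nf_nat_sip), the SIP helper will also be rewriting SIP and SDP for traffic on 5060, which is worth ruling out as a second cause of crossed-over return traffic.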

