I have asterisk running SIP on a router using UDP port 5060 that's also handling NAT for a network. I'm often doing testing behind NAT with other SIP devices using UDP port 5060 talking to the internet, and have run into a problem where NAT is able to claim 5060. I have witnessed this occurring both when the asterisk service is stopped (the obvious case), but I have also run into it when asterisk was up and running fine. When this occurs, either the device under test works, or the asterisk service continues to operate but the NAT mapping for the device under test ends up sending return traffic to the asterisk service. Are there some extra options I should be enabling so that iptables is aware of services running on the system which use ports > 1024? Or some way to inform iptables of port ranges to not allocate from so that it does not interfere? Here is my existing configuration: iptables v1.4.7 eth0 - internet br0 - internal network *nat -A POSTROUTING -o eth0 -j MASQUERADE COMMIT *filter :FORWARD DROP :INPUT DROP :OUTPUT ACCEPT -A INPUT ! -i eth0 -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p gre -j ACCEPT -A INPUT -i eth0 -p udp --dport sip -j ACCEPT -A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT -A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset -A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i br0 -j ACCEPT COMMIT Cheers, spd -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
