Re: NAT appears to be unaware of ports in use on router

On 20 July 2010 18:00, Simon Ditner <sditner@xxxxxxxxx> wrote:
>
> I have asterisk running SIP on a router using UDP port 5060 that's
> also handling NAT for a network. I'm often doing testing behind NAT
> with other SIP devices using UDP port 5060 talking to the internet,
> and have run into a problem where NAT is able to claim 5060. I have
> witnessed this occurring both when the asterisk service is stopped
> (the obvious case), but I have also run into it when asterisk was up
> and running fine.

You can use the --to-ports option to restrict the port range masq uses...

> *nat
> -A POSTROUTING -o eth0 -j MASQUERADE

-A POSTROUTING -o eth0 -j MASQUERADE --to-ports 6000-50000

The rule above would restrict MASQUERADE to using ports from 6000 to 50000.
(From memory doesn't postrouting and masq need a protocol when used
with ports... in which case...

-A POSTROUTING -p udp -o eth0 -j MASQUERADE --to-ports 6000-50000
-A POSTROUTING -p tcp -o eth0 -j MASQUERADE --to-ports 6000-50000
# iptables accepts only one -p per rule, so a catch-all with no protocol
# match is used instead; the tcp/udp rules above match first and MASQUERADE
# terminates, so this rule only sees the remaining protocols
-A POSTROUTING -o eth0 -j MASQUERADE

Should provide port mapping for the udp and tcp and normal masq for
non-tcp/udp - might need to split the not tcp / udp line into two -
not sure if you can combine two negative matches and currently don't
have a linux box in reach :( )

R.

Note:
Reading some more info on the masq target:-
"It is still possible to use the MASQUERADE target instead of SNAT
even though you do have a static IP, however, it is not favorable
since it will add extra overhead, and there may be inconsistencies in
the future which will thwart your existing scripts and render them
"unusable". "






--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.pbase.com/arimus - My online photogallery
http://uk.linkedin.com/in/richardhorton1972 - My linkedin profile
http://www.solstans.co.uk/richard - Online CV
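Added example, not part of the thread and not netfilter's own code: a small Python lint that reads a *nat block in iptables-restore syntax and flags the three pitfalls the reply circles around: a --to-ports range with no -p tcp/udp, two -p options in one rule, and a MASQUERADE rule whose port range (or lack of one) still lets a masqueraded client keep a source port that a service on the router itself needs. The two rulesets and the reserved port 5060 are constructed for illustration; the set of protocols that accept --to-ports is an assumption based on the iptables-extensions documentation.

```python
"""Lint a *nat block (iptables-restore syntax) for MASQUERADE port mistakes.

Added example, not code from the original thread; the rulesets below are
constructed for illustration.
"""
import shlex

SIP_PORT = 5060  # port the router's own SIP service needs to keep (assumed)

# Constructed: the corrected three-rule layout from the reply.
GOOD_RULES = """\
*nat
-A POSTROUTING -p udp -o eth0 -j MASQUERADE --to-ports 6000-50000
-A POSTROUTING -p tcp -o eth0 -j MASQUERADE --to-ports 6000-50000
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed: the mistakes discussed in the thread, one per rule.
BAD_RULES = """\
*nat
-A POSTROUTING -o eth0 -j MASQUERADE --to-ports 6000-50000
-A POSTROUTING -p udp -o eth0 -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING ! -p tcp ! -p udp -o eth0 -j MASQUERADE
COMMIT
"""

# Protocols for which --to-ports is meaningful (assumption from the docs).
PORT_PROTOS = ("tcp", "udp", "sctp", "dccp")


def parse_rule(line):
    """Parse one '-A CHAIN ...' line into the fields the lint needs.

    Returns None for non-rule lines (*nat, COMMIT, '#' comments).
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "proto": None, "proto_opts": 0,
            "target": None, "to_ports": None}
    negate = False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True          # applies to the option that follows
            i += 1
            continue
        if tok in ("-p", "--protocol"):
            rule["proto_opts"] += 1
            if not negate:         # a negated -p selects no protocol
                rule["proto"] = tokens[i + 1].lower()
            i += 2
        elif tok in ("-j", "--jump"):
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok == "--to-ports":
            lo, _, hi = tokens[i + 1].partition("-")
            rule["to_ports"] = (int(lo), int(hi) if hi else int(lo))
            i += 2
        else:
            i += 1                 # -o, -s, -d and their values: skipped
        negate = False
    return rule


def lint_nat_rules(text, reserved_ports=(SIP_PORT,)):
    """Return a list of (line_number, message) findings for a *nat block."""
    findings = []
    covered = set()  # (chain, proto) pairs already masqueraded with --to-ports
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["target"] != "MASQUERADE":
            continue
        if rule["proto_opts"] > 1:
            findings.append((lineno, "iptables allows one -p per rule; use "
                                     "separate rules or a plain catch-all"))
        rng = rule["to_ports"]
        if rng is not None:
            if rule["proto"] not in PORT_PROTOS:
                findings.append((lineno, "--to-ports needs -p tcp or -p udp"))
            else:
                covered.add((rule["chain"], rule["proto"]))
            hit = [p for p in reserved_ports if rng[0] <= p <= rng[1]]
            if hit:
                findings.append((lineno, f"--to-ports {rng[0]}-{rng[1]} still "
                                         f"contains reserved port(s) {hit}"))
        elif rule["proto"] in (None, "tcp", "udp"):
            # Without --to-ports, masquerading keeps the client's source port
            # when it can, so a client using 5060 collides with the local
            # service; fine only if tcp/udp were already handled above.
            need = {"tcp", "udp"} if rule["proto"] is None else {rule["proto"]}
            if not all((rule["chain"], p) in covered for p in need):
                findings.append((lineno, "MASQUERADE without --to-ports keeps "
                                         "client source ports, e.g. 5060"))
    return findings


if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, "->", lint_nat_rules(rules) or "no findings")
```

Run as a script it reports nothing for the corrected layout and four findings for the constructed bad block; pointing lint_nat_rules at the output of `iptables-save -t nat` (via a file) is the intended use.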

