On 20 July 2010 18:00, Simon Ditner <sditner@xxxxxxxxx> wrote: > > I have asterisk running SIP on a router using UDP port 5060 that's > also handling NAT for a network. I'm often doing testing behind NAT > with other SIP devices using UDP port 5060 talking to the internet, > and have run into a problem where NAT is able to claim 5060. I have > witnessed this occurring both when the asterisk service is stopped > (the obvious case), but I have also run into it when asterisk was up > and running fine. You can use the --to-ports option to restrict the port range masq uses... > > > *nat > -A POSTROUTING -o eth0 -j MASQUERADE -A POSTROUTING -o eth0 -j MASQUERADE --to-ports 6000-50000 The rule above would restrict MASQUERADE to using ports from 6000 to 50000. (From memory doesn't postrouting and masq need a portocol when used with ports... inwhich case... -A POSTROUTING -p udp -o eth0 -j MASQUERADE --to-ports 6000-50000 -A POSTROUTING -p tcp -o eth0 -j MASQUERADE --to-ports 6000-50000 -A POSTROUTING ! -p tcp ! -p udp -o eth0 -j MASQUERADE Should provide port mapping for the udp and tcp and normal masq for non-tcp/udp - might need to split the not tcp / udp line into two - not sure if you can combine two negative matches and currently don't have a linux box in reach :( ) R. Note: Reading some more info on the masq target:- "It is still possible to use the MASQUERADE target instead of SNAT even though you do have a static IP, however, it is not favorable since it will add extra overhead, and there may be inconsistencies in the future which will thwart your existing scripts and render them "unusable". " -- Richard Horton Users are like a virus: Each causing a thousand tiny crises until the host finally dies. http://www.pbase.com/arimus - My online photogallery http://uk.linkedin.com/in/richardhorton1972 - My linkedin profile http://www.solstans.co.uk/richard - Online CV -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html