On Wednesday 2012-11-14 03:35, Jörn Krebs wrote:
>>># Now we try to connect to the VoIP Server source port 44608 and 57890
>>>[NEW] udp 17 60 src=122.XX.115.203 dst=114.XX.234.123
>>> sport=10020 dport=44608 [UNREPLIED]
>>> src=114.XX.234.123 dst=122.XX.115.203
>>> sport=44608 dport=10020
>>
>> Host 122 contacts 114:44608, and there is no mapping done on
>> this CT. Therefore,
>> <122.XX.115.203:10020 -- 114.XX.234.123:44608> is now in use.
>>
>>>[NEW] udp 17 60 src=192.168.1.38 dst=122.XX.115.203
>>> sport=44608 dport=10020 [UNREPLIED]
>>> src=122.XX.115.203 dst=114.XX.234.123
>>> sport=10020 dport=1030
>>
>> <192.168.1.38:44608 -- 122.XX.115.203:10020> would normally be mapped
>> to <114.XX.234.123:44608 -- 122.XX.115.203:10020> because of your
>> MASQUERADE rule. However, <114:44608 -- 122:10020>
>> is already taken (see above).
>
>Why is there only one port mapping?
# <-> both ways
First, you only used one MASQUERADE rule, which says to establish a
mapping 192.168.1.38:P <-> 114.XX.234.123:Q, if and only if,
192.168.0.0/16 is the src address on the initiating packet. This is
not the case for that <122.XX.115.203:10020->114.XX.234.123:44608>
packet of yours.
In weird Wikipedia terms, nf_nat implements "Cone NAT" exclusively.
There are two ways here.
1.
`modprobe nf_nat_sip` and see if that yields the desired result.
If not,
2.
To get the "1:1 NAT", you will need to add a "second" cone in the
other direction, so to speak. This is then something like
iptables -t nat -A PREROUTING -i internet [-d 114.XX.234.123] \
-j DNAT --to 192.168.1.38
As you no doubt will notice, this makes the router as a host
inaccessible on 114.XX.234.123, but that's what 1:1 means.
HTH.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
