Re: nf_nat_sip questions

On Tue, Jun 25, 2013 at 5:52 PM, Bob Reiber <bob@xxxxxxxx> wrote:
> You did not define the internal networks properly in the pbx. Asterisk needs to know which nets are internal and which are external. Typically in the sip.conf file you will find the local nets defined.
>
> Bob Reiber
> BK Sales and Service
> 3211 Longfellow Dr
> Belmont, CA 94002
> Tel: 650 376 1122
> Fax: 650 240 4556
>
> -----Original Message-----
> From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Rodrigo Stuffs
> Sent: Tuesday, June 25, 2013 9:30 AM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: nf_nat_sip questions
>
> Hello List,
>
> Consider this scenario:
>
> [ Internal network 172.16.9.0/24 eth1 ] ---- <raspberry pi> ---- [ valid internet IP address eth0 ]
>
> Recently, I got myself adventuring on Asterisk, and in order to address some issues, I found nf_nat_sip. So, my Raspberry Pi is doing the IP masquerading job for my internal network. And then, I installed Asterisk in the Pi, which is bound to both internal and external interfaces.
>
> Ok, the internal softphones work just nicely. It happens that external phones have 1-way communication (just listens) with internal phones.
>
> While running a tcpdump, I found that SIP was telling my external phones to send the RTP data to an internal IP address instead. See a dump below:
>
> --------------------8<-------------------
>
> INVITE sip:soft-01@179.245.20.148:5060 SIP/2.0
> Via: SIP/2.0/UDP <home valid ip address>:5060;branch=z9hG4bK7a17bb7b;rport
> Max-Forwards: 70
> From: <sip:102@<home hostname>>;tag=as1a71f0f6
> To: "soft-01" <sip:soft-01@<home hostname>:5060>;tag=63f8e4a543
> Contact: <sip:102@<home valid ip address>:5060>
> Call-ID: cf6587a53b2ef650
> CSeq: 102 INVITE
> User-Agent: Asterisk PBX 1.8.13.1~dfsg-3
> Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
> Supported: replaces, timer
> Content-Type: application/sdp
> Content-Length: 265
>
> v=0
> o=root 899324373 899324374 IN IP4 172.16.9.5   <------ WRONG!
> s=Asterisk PBX 1.8.13.1~dfsg-3
> c=IN IP4 172.16.9.5   <-------- WRONG!
> t=0 0
> m=audio 16428 RTP/AVP 0 125
> a=rtpmap:0 PCMU/8000
> a=rtpmap:125 telephone-event/8000
> a=fmtp:125 0-16
> a=silenceSupp:off - - - -
> a=ptime:20
> a=sendrecv
>
> --------------------8<-------------------
>
> As I highlighted in the dump (seek for WRONG!), SIP is telling my external phone to talk back to an internal phone, so this is why the internal peer doesn't hear back.
>
> Ok, just prior to sending me to whine to the asterisk-users list, here come my NF-relevant questions.
>
> 1. Is just loading the module nf_nat_sip enough, is it active and mangling packets? Or should I tie it to some fancy iptables rule?
> http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html is not very clear about it.
>
> 2. Does nf_nat_sip mangle that IP address, in o= and c= lines? Does it mangle whatever else?
>
> 3. As I described, the Pi also serves internal network. Is there a risk of nf_nat_sip *also* mangling the *internal - internal*  SIP traffic to the server?
>
> 4. If 2 is true, how can I mitigate it? -j CT --notrack -o <internal if> ?
>
> Thanks a lot,
>
> - RF.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at  http://vger.kernel.org/majordomo-info.html


Hi Bob & list;

Yes, I configured it:

[general]
context=default
allowguest=no
localnet=172.16.9.0/24
externhost=<FQDN>
externrefresh=3600

Since this is no Asterisk help forum, and going back to nf_nat_sip questions:

1. Is just loading the module nf_nat_sip enough, is it active and
mangling packets? Or should I tie it to some fancy iptables rule?
http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html is
not very clear about it.
==> A: While browsing the list archives, I found that yes, it is enough.
Several people have asked just the same, and I think Pablo might be fed
up with answering it all the time.

2. Does nf_nat_sip mangle that IP address, in o= and c= lines? Does
it mangle whatever else?
==> A: ????

3. As I described, the Pi also serves internal network. Is there a
risk of nf_nat_sip *also* mangling the *internal - internal*  SIP
traffic to the server?
==> A: ?????

4. If 2 is true, how can I mitigate it? -j CT --notrack -o <internal if> ?
==> A: ?????

Thanks a lot,

- RF.