I'll see if I can gather enough smarts together to try what you suggest. I did find a workaround though: If I stay with port 4569 to go from asterisk#1 to asterisk#2 but then use port 4570 to go the reverse direction, it works. The nat rules no longer conflict and cause problems since the port is different. Basically, I think there is a conflict between the prerouting and postrouting nat rules. They seem to be incompatible if the same port number is used to forward in as call out from. Obviously, you should be able to port forward to a host inside a nat'd network (any commercial router I've used can do that) but I just can't do so with iptables. I don't like this because I shouldn't have to do this but I'll go with it for now while I keep researching. On Mon, Apr 27, 2015 at 3:46 AM, Anton Danilov <littlesmilingcloud@xxxxxxxxx> wrote: > > Hello. > Check the full ruleset (iptables-save -c). > If you wont find the issue, use the TRACE target for packets from > internal LAN Asterisk server. > Also, you can ask the help on #netfilter irc-channel at freenode. > > 2015-04-27 8:03 GMT+03:00 Matthew Smith <gizmosmith@xxxxxxxxx>: > > I have a 192.168.1.14 host behind a linux firewall with ip > > 192.168.1.1. The interface of the firewall facing the internet is > > "em1" and the private interface is "p1p1" > > I've enabled "masquerading" via SNAT for the whole 192.168.1/24 subnet > > with the following iptables rules: > > > > -t nat -A POSTROUTING -s 192.168.1/24 -o em1 -j SNAT --to (MY_PUBLIC_IP) > > -A FORWARD -i em1 -o p1p1 -m state --state RELATED,ESTABLISHED -j ACCEPT > > -A FORWARD -i p1p1 -o em1 -j ACCEPT > > > > This works fine as all hosts in the 192.168.1/24 subnet can get out to > > the internet just fine. > > > > I opened a port forward up to an asterisk server inside the subnet to > > allow a remote asterisk server to connect to my asterisk server > > inside: > > > > $IPT -t nat -A PREROUTING -i em1 -s (REMOTE_ASTERISK_SERVER_IP) -d > > (MY_PUBLIC_IP) -p udp --dport 4569 -j DNAT --to-destination > > (PRIVATE_INTERNAL_ASTERISK_IP) > > $IPT -A FORWARD -s (REMOTE_ASTERISK_SERVER_IP) -p udp --dport 4569 -j ACCEPT > > > > So, the remote asterisk server can connect in just fine. Packets > > coming from it to my asterisk server are handled perfectly accoridng > > to tcpdump. The trouble is my internal asterisk server can't get out > > port 4569. If it tries to send a packet to REMOTE_ASTERISK_SERVER_IP > > it gets reflected back from interface p1p1 on the firewall. The > > packet doesn't even make it to em1 of the firewall. > > > > Here's the header of the packet leaving the asterisk server: > > Source: (PRIVATE_INTERNAL_ASTERISK_IP) > > Destination: (REMOTE_ASTERISK_SERVER_IP) > > > > This packet hits p1p1 and is immediately returned back to the internal > > asterisk server with the following header: > > Source: (MY_PUBLIC_IP) > > Destination: (PRIVATE_INTERNAL_ASTERISK_IP) > > > > So, both addresses are changed and the packet never gets past the > > firewall. Any reason why this happens? > > -- > > To unsubscribe from this list: send the line "unsubscribe netfilter" in > > the body of a message to majordomo@xxxxxxxxxxxxxxx > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > > -- > Anton. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
