Iptables breaks a working VoIP phone?
kenneth at mail1.ttak.org
Sun Oct 28 13:26:08 MDT 2007
I made a switch in my firewall device, and now my Broadvoice VoIP
connection is having some issues.
A little history...
Up till today I have been using a Sipura SPA-2100 VoIP ATA device with
BroadVoice, with no problems. I have been using a Linksys WRT54G
Wireless-G Broadband Router. I did not have ANY special settings (no
port forwarding, or port triggering) configured in the Linksys router to
have my VoIP connection work. It just worked.
Today I decided I wanted to set up a Linux firewall box using iptables
(shorewall frontend) to replace the Linksys router. I use a similar
Linux firewall setup at work with no problems.
I know the first point that will be made is the cause of the problem is
the NAT. Well of course it is, but how come the NAT configuration with
the Linksys router worked, and the Linux firewall doesn't?
1. As it initially stood, I can make a call inbound or outbound to my
cell phone, and either phone rings.
2. If I dial out from my home phone to my cell phone I can hear audio
from my cell phone on the home phone speaker, but not the other way.
3. If I dial in from my cell phone, I cannot hear audio from either
As I mentioned I am fronting iptables with shorewall (to make the
configuration easier). I attempted to add the following rules to see if
that would improve the situation, as I saw this mentioned on some
article found by Google:
# Allow IAX2, SIP and RTP To Firewall
DNAT net lan:10.10.10.225 udp
This did not help or change the symptoms described above. I also tried
# FORWARD **ALL** TRAFFIC
DNAT net lan:10.10.10.225 udp 0:65535
DNAT net lan:10.10.10.225 tcp 0:65535
But the same symptoms continued.
On a side note, SSH, HTTP, HTTPS, POP, SMTP, ETC... all forward to their
respective servers fine with their respective ports forwarded. The only
service I am struggling with is the one I had zero configuration with before.
I don't know if this will help with my question, but I do have "sip"
connection tracking modules loaded. I didn't load them manually, so
either they came with the CentOS 5 install, or loaded with the shorewall
[root@fw shorewall]# lsmod | grep sip
ip_nat_sip 8129 0
ip_conntrack_sip 11313 1 ip_nat_sip
ip_nat 20973 12
ip_conntrack 53153 24
Thanks in advance,