Iptables breaks a working VoIP phone?

Shane Hathaway shane at hathawaymix.org
Mon Oct 29 11:01:15 MDT 2007


Kenneth Burgener wrote:
> Corey Edwards wrote:
>> At that point, RTP begins to flow between the two IP addresses
>> specified. This is where NAT becomes a problem. If the endpoints aren't
>> aware of NAT (which is its design), they will specify their internal
>> addresses and the return packets will be silently discarded by some
>> router's egress filters. This is one reason why NAT sucks. You can trick
>> it using connection tracking and SIP transformations. Or a tool like
>> STUN to tell the endpoint what its routeable address actually is. Or a
>> proxy which knows how to filter out the RFC1918 addresses and put in the
>> correct values.
> 
> 
> As I have been reading about it, I saw one comment made by someone else
> that seems to indicate that the Linksys is doing some sort of SIP proxy.
> Is there a Linux SIP proxy that can pick up on SIP traffic and just
> magically do its stuff, similar to the Linksys?  I have no way of
> configuring the Sipura, so whatever the solution is, it will have to be
> transparent to the Sipura device.  The Sipura is set up to send all
> traffic to the default gateway, which of course happens to be either the
> Linksys router or the Linux firewall.

Let's discuss how your firewall should be configured in order to behave
like a typical home router.

1.  You need to set up SNAT first, in order to rewrite the source
address of packets on connections initiated by machines in your LAN.  If
you have a dynamic external IP address, you have to use masquerading,
which is a more complicated variation of SNAT.  The iptables command to
set up SNAT, assuming your home LAN is 10.10.10.0/24, might look like:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -j SNAT --to-source x.x.x.x

... where 'x.x.x.x' is your static IP address.  If you have a dynamic
external IP address, do this instead:

iptables -t nat -A POSTROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -j MASQUERADE

Once you've done that, machines on your LAN should be able to contact
the Internet through your firewall.  At the same time, assuming you have
no other rules, no Internet machine should have the ability to initiate
a connection with a machine in your LAN (unless someone at your ISP
spoofs a 10.10.10.x destination address).

2. If you cannot reconfigure your SIP ATA, the ATA is probably
registering with your upstream provider using an internal IP address
rather than the external IP address.  You need the conntrack_sip module
to make your router edit the SIP stream.

3. You should only use DNAT rules if you want to run Internet servers.
If you have a web server at address 10.10.10.2, the DNAT rule might look
like:

iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j DNAT --to-destination 10.10.10.2

DNAT is appropriate for running an Asterisk server, but is not normally
required for a SIP phone.

Shane
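The three steps above, put together as one iptables-restore ruleset. This is an added example, not code from the thread or from any product mentioned in it; the LAN prefix, interface names and the 203.0.113.5 external address in the test are constructed placeholders, and the SIP helper binding via the CT target assumes a kernel recent enough (4.7 or later) to need it.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset that
# does what the reply describes: SNAT or MASQUERADE for the LAN, the SIP
# conntrack helper for the ATA's signalling, and a FORWARD policy that lets
# only replies, helper-expected RTP and LAN-initiated flows through.
# Interface and address arguments are constructed placeholders.
# Usage: build_ruleset LAN EXT_IF [STATIC_IP] | iptables-restore   (as root)
build_ruleset() {
    lan="$1"; ext_if="$2"; static_ip="$3"
    # Static external address: SNAT to it. Dynamic: MASQUERADE instead.
    if [ -n "$static_ip" ]; then
        snat="-j SNAT --to-source $static_ip"
    else
        snat="-j MASQUERADE"
    fi
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Kernels since 4.7 no longer auto-attach conntrack helpers, so bind the SIP
# helper (module nf_conntrack_sip) to signalling traffic explicitly.
-A PREROUTING -p udp --dport 5060 -j CT --helper sip
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan ! -d $lan -o $ext_if $snat
COMMIT
*filter
:FORWARD DROP [0:0]
# Drop packets arriving from the Internet that claim a LAN source address.
-A FORWARD -i $ext_if -s $lan -j DROP
# Replies and helper-expected flows (RTP of a tracked SIP call) may return.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN may initiate outbound; nothing else is forwarded in.
-A FORWARD -s $lan ! -i $ext_if -o $ext_if -j ACCEPT
COMMIT
EOF
}

# Optional DNAT line for a LAN server (step 3 in the reply); append it to the
# *nat section. Matching on the external interface instead of -d x.x.x.x also
# works with a dynamic address. The FORWARD DROP policy above still blocks the
# forwarded packets, so a matching FORWARD ACCEPT for the target is needed too.
dnat_rule() {
    ext_if="$1"; proto="$2"; port="$3"; target="$4"
    echo "-A PREROUTING -i $ext_if -p $proto --dport $port -j DNAT --to-destination $target"
}
```

Load nf_conntrack_sip and nf_nat_sip (modprobe) before restoring the ruleset, otherwise the CT --helper rule is rejected.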
