Iptables breaks a working VoIP phone?

Michael L Torrie torriem at chem.byu.edu
Tue Oct 30 10:02:08 MDT 2007

Kenneth Burgener wrote:
> Shane Hathaway wrote:
>> iptables -t nat -A POSTROUTING -s -d '!' -j
> I have configured the machine to use masquerading, since the comcast IP
> address is dynamic, and all of my internal machines can access the
> Internet, so I think I am good on this step.

SNAT is still probably best for you.  Comcast's IP addresses rarely
change unless you reboot, so a simple script to set the SNAT line with
your current IP address is going to work just fine.  I have my firewall
using SNAT on comcast and haven't had problems in years, other than
Comcast deciding that I don't really need to go to Google.

>> Once you've done that, machines on your LAN should be able to contact
>> the Internet through your firewall.  At the same time, assuming you have
>> no other rules, no Internet machine should have the ability to initiate
>> a connection with a machine in your LAN (unless someone at your ISP
>> spoofs a 10.10.10.x destination address).
> Check.
>> 2. If you can not reconfigure your SIP ATA, the ATA is probably
>> registering with your upstream provider using an internal IP address
>> rather than the external IP address.  You need the conntrack_sip module
>> to make your router edit the SIP stream.
> lsmod shows a "conntrack_sip" loaded, so I assume it somehow magically
> detects SIP traffic, or is there something more I need for the
> configuration?
>> 3. You should only use DNAT rules if you want to run Internet servers.
>> If you have a web server at address, the DNAT rule might look
>> like:
> Check.
>> iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j
>> DNAT --to-destination
>> DNAT is appropriate for running an Asterisk server, but is not normally
>> required for a SIP phone.
>> Shane
> This is basically the thought process I have gone through trying to
> figure out why this setup is not working, which is why I am frustrated
> that it is not working, as everything appears to be configured as needed.
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

Michael Torrie
Assistant CSR, System Administrator
Chemistry and Biochemistry Department
Brigham Young University
Provo, UT 84602

More information about the PLUG mailing list