Iptables breaks a working VoIP phone?

Michael L Torrie torriem at chem.byu.edu
Tue Oct 30 10:02:08 MDT 2007


Kenneth Burgener wrote:
> Shane Hathaway wrote:
>> iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d '!' 10.10.10.0/24 -j
>> MASQUERADE
> 
> 
> I have configured the machine to use masquerading, since the comcast IP
> address is dynamic, and all of my internal machines can access the
> Internet, so I think I am good on this step.

SNAT is still probably best for you.  Comcast's IP addresses rarely
change unless you reboot, so a simple script to set the SNAT line with
your current IP address is going to work just fine.  I have my firewall
using SNAT on comcast and haven't had problems in years, other than
Comcast deciding that I don't really need to go to Google.

> 
> 
>> Once you've done that, machines on your LAN should be able to contact
>> the Internet through your firewall.  At the same time, assuming you have
>> no other rules, no Internet machine should have the ability to initiate
>> a connection with a machine in your LAN (unless someone at your ISP
>> spoofs a 10.10.10.x destination address).
> 
> Check.
> 
> 
>> 2. If you can not reconfigure your SIP ATA, the ATA is probably
>> registering with your upstream provider using an internal IP address
>> rather than the external IP address.  You need the conntrack_sip module
>> to make your router edit the SIP stream.
> 
> lsmod shows a "conntrack_sip" loaded, so I assume it somehow magically
> detects SIP traffic, or is there something more I need for the
> configuration?
> 
> 
>> 3. You should only use DNAT rules if you want to run Internet servers.
>> If you have a web server at address 10.10.10.2, the DNAT rule might look
>> like:
> 
> Check.
> 
> 
>> iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j
>> DNAT --to-destination 10.10.10.2
>>
>> DNAT is appropriate for running an Asterisk server, but is not normally
>> required for a SIP phone.
>>
>> Shane
> 
> This is basically the thought process I have gone through trying to
> figure out why this setup is not working, which is why I am frustrated
> that it is not working, as everything appears to be configured as needed.
> 
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
> 


-- 
Michael Torrie
Assistant CSR, System Administrator
Chemistry and Biochemistry Department
Brigham Young University
Provo, UT 84602
+1.801.422.5771
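The script below is an added example; it is not from the thread, from Michael or Shane, or from PLUG. It turns Michael's suggestion into working shell: read the current address off the WAN interface, install a single SNAT rule for the LAN (replacing a stale one if the address changed, so it is safe to run from cron), and bind the SIP conntrack helper explicitly so the router can rewrite the ATA's registration as Shane describes. The LAN prefix 10.10.10.0/24 comes from the thread; the interface name eth0 and the sample addresses are assumptions, as is a reasonably current kernel (nf_conntrack_sip/nf_nat_sip module names and the CT target; older kernels of the thread's era called the modules ip_conntrack_sip/ip_nat_sip). The parsing helpers read stdin so they can be exercised on captured text without root.

```shell
#!/bin/sh
# Added example (not from the thread): keep an SNAT rule in step with a
# dynamic WAN address and attach the SIP helper only to SIP traffic.
# Assumed: LAN 10.10.10.0/24 (from the thread), WAN interface eth0 (invented),
# nf_* module names and the CT target (recent kernels).

LAN_NET="10.10.10.0/24"
WAN_IF="${WAN_IF:-eth0}"

# First IPv4 address in the output of `ip -4 -o addr show dev $WAN_IF`.
# Prints nothing if the interface has no IPv4 address.
wan_ip_from_ip_output() {
    sed -n 's|^[0-9][0-9]*: *[^ ][^ ]* *inet \([0-9.][0-9.]*\)/.*|\1|p' | head -n 1
}

# --to-source of an existing SNAT rule for LAN_NET in the output of
# `iptables -t nat -S POSTROUTING`; prints nothing if there is none.
current_snat_source() {
    grep -F -- "-s $LAN_NET " |
        sed -n 's|.* -j SNAT --to-source \([0-9.][0-9.]*\).*|\1|p' | head -n 1
}

# Rule body after `iptables -t nat -A` / `-D`, so the exact same text is used
# to add the rule and later to delete it. Traffic back into the LAN is excluded.
snat_rule() {
    printf 'POSTROUTING -s %s ! -d %s -o %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$LAN_NET" "$WAN_IF" "$1"
}

# Needs root. Idempotent: does nothing when the address has not changed.
apply_rules() {
    new_ip=$(ip -4 -o addr show dev "$WAN_IF" | wan_ip_from_ip_output)
    if [ -z "$new_ip" ]; then
        echo "no IPv4 address on $WAN_IF; leaving NAT rules untouched" >&2
        return 1
    fi
    old_ip=$(iptables -t nat -S POSTROUTING | current_snat_source)
    if [ "$old_ip" = "$new_ip" ]; then
        return 0
    fi
    # Remove the stale rule first so two SNAT rules never coexist.
    if [ -n "$old_ip" ]; then
        # shellcheck disable=SC2046
        iptables -t nat -D $(snat_rule "$old_ip")
    fi
    # shellcheck disable=SC2046
    iptables -t nat -A $(snat_rule "$new_ip")

    # nf_conntrack_sip tracks the dialog (and opens the RTP pinholes);
    # nf_nat_sip rewrites Contact/SDP so the provider sees the public address.
    # Current kernels do not attach helpers automatically, so bind the helper
    # in the raw table, and only for the signalling port rather than all UDP:
    # a helper parses untrusted payloads, so keep its exposure narrow.
    modprobe nf_conntrack_sip
    modprobe nf_nat_sip
    iptables -t raw -C PREROUTING -p udp --dport 5060 -j CT --helper sip 2>/dev/null ||
        iptables -t raw -A PREROUTING -p udp --dport 5060 -j CT --helper sip
}

# Run as `sh snat-update.sh apply` to change the firewall; with no argument
# the functions are only defined.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Because `snat_rule` produces identical text for the add and the delete, the old rule is removed cleanly instead of accumulating one SNAT entry per address change; `iptables -t nat -S POSTROUTING` is what to check afterwards to confirm exactly one rule is present.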



