Iptables breaks a working VoIP phone?

Kenneth Burgener kenneth at mail1.ttak.org
Sun Oct 28 13:26:08 MDT 2007


I made a switch in my firewall device, and now my Broadvoice VoIP
connection is having some issues.

A little history...

Up till today I have been using a Sipura SPA-2100 VoIP ATA device with
BroadVoice, with no problems.  I have been using a Linksys WRT54G
Wireless-G Broadband Router.  I did not have ANY special settings (no
port forwarding, or port triggering) configured in the Linksys router to
have my VoIP connection work.  It just worked.

Today I decided I wanted to set up a Linux firewall box using iptables
(shorewall frontend) to replace the Linksys router.  I use a similar
Linux firewall setup at work with no problems.

I know the first point that will be made is the cause of the problem is
the NAT.  Well of course it is, but how come the NAT configuration with
the Linksys router worked, and the Linux firewall doesn't?

1. As it initially stood, I can make a call inbound or outbound to my
cell phone, and either phone rings.
2. If I dial out from my home phone to my cell phone I can hear audio
from my cell phone on the home phone speaker, but not the other way.
3. If I dial in from my cell phone, I cannot hear audio from either

As I mentioned, I am fronting iptables with shorewall (to make the
configuration easier).  I attempted to add the following rules to see if
that would improve the situation, as I saw this mentioned in some
article found via Google:

  # Allow IAX2, SIP and RTP To Firewall
  DNAT           net     lan:        udp

This did not help or change the symptoms described above.  I also tried
these rules:

DNAT            net     lan:        udp     0:65535
DNAT            net     lan:        tcp     0:65535

But the same symptoms continued.

On a side note, SSH, HTTP, HTTPS, POP, SMTP, etc. all forward to their
respective servers fine with their respective ports forwarded.  The only
service I am struggling with is the one I had zero configuration for before.

I don't know if this will help with my question, but I do have "sip"
connection tracking modules loaded.  I didn't load them manually, so
either they came with the CentOS 5 install, or loaded with the shorewall

[root at fw shorewall]# lsmod | grep sip
ip_nat_sip              8129  0
ip_conntrack_sip       11313  1 ip_nat_sip
ip_nat                 20973  12
ip_conntrack           53153  24

Any ideas?

Thanks in advance,

More information about the PLUG mailing list