Iptables breaks a working VoIP phone?

Hans Fugal hans at fugal.net
Sun Oct 28 17:16:04 MDT 2007

On Sat, 27 Oct 2007 at 15:18 -0600, Kenneth Burgener wrote:
> As I mentioned I am fronting iptables with shorewall (to make the
> configuration easier).  

There's your first mistake. I'm in the minority I think, but IMHO
shorewall and friends are more trouble than they're worth. This problem
serves as a case in point.

I know iptables well enough to build a firewall from scratch, including
NAT (at least I used to), but I could never figure out shorewall. The
one thing I did figure out was that I was sure glad I had never used it

> I know the first point that will be made is the cause of the problem is
> the NAT.  Well of course it is, but how come the NAT configuration with
> the Linksys router worked, and the Linux firewall doesn't?

That all depends on why it doesn't work with shorewall. I
suspect the answer will be either because now you're blocking something
that wasn't being blocked by the Linksys, or the new one doesn't have
some enabling passthrough kind of feature that the old one did.

> 2. If I dial out from my home phone to my cell phone I can hear audio
> from my cell phone on the home phone speaker, but not the other way.

Can you determine whether the session tears down properly when you hang
up the cell phone? I'm not sure if there's a way to glean this
information from the handset or the sipura, but if nothing else you
could watch the packets with wireshark. If the teardown is working fine,
then you have a clear pathway both ways for SIP, but RTP going out is
being blocked. It's hard to tell for sure, it takes methodical and
logical debugging and a knowledge of how SIP and RTP work. I encourage
you to resist the urge to stab in the dark here! I've been there, I

> I attempted to add the following rules to see if
> that would improve the situation, as I saw this mentioned on some
> article found by google:

Do you know what these are doing? It's not obvious to me (one of the
reasons I don't like shorewall), and I don't want to kill any brain
cells trying to figure it out.

Did the way things are NAT'ed change at all, at a high level? (Obviously
they changed at the low level) Another thing to look at is the NAT
settings on the Sipura. Is it using STUN? Is that what's breaking now?

Hans Fugal ; http://hans.fugal.net
There's nothing remarkable about it. All one has to do is hit the 
right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
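One concrete check for the one-way-audio case discussed above, as an added example that is not part of this thread: when you capture the SIP INVITE with wireshark, compare the address the phone advertises in its SDP `c=` line with the source address the packet actually arrived from. A private address advertised from a public source means the NAT is not being fixed up (no working STUN or ALG), so the far end sends RTP to an unreachable address. The SDP body and the source address below are constructed sample values.

```python
import ipaddress
import re

# Constructed sample: SDP body of an INVITE as a phone behind NAT without
# STUN would send it, advertising its private LAN address for RTP.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed: the public source address the packet was seen from (post-NAT).
SAMPLE_PACKET_SRC = "203.0.113.10"


def parse_sdp_media(sdp):
    """Return (connection_ip, audio_port) from an SDP body, or None if absent."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        return None
    return conn.group(1), int(media.group(1))


def diagnose_rtp_address(sdp, packet_src_ip):
    """Classify the advertised RTP address against the packet's real source.

    'nat-mismatch': private address advertised from a different (public)
                    source, the classic cause of one-way audio.
    'ok':           advertised address matches where the packet came from.
    'no-media':     no audio media line to check.
    """
    parsed = parse_sdp_media(sdp)
    if parsed is None:
        return "no-media"
    ip, _port = parsed
    if ip != packet_src_ip and ipaddress.ip_address(ip).is_private:
        return "nat-mismatch"
    return "ok"


if __name__ == "__main__":
    print(parse_sdp_media(SAMPLE_SDP))
    print(diagnose_rtp_address(SAMPLE_SDP, SAMPLE_PACKET_SRC))
```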