Iptables breaks a working VoIP phone?

Michael L Torrie torriem at chem.byu.edu
Sun Oct 28 23:09:47 MDT 2007

Kenneth Burgener wrote:
> 1. The Linksys does some sort of "special" NAT.  The shorewall
> configuration has both options for "NAT" and "masquerading", and I am
> using the "masquerading" option.  I assume this is just a 1 to many NAT,
> where the "NAT" option is a 1 to 1 translation of NAT.  I assume since I
> only have one IP address, that the Linksys would be doing the
> "masquerading" NAT that I have shorewall configured for.

NAT could be 1 to 1, but not necessarily.  Additionally there is SNAT
and DNAT, which affect the translation very differently.

Linksys (the linux-based WRT anyway) is doing standard iptables MASQ
translating.  A better and faster way is to use SNAT translating, where
outgoing packets are translated to appear as if they are coming from the
router.  This is almost the same effect as MASQ, except that when your
IP address changes, you have to rewrite the rule.  Connection tracking
will make sure packets get back through just fine.

> 2. Connection tracking.  I know with FTP you had to have a special
> connection tracking module, which is why I brought up that I had the
> sip-tracking module loaded.  I am wondering if it is not working right,
> but I am not sure there are any configuration options, or even if I have
> iptables/shorewall setup correctly to indicate this is SIP traffic.

There is no configuration needed to make conntracking work. Just load
the modules.  I load all the modules I think I might need including ftp,

> Thoughts?

I recommend highly that you ditch shorewall and write your own iptables
script by hand.  You'll get very fine-grained control and learn a lot in
the process.

Something else to consider is that you need to make sure the FORWARD
table is handling packets properly.  As packets are translated to and
fro, they pass across the FORWARD chain.  Sometimes errant rules there
might be killing them.
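An added example (not from this thread, and not shorewall's own output): a hand-written iptables script of the kind recommended above, contrasting MASQUERADE with SNAT, loading the FTP and SIP conntrack helpers, and giving the FORWARD chain explicit accepts so translated packets are not silently dropped there. Interface names, the LAN subnet and the WAN address are assumed placeholders; DRY_RUN=1 (the default) prints the commands instead of applying them.

```shell
#!/bin/sh
# Hand-written NAT/firewall script (added example, not from the thread).
# Assumed placeholders: eth0 = WAN, eth1 = LAN, 192.168.1.0/24 = LAN subnet.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IP="${WAN_IP:-}"        # set to the static public address to use SNAT
DRY_RUN="${DRY_RUN:-1}"     # 1 = print commands, 0 = apply them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Conntrack helpers need no configuration, only loading. The SIP helper
# also tracks the RTP media ports negotiated inside the SIP dialog.
load_helpers() {
    for m in nf_conntrack nf_conntrack_ftp nf_nat_ftp nf_conntrack_sip nf_nat_sip; do
        run modprobe "$m"
    done
}

# Outbound translation. SNAT rewrites to a fixed source address and is the
# faster choice, but the rule must be rewritten when that address changes;
# MASQUERADE looks the address up on the outgoing interface for every packet.
nat_rule() {
    if [ -n "$1" ]; then
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$1"
    else
        run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Translated packets cross FORWARD in both directions. A default DROP needs
# explicit accepts for new LAN->WAN flows and for replies and RELATED flows
# (the RTP streams the SIP helper expects), or the phone's audio dies here.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

load_helpers
nat_rule "$WAN_IP"
forward_rules
```

Run with DRY_RUN=0 as root to apply; with WAN_IP unset it falls back to MASQUERADE.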

