OCG Technical Support
2008-Oct-09 02:44 UTC
[asterisk-users] conntrack_sip, iptables, and asterisk
I have a new Fedora 9 firewall I am setting up in front of an Asterisk 1.4 box. I ported over all of my iptables rules... but now have a strange problem: SOMETIMES, the audio is only 1-way (i.e. an RTP path problem).

Can someone offer a tip here? Since I have conntrack_sip loaded on the firewall, do I need to:

1. Use SIP and RTP port forwarding & prerouting to my asterisk box? (SIP clients are outside the LAN) - this is the way I do it now
2. Remove all SIP and RTP port forwarding & prerouting and assume conntrack_sip will do everything?
3. Allow SIP and RTP *INTO* the firewall, to allow conntrack_sip to work?

Clearly something has changed with conntrack_sip or iptables in the latest kernel... so I need to figure this out. Help!

Thanks!

Michelle
Alex Balashov
2008-Oct-09 02:57 UTC
[asterisk-users] conntrack_sip, iptables, and asterisk
The problem is that the Linux SIP ALG is not RTP-aware and doesn't NAT the RTP. If that's changed, it would have to be in the last one or two kernel releases.

Your solution is OpenSER (Kamailio/OpenSIPS) + nathelper + mediaproxy or rtpproxy.

OCG Technical Support wrote:
> I have a new Fedora 9 firewall I am setting up in front of an Asterisk
> 1.4 box. I ported over all of my iptables rules... but now have a strange
> problem: SOMETIMES, the audio is only 1-way (i.e. an RTP path problem).
>
> Can someone offer a tip here? Since I have conntrack_sip loaded on the
> firewall, do I need to:
>
> 1. Use SIP and RTP port forwarding & prerouting to my asterisk
> box? (SIP clients are outside the LAN) - this is the way I do it now
>
> 2. Remove all SIP and RTP port forwarding & prerouting and assume
> conntrack_sip will do everything?
>
> 3. Allow SIP and RTP **INTO** the firewall, to allow conntrack_sip
> to work?
>
> Clearly something has changed with conntrack_sip or iptables in the
> latest kernel... so I need to figure this out. Help!
>
> Thanks!
>
> Michelle

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
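A diagnostic for the one-way audio symptom discussed in this thread, as an added example that is not part of either post: it parses the SDP body of a SIP message captured on the public side of the firewall and flags media streams that still advertise an RFC 1918 address, which a peer outside the NAT cannot send RTP to. The sample INVITE, addresses and function names are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an INVITE as seen on the public side of the firewall.
SAMPLE_INVITE = (
    "INVITE sip:1001@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKconstructed\r\n"
    "Call-ID: constructed-1@203.0.113.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 14522 RTP/AVP 0 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def is_rfc1918(addr):
    """True for a private IPv4 address; hostnames and IPv6 are not judged."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def media_endpoints(sip_message):
    """Return [(media, ip, port)] from the SDP body."""
    _, _, body = sip_message.partition("\r\n\r\n")
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            ip = line.split()[-1].split("/")[0]  # drop multicast TTL suffix
            if streams:
                streams[-1][1] = ip  # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            streams.append([media, session_ip, int(port.split("/")[0])])
    return [tuple(s) for s in streams]

def unreachable_media(sip_message):
    """Streams whose advertised RTP address is private (not rewritten or relayed)."""
    return [s for s in media_endpoints(sip_message) if s[1] and is_rfc1918(s[1])]

if __name__ == "__main__":
    for media, ip, port in unreachable_media(SAMPLE_INVITE):
        print(f"{media}: SDP advertises private {ip}:{port}")
```

An empty result from `unreachable_media` means every stream advertises a non-private address; the ports returned by `media_endpoints` are the ones any RTP forwarding rule has to cover.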