I recently did a setup where I replaced a simple D-Link home router that was having trouble processing a T1's worth of bandwidth with a Linux machine running iptables. The kernel was 2.6.29-r5 and I chose the SIP connection tracking modules from the menuconfig.

Router worked fine for normal traffic, but I was unable to get the SIP phones to work. Using ngrep it was plain to see that although the packets going out were reaching their destination, the data inside the SIP headers all contained non-routable IPs. I used lsmod and saw that the following modules:

    nf_nat_sip            5084  0
    nf_nat               16400  3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
    nf_conntrack_ipv4    11912  3 iptable_nat,nf_nat
    nf_defrag_ipv4        1788  1 nf_conntrack_ipv4

were loaded. I also googled and found the http://www.iptel.org/sipalg/ website, but since this seemed to be a little dated I assumed the modules contained in the kernel source tree were newer and more "reliable".

My questions are: What is the correct way (or resource to find a way) to get a Linux firewall to work with SIP so that the NAT issue is not an issue?
On Mon, 2009-08-03 at 13:29 -0400, Ketema Harris wrote:
> I recently did a setup where I replaced a simple D-Link home router
> that was having trouble processing a T1's worth of bandwidth with a
> Linux machine running iptables. The kernel was 2.6.29-r5 and I chose
> the SIP connection tracking modules from the menuconfig.
>
> Router worked fine for normal traffic, but I was unable to get the SIP
> phones to work. Using ngrep it was plain to see that although the
> packets going out were reaching their destination, the data inside the
> SIP headers all contained non-routable IPs. I used lsmod and saw that
> the following modules:
>
>     nf_nat_sip            5084  0
>     nf_nat               16400  3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
>     nf_conntrack_ipv4    11912  3 iptable_nat,nf_nat
>     nf_defrag_ipv4        1788  1 nf_conntrack_ipv4
>
> were loaded. I also googled and found the http://www.iptel.org/sipalg/
> website, but since this seemed to be a little dated I assumed
> the modules contained in the kernel source tree were newer and more
> "reliable".
>
> My questions are: What is the correct way (or resource to find a way)
> to get a Linux firewall to work with SIP so that the NAT issue is not
> an issue?
<snip>

Not an area of great expertise for me. I would think nf_nat_sip would take care of it, but I'm surprised to not see conntrack_sip. Here is what is running on our firewall (not that we do a lot with NAT'd SIP, but the little we've done seems to work):

    [root at fw01 ~]# lsmod | grep sip
    ip_nat_sip             37313  0
    ip_conntrack_sip       41745  1 ip_nat_sip
    ip_nat                 52845  5 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,iptable_nat
    ip_conntrack           91237 13 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_sip,ip_conntrack_netbios_ns,xt_state,iptable_nat,ip_nat

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
On Mon, 3 Aug 2009, Ketema Harris wrote:
> My questions are: What is the correct way (or resource to find a way)
> to get a Linux firewall to work with SIP so that the NAT issue is not
> an issue?

Remove all SIP ALG/connection tracking modules and use old-fashioned port forwarding on the router and externip=xx.yy.z.qq, localnet= and nat=yes in sip.conf in the Asterisk box. That's what I do, anyway.

Gordon
Tarek Sawah
2009-Aug-04 11:22 UTC
[asterisk-users] Asterisk & Vyatta routers solving NAT problems
Greetings again list,

I've seen plenty of posts talking about Asterisk behind NAT, and I was wondering: have you ever thought of using Vyatta? I've been using it for more than two years, and I'm sure it's a great addition to the open source community. I DID install Asterisk behind Vyatta and configured the NAT; the system is up and running smoothly. If anyone else has tried it, please let me know if any problems have been faced.

Regards
--
AHD Tarek Sawah
Integrated Digital Systems
CCNA, MCSE, RHCE, VoIP
Syria: +963 944 618286
USA: +1 347 562 2308