Indunil Jayasooriya
2007-Mar-07 09:51 UTC
[CentOS] PREROUTING - DNAT with iptables for an ASTERISK BOX
Hi,

I am running an ASTERISK BOX behind a firewall. It is at the DMZ.

Now I want to connect to my ASTERISK BOX from the Internet. So I want to DNAT. How can I do it?

Please assume that the ip address that connects to the Internet on the firewall is 1.2.3.4 and is attached to eth0.
And the ASTERISK BOX is 192.168.101.23.

Then, what is the rule (PREROUTING) for it? What is the port to DNAT?

I think udp 5060. So I have added the 2 rules below. But it does not work at all.

    iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 5060 -j DNAT --to-destination 192.168.101.23:5060
    iptables -A FORWARD -p udp -d 192.168.101.23 --dport 5060 -j ACCEPT

Can you help me to solve this issue?

--
Thank you
Indunil Jayasooriya
John Summerfield
2007-Mar-07 13:47 UTC
[CentOS] PREROUTING - DNAT with iptables for an ASTERISK BOX
Indunil Jayasooriya wrote:
> Hi,
>
> I am running an ASTERISK BOX behind a firewall. It is at the DMZ.
>
> Now I want to connect to my ASTERISK BOX from the Internet. So I want to DNAT.
> How can I do it?
>
> Please assume that the ip address that connects to the Internet on the firewall is
> 1.2.3.4 and is attached to eth0.
> And the ASTERISK BOX is 192.168.101.23.
>
> Then, what is the rule (PREROUTING) for it? What is the port to DNAT?
>
> I think udp 5060. So I have added the 2 rules below. But it does not work at
> all.
>
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 5060 -j DNAT
> --to-destination 192.168.101.23:5060
> iptables -A FORWARD -p udp -d 192.168.101.23 --dport 5060 -j ACCEPT
>
> Can you help me to solve this issue?

With all the problems you're having with iptables, I really think you should skip round the issue and install shorewall. The docs on the website outline how to set up several more-or-less standard scenarios, and most users will find theirs similar to one of those.

--
Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
Please do not reply off-list
Feizhou
2007-Mar-08 00:39 UTC
[CentOS] PREROUTING - DNAT with iptables for an ASTERISK BOX
Indunil Jayasooriya wrote:
> Hi,
>
> I am running an ASTERISK BOX behind a firewall. It is at the DMZ.
>
> Now I want to connect to my ASTERISK BOX from the Internet. So I want to DNAT.
> How can I do it?

sip proxy behind nat = major pain in the neck. Trust me, it will not work. At best, it will work half the time.

> Please assume that the ip address that connects to the Internet on the firewall is
> 1.2.3.4 and is attached to eth0.
> And the ASTERISK BOX is 192.168.101.23.
>
> Then, what is the rule (PREROUTING) for it? What is the port to DNAT?
>
> I think udp 5060. So I have added the 2 rules below. But it does not work at
> all.
>
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 5060 -j DNAT
> --to-destination 192.168.101.23:5060
> iptables -A FORWARD -p udp -d 192.168.101.23 --dport 5060 -j ACCEPT
>
> Can you help me to solve this issue?

Yes. Give the asterisk box a proper ip. No natting. Natting on the client side is bad enough; you do not want to add a sip proxy behind nat.
Theo Band
2007-Mar-08 10:22 UTC
[CentOS] PREROUTING - DNAT with iptables for an ASTERISK BOX
Resending this mail, since it seems to have missed the list.

Indunil Jayasooriya wrote:
> Hi,
>
> I am running an ASTERISK BOX behind a firewall. It is at the DMZ.
>
> Now I want to connect to my ASTERISK BOX from the Internet. So I want to DNAT. How can I do it?
>
> Please assume that the ip address that connects to the Internet on the firewall is 1.2.3.4 and is attached to eth0.
> And the ASTERISK BOX is 192.168.101.23.
>
> Then, what is the rule (PREROUTING) for it? What is the port to DNAT?
>
> I think udp 5060. So I have added the 2 rules below. But it does not work at all.
>
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 5060 -j DNAT --to-destination 192.168.101.23:5060
> iptables -A FORWARD -p udp -d 192.168.101.23 --dport 5060 -j ACCEPT
>
> Can you help me to solve this issue?

You can fill in the variables yourself:

    iptables -A FORWARD -i $EXTIF -o $INTIF -m multiport -p udp --dport 3478,4569,5060,10000:20000 -s $UNIVERSE -j ACCEPT
    iptables -t nat -A PREROUTING -i $EXTIF -m multiport -p udp --dport 3478,4569,5060,10000:20000 -j DNAT --to-destination 192.168.101.23

SIP protocol (port 5060)
IAX protocol (port 4569)
STUN (port 3478) (not strictly needed)
Ports 10000:20000 are needed for the RTP traffic; configure it in rtp.conf.

You also need to set this up in sip.conf:

    externip = 1.2.3.4
    localnet=192.168.101.0/24

Theo
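As an added example (not part of Theo's post or anything else in this thread), a POSIX sh script that renders the rules above with the thread's placeholder addresses as reviewable text, so they can be diffed against the running ruleset before being applied; the eth1 name for $INTIF, the ALLOWED_SRC variable and the ESTABLISHED,RELATED return rule are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the list thread: render the FORWARD + PREROUTING
# rules Theo described instead of applying them blind.
# Addresses are the thread's placeholders; INTIF (DMZ-side interface) and
# ALLOWED_SRC are assumptions added here.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXTIP="${EXTIP:-1.2.3.4}"
ASTERISK_IP="${ASTERISK_IP:-192.168.101.23}"
# Theo's $UNIVERSE is 0.0.0.0/0; if the SIP provider's address range is fixed,
# set ALLOWED_SRC to it so the 10000:20000 RTP window is not open to everyone.
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"
# 5060 SIP, 4569 IAX2, 3478 STUN, 10000:20000 RTP (must match rtp.conf).
# multiport takes at most 15 ports and a range counts as two; this list uses 5.
SIP_PORTS="3478,4569,5060,10000:20000"

# Emit one iptables command per line. --dports is multiport's documented
# option name; the thread's --dport only works as a getopt abbreviation.
sip_dnat_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p udp -s %s -d %s -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$EXTIF" "$ALLOWED_SRC" "$EXTIP" "$SIP_PORTS" "$ASTERISK_IP"
    printf 'iptables -A FORWARD -i %s -o %s -p udp -s %s -d %s -m multiport --dports %s -j ACCEPT\n' \
        "$EXTIF" "$INTIF" "$ALLOWED_SRC" "$ASTERISK_IP" "$SIP_PORTS"
    # Reply packets for the forwarded flows; needed when FORWARD's policy is DROP.
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$INTIF" "$EXTIF"
}

# DNAT does nothing useful if the kernel does not route between interfaces.
# Returns 0 when net.ipv4.ip_forward is 1, 1 otherwise.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Sanity check on the generated text: exactly one DNAT rule, and both
# port-specific rules carry the same port list. Returns 0 if consistent.
rules_consistent() {
    out=$(sip_dnat_rules)
    [ "$(printf '%s\n' "$out" | grep -c -- '-j DNAT')" -eq 1 ] &&
    [ "$(printf '%s\n' "$out" | grep -c -- "--dports $SIP_PORTS")" -eq 2 ]
}

if [ "$1" = "--apply" ]; then
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is 0; DNATed packets will not be forwarded" >&2
    sip_dnat_rules | sh -e      # apply the rules (run as root)
else
    sip_dnat_rules              # default: print for review, e.g. diff against iptables-save
fi
```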
Feizhou
2007-Mar-09 02:50 UTC
[CentOS] PREROUTING - DNAT with iptables for an ASTERISK BOX
> You can fill in the variables yourself:
> iptables -A FORWARD -i $EXTIF -o $INTIF -m multiport -p udp --dport
> 3478,4569,5060,10000:20000 -s $UNIVERSE -j ACCEPT
> iptables -t nat -A PREROUTING -i $EXTIF -m multiport -p udp --dport
> 3478,4569,5060,10000:20000 -j DNAT --to-destination 192.168.101.23
> Ports 10000:20000 are needed for the RTP traffic; configure it in rtp.conf.

Hmm, I suppose one has to do the same on the client side? I have an asterisk box that was behind a natting router (all ports forwarded to the asterisk box) that could accept connections from other clients but not from one client that was behind a natting router.