On 10/16/2016 05:39 PM, Jerry Geis wrote:
> I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060
> udp. I have need to tcpenable=yes SIP and run that on port 5068.
> Since port 5060 is already running I was going to redirect 5068 to 5060.
Oh, yuck. SIP includes information about an endpoint's address and port
in the payload of its data. The NAT helpers *should* rewrite that, but
only if your payload isn't encrypted. Asterisk can be configured with
knowledge of its NATed address and port, but... Well, this all becomes
kind of a mess.
It's best to avoid NAT wherever possible, in general, but more so with
SIP than with some other common protocols.
> 192.168.10.201 is my machine, 192.168.1.3 is the other machine. 1.3 should
> connect to 10.201 on port 5068.
>
> so I did:
>
> iptables -t nat -A PREROUTING -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.3 --dport 5060 -j REDIRECT --to-port 5068
>
> This did not seem to work. iptables -t nat -L -n -v shows packets going out
> to 1.3 but "0" on the input for 5068.
Is there a reason you can't configure asterisk to connect to
192.168.1.3:5068, without using NAT? And the reverse? Can 192.168.1.3
not connect to 5060?
And if you're not seeing packets hit that rule, are you really sure
192.168.1.3 is sending packets to 192.168.10.201 port 5068? Do you see
them using a diagnostic tool like tcpdump?
> So then I added
>
> iptables -t nat -A OUTPUT -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 5068 -j REDIRECT --to-port 5060
The output chain with a destination address of the local machine? I'm
not really sure what you're trying to do here.
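As an added illustration of the point made above about SIP carrying addresses and ports inside its payload (this is example code, not anything from the list post or from Asterisk): the script below pulls the Request-URI, Via and Contact endpoints out of a SIP message and compares them with the ports actually used on the wire, which is the check you would do by hand on a tcpdump capture when a REDIRECT rule changes the destination port. The SIP message, the 192.168.x.x addresses and the port numbers are constructed to match the setup described in the thread; the "local" tuple is the port the server really received the message on after any REDIRECT, the "remote" tuple is the port the peer is really reachable on.

```python
import re
from dataclasses import dataclass

# Constructed sample, not captured traffic: a REGISTER that a phone at
# 192.168.1.3 would send to the Asterisk box at 192.168.10.201 on TCP 5068,
# the setup described in the thread. Note how the Request-URI, Via and
# Contact all carry an address and port inside the SIP payload itself.
SAMPLE_SIP = (
    "REGISTER sip:192.168.10.201:5068;transport=tcp SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.1.3:5068;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@192.168.10.201>;tag=1928301774\r\n"
    "To: <sip:1001@192.168.10.201>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.3\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.3:5068;transport=tcp>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


@dataclass
class SipEndpoint:
    header: str     # which part of the message carried it
    transport: str  # UDP unless the message says otherwise
    host: str
    port: int       # 5060 when the message leaves it out


# "sip:" URI with optional user part, optional port and trailing ;params
_URI_RE = re.compile(
    r"sip:(?:[^@>\s]+@)?(?P<host>[^;:>\s]+)(?::(?P<port>\d+))?(?P<params>[^>\s]*)", re.I)
# Via sent-protocol and sent-by, e.g. "SIP/2.0/TCP 192.168.1.3:5068;branch=..."
_VIA_RE = re.compile(
    r"SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<host>[^;:\s]+)(?::(?P<port>\d+))?")


def _uri_endpoint(header, m):
    t = re.search(r"transport=([A-Za-z]+)", m["params"] or "")
    return SipEndpoint(header, t.group(1).upper() if t else "UDP",
                       m["host"], int(m["port"] or 5060))


def embedded_endpoints(msg):
    """Every address:port the SIP payload claims, in message order."""
    head = msg.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    found = []
    m = _URI_RE.search(request_line)
    if m:
        found.append(_uri_endpoint("Request-URI", m))
    for via in headers.get("via", []):
        m = _VIA_RE.search(via)
        if m:
            found.append(SipEndpoint("Via", m["transport"].upper(),
                                     m["host"], int(m["port"] or 5060)))
    for contact in headers.get("contact", []):
        m = _URI_RE.search(contact)
        if m:
            found.append(_uri_endpoint("Contact", m))
    return found


def payload_mismatches(msg, local, remote):
    """Compare what the payload says against the ports really used on the wire.

    local  = (address, port) the server actually received the message on,
             i.e. after any REDIRECT has changed the destination port
    remote = (address, port) the peer is actually reachable on
    Returns one line per disagreement; an empty list means nothing in this
    message would need rewriting by a NAT helper (which, as the reply notes,
    could not rewrite it anyway if the payload were encrypted).
    """
    actual = {local[0]: local[1], remote[0]: remote[1]}
    problems = []
    for ep in embedded_endpoints(msg):
        wire_port = actual.get(ep.host)
        if wire_port is None:
            problems.append(f"{ep.header} names {ep.host}, which is neither side of the connection")
        elif wire_port != ep.port:
            problems.append(f"{ep.header} says {ep.host}:{ep.port}/{ep.transport} "
                            f"but the wire uses port {wire_port}")
    return problems


if __name__ == "__main__":
    # The thread's setup: the client sends to 5068, REDIRECT delivers it to 5060.
    for p in payload_mismatches(SAMPLE_SIP, ("192.168.10.201", 5060), ("192.168.1.3", 5068)):
        print(p)
```

Run against the thread's setup, the Request-URI is the only embedded endpoint that disagrees with the wire (it names port 5068 while the socket that received it is 5060); run with the client talking to 5060 directly, nothing disagrees, which is the "no NAT" configuration the reply recommends. For the other direction, feed the messages Asterisk sends out and swap the tuples.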