Hi,

I have a continuous and strange problem with a SIP VoIP system, which consists of SER (SIP Express Router) hosted by our provider, the XTen client, and a Grandstream hardware SIP IP phone. The same software and hardware were successfully used by other people (unfortunately, they do not run Shorewall, so I cannot ask them what to do).

Our Shorewall firewall machine is a SuSE 9 Linux PC with 2 network cards (external static IP 62.85.100.103, static internal IPs 192.168.0.xx, no DHCP).

My config is based on the two-interface sample.

-------------------
---- interfaces ----
-------------------
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
loc     eth1        detect

-------------
--- masq ---
-------------
#INTERFACE   SUBNET   ADDRESS
eth0         eth1     62.85.100.103

------------
--- policy ----
------------
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
fw        loc    ACCEPT
net       all    DROP     info

# THE FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

-------------
--- rules ---
------------
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
# SIP Client Ports

ACCEPT    loc      net    tcp     5060           5060
ACCEPT    loc      net    udp     5060           5060
ACCEPT    loc      net    udp     8000:8020      8000:8020

ACCEPT    net      loc    tcp     5060           5060
ACCEPT    net      loc    udp     5060           5060
ACCEPT    net      loc    udp     8000:8020      8000:8020

ACCEPT    net      fw     tcp     5060           5060
ACCEPT    net      fw     udp     5060           5060
ACCEPT    net      fw     udp     8000:8020      8000:8020

-----------------
nat - file is empty (left as is from the two-interface sample).
----------------

SIP clients like XTen use 5060 TCP/UDP to establish communications and 8000-8020 for voice transmission. The login to the SIP server is OK. I can even hear the other people who call me or whom I am calling. However, they do NOT hear me. The microphone is OK, verified.

Anyone have an idea what I did wrong?

Thanks in advance for any suggestion(s).

*********************************************
* Best Regards --- Andrei Verovski
*
* Personal Home Page
* http://snow.prohosting.com/guru4mac/
* Mac, Linux, DTP, Development, IT WEB Site
*********************************************
Hi Andrei,

There is nothing wrong with Shorewall, but with your configuration.

> -------------
> --- masq ---
> -------------
> eth0 eth1 62.85.100.103

So your internal LAN is behind a SNAT.

> ------------
> --- policy ----
> ------------
> loc net ACCEPT
> fw net ACCEPT
> fw loc ACCEPT
> net all DROP info
>
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info

Fine.

> -------------
> --- rules ---
> ------------
> # SIP Client Ports
>
> ACCEPT loc net tcp 5060 5060
> ACCEPT loc net udp 5060 5060
> ACCEPT loc net udp 8000:8020 8000:8020

Why are you doing this? Look at the first rule of your policy file. So we can take out these three lines.

> ACCEPT net loc tcp 5060 5060
> ACCEPT net loc udp 5060 5060
> ACCEPT net loc udp 8000:8020 8000:8020

These three lines are also not necessary, as your SIP clients & phones register with SER. So take them out. They really make no sense in your configuration.

> ACCEPT net fw tcp 5060 5060
> ACCEPT net fw udp 5060 5060
> ACCEPT net fw udp 8000:8020 8000:8020

Do you have any SIP software running ON your firewall? If not, then take out these three lines.

And then try again and report.

Sascha

-------------------------------------------------------
Sascha Knific               K Systems & Design
Tel. +49-8151-773260        Wittelsbacherstr. 6a
Fax. +49-8151-773262        82319 Starnberg, Germany
knific@k-sysdes.net         http://www.k-sysdes.net

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Andrei Verovski (aka MacGuru)
> Sent: Thursday, 4 March 2004 14:57
> To: shorewall-users@lists.shorewall.net
> Subject: [Shorewall-users] SIP VoIP Config Question
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi, Sascha,

Thank you very much for the reply. I have put comments below...

On Mar 4, 2004, at 16:41, Sascha Knific wrote:

> Hi Andrei
>
> There is nothing wrong with Shorewall, but with your configuration.
>
>> -------------
>> --- masq ---
>> -------------
>> eth0 eth1 62.85.100.103
>
> So your internal LAN is behind a SNAT.

SIP clients should work behind SNAT. I have specified the NAT address in the SIP client prefs.

>> ------------
>> --- policy ----
>> ------------
>> loc net ACCEPT
>> fw net ACCEPT
>> fw loc ACCEPT
>> net all DROP info
>>
>> # THE FOLLOWING POLICY MUST BE LAST
>> all all REJECT info
>
> Fine.
>
>> -------------
>> --- rules ---
>> ------------
>> # SIP Client Ports
>>
>> ACCEPT loc net tcp 5060 5060
>> ACCEPT loc net udp 5060 5060
>> ACCEPT loc net udp 8000:8020 8000:8020
>
> Why are you doing this? Look at the first rule of your policy file. So
> we can take out these three lines.

The rule (which allows all connections from loc to net) will be changed in the future, when I finish the SIP setup.

>> ACCEPT net loc tcp 5060 5060
>> ACCEPT net loc udp 5060 5060
>> ACCEPT net loc udp 8000:8020 8000:8020
>
> These three lines are also not necessary, as your SIP clients & phones
> register with SER. So take them out. They really make no sense in your
> configuration.

OK.

>> ACCEPT net fw tcp 5060 5060
>> ACCEPT net fw udp 5060 5060
>> ACCEPT net fw udp 8000:8020 8000:8020
>
> Do you have any SIP software running ON your firewall? If not, then take
> out these three lines.

Yes, I have tried to run a SIP client (linphone and kphone) on the firewall machine. It does not work either.

> And then try again and report.
>
> Sascha

Well, the problem is that NONE of my rules block or disturb SIP. I think I have missed something, but cannot understand what. I have tried SIP clients from Mac, Win and Linux, with the same result.

*********************************************
* Best Regards --- Andrei Verovski
*
* Personal Home Page
* http://snow.prohosting.com/guru4mac/
* Mac, Linux, DTP, Development, IT WEB Site
*********************************************
Hi Andrei,

So what is the result? Is it basically working, i.e. you can hear the other party but the other party doesn't hear you? With every client software you have tried?

Try checking your Shorewall log while you are placing a call ("tail -f /var/log/messages") and check for rejected or dropped packets.

Try port forwarding to your SIP client.

rules
-----
#ACTION   SOURCE   DEST                                  PROTO   DEST PORT(S)
DNAT      net      loc:<IP address of your SIP client>   udp     5060
DNAT      net      loc:<IP address of your SIP client>   udp     8000:8010
-----

Or read this: http://www.sipcenter.com/files/SIPNATtraversal.pdf
I haven't read it myself, but it should help you.

If you are going to use multiple SIP clients/phones in your internal network, consider placing a SIP proxy in between. It makes some things easier.

Regards
Sascha

-------------------------------------------------------
Sascha Knific               K Systems & Design
Tel. +49-8151-773260        Wittelsbacherstr. 6a
Fax. +49-8151-773262        82319 Starnberg, Germany
knific@k-sysdes.net         http://www.k-sysdes.net

> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Andrei Verovski (aka MacGuru)
> Sent: Thursday, 4 March 2004 16:26
> To: Mailing List for Experienced Shorewall Users
> Subject: Re: AW: [Shorewall-users] SIP VoIP Config Question
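Sascha's suggestion to tail /var/log/messages while placing a call is quick to script. The block below is an added example, not code from the thread or from Shorewall: it reads syslog lines, keeps those carrying the Shorewall:<chain>:<disposition>: prefix (assumed here to be the LOGFORMAT in use; adjust LOG_PREFIX if yours differs) and tallies drops and rejects that touch port 5060 or the 8000:8020 range, so that an RTP stream from the far end hitting the net2all DROP policy stands out at once. The sample lines, the 198.51.100.x addresses, the MAC and the fw host name are constructed.

```python
"""Added example: triage Shorewall drop/reject log lines for SIP and RTP traffic.

Reads kernel log lines as written to /var/log/messages, keeps those carrying the
Shorewall:<chain>:<disposition>: prefix (assumed LOGFORMAT) and tallies the ones
touching port 5060 or 8000:8020. Sample lines are constructed.
"""
import re
from collections import Counter

SIP_PORT = 5060
RTP_PORTS = range(8000, 8021)   # the 8000:8020 UDP range from the rules file

LOG_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")   # iptables KEY=value pairs after the prefix

# Constructed sample; 62.85.100.103 is the thread's masq address, everything else is made up.
MAC = "00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00"
SAMPLE_LOG = f"""\
Mar  4 16:30:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.7 DST=62.85.100.103 LEN=200 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=UDP SPT=10000 DPT=8004 LEN=180
Mar  4 16:30:01 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.7 DST=62.85.100.103 LEN=200 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=UDP SPT=10000 DPT=8004 LEN=180
Mar  4 16:30:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.9 DST=62.85.100.103 LEN=60 TOS=0x00 PREC=0x00 TTL=110 ID=3 DF PROTO=TCP SPT=3311 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  4 16:30:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.7 DST=62.85.100.103 LEN=500 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=UDP SPT=5060 DPT=5060 LEN=480
Mar  4 16:30:04 fw sshd[1234]: Accepted publickey for root from 192.168.0.5 port 40000 ssh2
"""


def parse_line(line):
    """Return the prefix fields plus the iptables KEY=value pairs, or None for other lines."""
    m = LOG_PREFIX.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(FIELD.findall(line[m.end():]))   # later duplicates (e.g. UDP LEN) overwrite
    return rec


def is_voip(rec):
    """True when either port is SIP signalling or lies in the RTP range."""
    if rec.get("PROTO") not in ("UDP", "TCP"):
        return False
    ports = {int(rec[k]) for k in ("SPT", "DPT") if rec.get(k, "").isdigit()}
    return any(p == SIP_PORT or p in RTP_PORTS for p in ports)


def summarize(log_text):
    """Count VoIP packets by (chain, disposition, proto, source address, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_voip(rec):
            counts[(rec["chain"], rec["disposition"], rec["PROTO"], rec["SRC"], int(rec["DPT"]))] += 1
    return counts


def report(counts):
    """One human-readable line per bucket, sorted by key."""
    out = []
    for (chain, disp, proto, src, dpt), n in sorted(counts.items()):
        kind = "SIP signalling" if dpt == SIP_PORT else "RTP media"
        out.append(f"{n:4d} x {proto} from {src} to port {dpt} ({kind}) {disp} in chain {chain}")
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Pipe the live log through it (for example `tail -f /var/log/messages | python3 thisscript.py` after replacing SAMPLE_LOG with sys.stdin) during a call. Inbound UDP from the SIP server's address to a port in 8000:8020 being dropped in net2all is exactly the case the DNAT rules above are meant to cover; a TCP SYN to an unrelated port, like the third sample line, is filtered out so it does not distract from the call.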