From: Kristian K. <kri...@gm...> - 2007-03-02 21:12:56
Hello Everyone,

I know that it is a Friday but I have recently discovered an important issue in AstLinux.

Many people use AstLinux machines as both router/firewalls and Asterisk machines. This can be a problem if you try to use a SIP device behind the AstLinux machine IF it registers to a SIP endpoint on the other side of local NAT:

(NAT) SIP Phone -> AstLinux box -> SIP Server

This does not affect setups where the SIP Phone registers to Asterisk and Asterisk maintains the connection to the SIP Server.

In this scenario, the NAT code in the Linux kernel will attempt to use port 5060 on the external interface of the AstLinux machine. It does this for three reasons:

1) 5060 is above 1023
2) It defaults to using the same port that is used on the internal side (if possible)
3) It doesn't know that there is something listening on that port locally.

This has the effect of blocking access (via the external interface) to the instance of Asterisk that is running on the AstLinux machine. BAD!

The solution is to use the --to-ports argument for the MASQUERADE target on tcp and udp connections:

what was:

iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE

is now:

iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -p udp -j MASQUERADE --to-ports $MASQPORTS
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -p tcp -j MASQUERADE --to-ports $MASQPORTS
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE

This configuration will masquerade connections on the external interface just like the old example. The only difference is that on tcp and udp connections it will only use the ports defined by MASQPORTS for the outgoing port number on the external interface.

I have been using MASQPORTS=30000-60000 and it has been working quite well. I am thinking that this should be the default in AstLinux. The only problem is that #2 (from above) is there for a reason. Some applications need to use the same port number. I have yet to run into such an application, but you never know...

Should MASQPORTS=30000-60000 be default on new AstLinux systems?

Thanks!

--
Kristian Kielhofner
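As an added example (not AstLinux's own astfw code), a small POSIX sh helper that validates a MASQPORTS range, checks it against the ports the router itself listens on, and prints the three POSTROUTING rules from the message above. IPBASE, INTNM, EXTIF and MASQPORTS follow the names in the message; LOCAL_PORTS is an assumed list (5060 for the local Asterisk SIP listener is the port the thread discusses) and the LAN values are constructed.

```shell
#!/bin/sh
# Added example, not AstLinux's astfw code. Builds the MASQUERADE --to-ports
# rules from the thread and checks that the chosen MASQPORTS range does not
# cover a port the router itself listens on, which would reproduce the 5060
# clash on another port once a masqueraded flow happened to pick it.

# masq_range_valid LOW-HIGH: succeeds if both halves are numeric,
# LOW >= 1024 and LOW <= HIGH <= 65535.
masq_range_valid() {
    case "$1" in *-*) ;; *) return 1 ;; esac
    low=${1%-*}
    high=${1#*-}
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]
}

# masq_range_avoids LOW-HIGH "P1 P2 ...": succeeds if no listed local
# listener port lies inside the masquerade range.
masq_range_avoids() {
    low=${1%-*}
    high=${1#*-}
    for port in $2; do
        if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
            return 1
        fi
    done
    return 0
}

# masq_rules IPBASE INTNM EXTIF MASQPORTS: prints (does not apply) the three
# rules from the thread: udp and tcp limited to MASQPORTS, the rest as before.
masq_rules() {
    ipbase=$1; intnm=$2; extif=$3; masqports=$4
    for proto in udp tcp; do
        printf 'iptables -t nat -A POSTROUTING -s %s.0/%s -o %s -p %s -j MASQUERADE --to-ports %s\n' \
            "$ipbase" "$intnm" "$extif" "$proto" "$masqports"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s.0/%s -o %s -j MASQUERADE\n' \
        "$ipbase" "$intnm" "$extif"
}

# masq_check IPBASE INTNM EXTIF MASQPORTS LOCAL_PORTS: validate the range
# against the local listeners, then print the rules; non-zero exit otherwise.
masq_check() {
    if ! masq_range_valid "$4"; then
        echo "MASQPORTS=$4 is not a valid LOW-HIGH range above 1023" >&2
        return 1
    fi
    if ! masq_range_avoids "$4" "$5"; then
        echo "MASQPORTS=$4 overlaps a local listener ($5)" >&2
        return 2
    fi
    masq_rules "$1" "$2" "$3" "$4"
}

# Constructed sample values: the thread's range, a private LAN, eth0 as EXTIF
# and 5060 as the only assumed local listener (LOCAL_PORTS).
LOCAL_PORTS="5060"
masq_check 192.168.1 24 eth0 30000-60000 "$LOCAL_PORTS"
```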
From: Lonnie A. <li...@lo...> - 2007-03-03 00:14:16
On Mar 2, 2007, at 3:12 PM, Kristian Kielhofner wrote:

> In this scenario, the NAT code in the Linux kernel will attempt to
> use port 5060 on the external interface of the AstLinux machine. It
> does this for three reasons:
>
> 1) 5060 is above 1023
> 2) It defaults to using the same port that is used on the internal
> side (if possible)
> 3) It doesn't know that there is something listening on that port
> locally.

Kristian,

I don't understand your #3.
If you want your asterisk box to 'listen' on 5060, you have to port forward 5060 to your asterisk box (192.168.1.10)

using "ipnat" on FreeBSD
rdr sis1 0/0 port 5060 -> 192.168.1.10 port 5060 udp

This would make port 5060 on the WAN interface unavailable, when a SIP phone registered out the WAN, correct?

My instincts say your suggested changes are unnecessary,

but then again, I use m0n0wall. <smile>

Lonnie
From: Kristian K. <kri...@gm...> - 2007-03-05 16:01:08
Lonnie,

I think it is possible that you are misunderstanding me.

Basically, if you use AstLinux in router mode and register a DIFFERENT SIP device behind it (nothing to do with Asterisk at all), you will block access to port 5060 because the Linux kernel will (by default) PAT using the same external port number as the device.

Not only is m0n0 FreeBSD based (I don't know what the PAT specifics are there), it doesn't run Asterisk so it doesn't have this problem.

--
Kristian Kielhofner
From: Lonnie A. <li...@lo...> - 2007-03-05 17:52:50
Kristian,

I think I understand you, maybe I am wrong? <smile>

But, I will try one more time.

I'm no iptables guru, but this might be what I am suggesting:
iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to 192.168.1.10:5060

This puts an inbound, external udp/5060 rule in the NAT table pointing to your asterisk box. If a different SIP device now tries to register out, it will not be given the external/public of 5060 since it is reserved by the NAT rule above. Correct?

Of course, if you want to receive inbound SIP to asterisk, you would also have to add something like:
iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j ACCEPT

Is this clear?

Lonnie

_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users
From: <ast...@el...> - 2007-03-05 00:22:59
> I have been using MASQPORTS=30000-60000 and it has been working
> quite well. I am thinking that this should be the default in
> AstLinux. The only problem is that #2 (from above) is there for a
> reason. Some applications need to use the same port number. I have
> yet to run into such an application, but you never know...
>
> Should MASQPORTS=30000-60000 be default on new AstLinux systems?

As long as you can tweak it in rc.conf, I'm not going to complain. There are places that ask for 10k-30k so people need to adjust pretty easily. This will actually be a sticking point for some people potentially, when they aren't quite sure what their range should be, and have to experiment/tweak (such as when their provider doesn't officially support other hardware and doesn't feel like telling you the range).

Actually, this brings up an ugly point I ran across while fooling around with my WRAP, though maybe I was being dumb. I had it attached to two different networks, one for primary service, and a second network to be a branch office PBX below some other SIP server. The problem is, both primary and office networks required DHCP, and the office network SIP server was on another subnet.

I did an ugly hack where I set eth0 to be EXTIF, and I did not set eth2 as an INTIF. Instead I tweaked the iptables setup so I had a third option for the DMZ setup I called intme, which created an internal use connection that linked exclusively to the WRAP and couldn't go downstream into the eth1 internal network, or back upstream and out through eth0. In rc.conf I defined a static IP and associated information.

Unfortunately, this did solve all my problems, as I periodically had to undo the setup and set eth2 as EXTIF just to tickle the office DHCP server (it doesn't behave and check an IP before assigning, so I had my IP address stolen before). That, and I had to manually add a route to the office SIP server through the office network gateway, otherwise the WRAP would use the default route and never connect.

Is there a cleaner way of setting up a second network link that isn't a failover link, being a DHCP client? I was connecting to a trusted network on the office link so things were okay, but in the future I would want to apply the astfw firewall rules to that second link. It would also be nice to be able to define the additional route information in rc.conf for the office link.

I suppose this is unique to devices with three or more interfaces, but it seems like you have the situation of above/below/sideways, and the link situation of "talk to only me"/"talk to me and stuff below"/"talk to only stuff below"/"talk to only above"/"talk to me and above"/"talk to everybody"/"talk to everybody but me".
From: Kristian K. <kri...@gm...> - 2007-03-05 19:55:35
Lonnie,

I started on FreeBSD/OpenBSD and I understand ipfw/pf rules quite well. I appreciate the translation to iptables for the other readers :).

We are talking about two different things. You want to put an Asterisk box behind another Linux/iptables router (that isn't running Asterisk) and translate traffic on the Linux/iptables box.

I want to put a SIP device behind a Linux/iptables router that is running Asterisk.

This causes a problem.

The iptables MASQUERADE & SNAT (not DNAT) iptables code (by default) will assign port 5060 on the external interface as the port to be used for PAT with the SIP device BEHIND the Linux router. This will make port 5060 on the Linux/iptables/Asterisk box inaccessible via SIP because incoming traffic to the external interface on port 5060 will be translated and routed to the SIP device behind NAT because of the iptables MASQ state.

Using --to-ports forces the MASQ/SNAT code to only use ports in the defined range - not the port used by the device inside the NAT.

Is this making sense to anyone else? If so, can you explain it better than I can :)?

--
Kristian Kielhofner
From: Bryce C. <br...@rh...> - 2007-03-05 20:28:32
It makes sense to me, but nonetheless here's my translation/simplification.

If a router is running Asterisk, with SIP enabled, then port 5060 (and whatever RTP range is defined) are claimed by Asterisk. Generally, this does not present a problem, except until you have to try and NAT another SIP device behind it. In order for the SIP device to communicate to the outside (technically, for the outside to talk to it), there must be a port forward in place on the router. This is where the conflict occurs.

When the SIP device connects to its outside host, it's identified as being at 123.45.67.8:5060 (source address), however 123.45.67.8 is the IP of the Astlinux router and port 5060 is the port Asterisk is already listening on. When the remote service tries to call the SIP device, it actually connects to Asterisk and the call won't go through.

As for the "fix" with MASQPORTS, you're only forwarding the RTP data so audio will go through without a hitch, however this does not solve the conflicting claims for port 5060.

Simplest fix is to set your SIP phone, or Asterisk, to use a different port for SIP than 5060 (I think 5082 is another common choice).

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh...
Tel: +1 (480) 940-1826 x6351
Fax: +1 (480) 961-1826
FWD: 633686 x6351
IP: asterisk.rhinoequipment.com x6351

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the email and its attachments from all computers.
From: Lonnie A. <li...@lo...> - 2007-03-05 21:15:49
Bryce,

> When the SIP device connects to its outside host, it's identified
> as being at 123.45.67.8:5060 (source address), however 123.45.67.8
> is the IP of the Astlinux router and port 5060 is the port Asterisk
> is already listening on.

Isn't iptables smart enough to realize that the udp/external 5060 NAT table is in use, and automatically assign a different external port for the 2nd SIP device?

Lonnie
From: Bryce C. <br...@rh...> - 2007-03-05 21:24:53
I'm not an iptables guru and I have no idea who would do what. However, if iptables could somehow dynamically create port forwards (I didn't know it could), the issue is still that the 2nd SIP device thinks it's on 5060, so when it says From: <1234@IPADDR:5060>, it tells the remote service to call back to 5060.

I'm sure Kris can further expand on this, however I'm fairly certain that this is all just the common case: you cannot both forward a port and host it locally on a router.

Regards,
Bryce Chidester
Rhino Equipment Corp.
From: Lonnie A. <li...@lo...> - 2007-03-05 21:48:16
Kristian,

I will be quiet now, I looked at your "astfw" code... too much to get my brain around on this Monday.

In my thinking I was 'assuming' that asterisk was sitting behind the same NAT as would any LAN IP's, when a WAN interface is specified (non-PBX only mode). This is where I got confused.

I have to trust Kristian on this one.

Sorry for all the comments...

Lonnie