From: Kristian K. <kri...@gm...> - 2007-03-02 21:12:56
Hello Everyone,
I know that it is a Friday but I have recently discovered an
important issue in AstLinux.
Many people use AstLinux machines as both router/firewalls and
Asterisk machines. This can be a problem if you try to use a SIP
device behind the AstLinux machine IF it registers to a SIP endpoint
on the other side of local nat:
(NAT)
SIP Phone -> AstLinux box -> SIP Server
This does not affect setups where the SIP Phone registers to
Asterisk and Asterisk maintains the connection to the SIP Server.
In this scenario, the NAT code in the Linux kernel will attempt to
use port 5060 on the external interface of the AstLinux machine. It
does this for three reasons:
1) 5060 is above 1023
2) It defaults to using the same port that is used on the internal
side (if possible)
3) It doesn't know that there is something listening on that port locally.
This has the effect of blocking access (via the external interface)
to the instance of Asterisk that is running on the AstLinux machine.
BAD!
The solution is to use the --to-ports argument for the MASQUERADE
target on tcp and udp connections:
what was:
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE
is now:
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -p udp -j MASQUERADE --to-ports $MASQPORTS
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -p tcp -j MASQUERADE --to-ports $MASQPORTS
iptables -t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF -j MASQUERADE
This configuration will masquerade connections on the external
interface just like the old example. The only difference is that on
tcp and udp connections it will only use the ports defined by
MASQPORTS for the outgoing port number on the external interface.
I have been using MASQPORTS=30000-60000 and it has been working
quite well. I am thinking that this should be the default in
AstLinux. The only problem is that #2 (from above) is there for a
reason. Some applications need to use the same port number. I have
yet to run into such an application, but you never know...
Should MASQPORTS=30000-60000 be default on new AstLinux systems?
Thanks!
--
Kristian Kielhofner
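The split MASQUERADE rule set described in the post, together with a check that the chosen MASQPORTS range does not cover any port the AstLinux box itself listens on, as an added shell example (not from the original message or the AstLinux project). The variable names follow the post; the address, interface and listening-port values are constructed samples.

```shell
#!/bin/sh
# Constructed sample values (assumptions, not from the post).
IPBASE=192.168.1
INTNM=24
EXTIF=eth0
MASQPORTS=30000-60000
# Ports the box itself listens on externally (sample list): ssh, dns, IAX2, SIP.
LOCAL_PORTS="22 53 4569 5060"

# Print the three POSTROUTING rules from the post. Prints only; pipe the
# output to sh to apply them, so the rules can be reviewed first.
masq_rules() {
    base="-t nat -A POSTROUTING -s $IPBASE.0/$INTNM -o $EXTIF"
    echo "iptables $base -p udp -j MASQUERADE --to-ports $MASQPORTS"
    echo "iptables $base -p tcp -j MASQUERADE --to-ports $MASQPORTS"
    echo "iptables $base -j MASQUERADE"
}

# range_conflicts RANGE "PORT PORT ..." prints each port that falls inside
# RANGE (LO-HI or a single port). Any output means masqueraded flows could
# be given a source port that a local daemon, e.g. Asterisk on 5060, uses.
range_conflicts() {
    lo=${1%-*}
    hi=${1#*-}
    for p in $2; do
        if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
            printf '%s\n' "$p"
        fi
    done
}

# masqports_ok RANGE "PORT PORT ..." succeeds when there is no overlap.
masqports_ok() {
    [ -z "$(range_conflicts "$1" "$2")" ]
}

if masqports_ok "$MASQPORTS" "$LOCAL_PORTS"; then
    masq_rules
else
    echo "MASQPORTS=$MASQPORTS overlaps local listeners:" >&2
    range_conflicts "$MASQPORTS" "$LOCAL_PORTS" >&2
fi
```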