From: Lonnie A. <li...@lo...> - 2007-03-05 17:52:50
Kristian,

I think I understand you, maybe I am wrong? <smile>

But, I will try one more time. I'm no iptables guru, but this might be what I am suggesting:

    iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to 192.168.1.10:5060

This puts an inbound, external udp/5060 rule in the NAT table pointing to your asterisk box. If a different SIP device now tries to register out, it will not be given the external/public of 5060 since it is reserved by the NAT rule above. Correct?

Of course, if you want to receive inbound SIP to asterisk, you would also have to add something like:

    iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j ACCEPT

Is this clear?

Lonnie

On Mar 5, 2007, at 10:01 AM, Kristian Kielhofner wrote:

> On 3/2/07, Lonnie Abelbeck <li...@lo...> wrote:
>>
>> On Mar 2, 2007, at 3:12 PM, Kristian Kielhofner wrote:
>>
>>> In this scenario, the NAT code in the Linux kernel will attempt to
>>> use port 5060 on the external interface of the AstLinux machine. It
>>> does this for three reasons:
>>>
>>> 1) 5060 is above 1023
>>> 2) It defaults to using the same port that is used on the internal
>>> side (if possible)
>>> 3) It doesn't know that there is something listening on that port
>>> locally.
>>
>> Kristian,
>>
>> I don't understand your #3.
>> If you want your asterisk box to 'listen' on 5060, you have to port
>> forward 5060 to your asterisk box (192.168.1.10)
>>
>> using "ipnat" on FreeBSD
>> rdr sis1 0/0 port 5060 -> 192.168.1.10 port 5060 udp
>>
>> This would make port 5060 on the WAN interface unavailable, when a
>> SIP phone registered out the WAN, correct?
>>
>> My instincts say your suggested changes are unnecessary,
>>
>> but then again, I use m0n0wall. <smile>
>>
>> Lonnie
>>
>
> Lonnie,
>
> I think it is possible that you are misunderstanding me.
>
> Basically, if you use AstLinux in router mode and register a
> DIFFERENT SIP device behind it (nothing to do with Asterisk at all),
> you will block access to port 5060 because the Linux kernel will (by
> default) PAT using the same external port number as the device.
>
> Not only is m0n0 FreeBSD based (I don't know what the PAT specifics
> are there), it doesn't run Asterisk so it doesn't have this problem.
>
> --
> Kristian Kielhofner
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pa...@kr....
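The message above pairs a nat PREROUTING DNAT rule with a FORWARD ACCEPT rule for the same destination. As an added example (not part of the original thread), this shell function scans `iptables-save` text and lists DNAT targets that have no exact-match FORWARD ACCEPT; the function name, the sample ruleset and the second forwarded port (4569) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report DNAT targets lacking a matching FORWARD ACCEPT rule.
# Reads iptables-save output on stdin and prints "proto ip:port" per gap.
# Assumption: exact matches only (-d host/32, -p proto, --dport port);
# broader ACCEPT rules (subnets, no --dport, port ranges) are not evaluated.
dnat_without_forward() {
    awk '
    # Return the word that follows option "opt" on the current rule line.
    function optval(opt,    i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    # Track which table section (*nat, *filter, ...) we are in.
    /^\*/ { table = substr($1, 2) }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && optval("-j") == "DNAT" {
        to = optval("--to-destination")
        # Without an explicit port, DNAT keeps the original destination port.
        if (to !~ /:/) to = to ":" optval("--dport")
        dnat[optval("-p") " " to] = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && optval("-j") == "ACCEPT" {
        dst = optval("-d"); sub(/\/32$/, "", dst)
        allowed[optval("-p") " " dst ":" optval("--dport")] = 1
    }
    END { for (k in dnat) if (!(k in allowed)) print k }
    ' | sort
}

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i sis1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.10:5060
-A PREROUTING -i sis1 -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.1.10:4569
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.10/32 -p udp -m udp --dport 5060 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_RULES" | dnat_without_forward
```

On a live router the same function can be fed with `iptables-save | dnat_without_forward`, which requires root.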