From: Kristian K. <kri...@gm...> - 2007-03-05 19:55:35
On 3/5/07, Lonnie Abelbeck <li...@lo...> wrote:
> Kristian,
>
> I think I understand you, maybe I am wrong? <smile>
>
> But, I will try one more time.
>
> I'm no iptables guru, but this might be what I am suggesting:
> iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to 192.168.1.10:5060
>
> This puts an inbound, external udp/5060 rule in the NAT table
> pointing to your asterisk box. If a different SIP device now tries
> to register out, it will not be given the external/public of 5060
> since it is reserved by the NAT rule above. Correct?
>
> Of course, if you want to receive inbound SIP to asterisk, you would
> also have to add something like:
> iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j ACCEPT
>
> Is this clear?
>
> Lonnie

Lonnie,

I started on FreeBSD/OpenBSD and I understand ipfw/pf rules quite well. I appreciate the translation to iptables for the other readers :).

We are talking about two different things. You want to put an Asterisk box behind another Linux/iptables router (that isn't running Asterisk) and translate traffic on the Linux/iptables box. I want to put a SIP device behind a Linux/iptables router that is running Asterisk. This causes a problem. The iptables MASQUERADE & SNAT (not DNAT) code (by default) will assign port 5060 on the external interface as the port to be used for PAT with the SIP device BEHIND the Linux router. This will make port 5060 on the Linux/iptables/Asterisk box inaccessible via SIP, because incoming traffic to the external interface on port 5060 will be translated and routed to the SIP device behind NAT because of the iptables MASQ state. Using --to-ports forces the MASQ/SNAT code to only use ports in the defined range - not the port used by the device inside the NAT.

Is this making sense to anyone else? If so, can you explain it better than I can :)?

-- 
Kristian Kielhofner
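The port collision Kristian describes, as an added example that is not part of the original thread: a small Python model of how MASQUERADE/SNAT chooses an external source port. Without --to-ports the NAT code keeps the phone's source port 5060 when that external port is not yet used by another translated flow (it does not consult local sockets), so the provider's replies to port 5060 are reverse-translated to the phone and never reach the Asterisk listener on the NAT box. With --to-ports the phone is mapped into the given range and port 5060 stays with Asterisk. The addresses, the phone, the provider and the `Nat`/`sip_scenario` names are constructed for the example; the model is a simplification of netfilter, not its code.

```python
"""Simplified model of netfilter MASQUERADE/SNAT source-port selection.

Added example for this thread, not code from the original posts. It models
only the behaviour under discussion: with no --to-ports, the NAT code keeps
the inside host's source port (5060) when that external port is not already
used by another translated flow, so reply traffic for that flow is
reverse-translated to the phone instead of reaching the SIP listener on the
NAT box itself. All addresses and ports below are constructed.
"""

from __future__ import annotations

from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.5"   # constructed public address of the NAT/Asterisk box
SIP_PORT = 5060


@dataclass
class Nat:
    # (low, high) from --to-ports, or None for the default MASQUERADE behaviour
    to_ports: tuple | None = None
    # UDP ports with a local socket bound on the NAT box (e.g. Asterisk on 5060)
    local_listeners: set = field(default_factory=set)
    # conntrack-style table:
    # (external_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def _in_use(self, port: int) -> bool:
        return any(key[0] == port for key in self.table)

    def outbound(self, src_ip: str, src_port: int, remote_ip: str, remote_port: int) -> int:
        """Translate a new outbound UDP flow; return the external source port chosen."""
        if self.to_ports is None:
            # Default: try to keep the original source port, then fall back to the
            # ephemeral range. Local sockets are not consulted, as in netfilter.
            candidates = [src_port] + list(range(1024, 65536))
        else:
            # --to-ports: only ports inside the configured range are ever used.
            lo, hi = self.to_ports
            candidates = range(lo, hi + 1)
        for port in candidates:
            if not self._in_use(port):
                self.table[(port, remote_ip, remote_port)] = (src_ip, src_port)
                return port
        raise RuntimeError("no free external port")

    def inbound(self, remote_ip: str, remote_port: int, dst_port: int):
        """Deliver a UDP packet from remote_ip:remote_port to EXTERNAL_IP:dst_port.

        Returns the (ip, port) that actually receives it, or None if nothing does.
        A matching conntrack entry is reverse-translated before local delivery
        is considered, which is what shadows the local SIP listener.
        """
        key = (dst_port, remote_ip, remote_port)
        if key in self.table:
            return self.table[key]
        if dst_port in self.local_listeners:
            return (EXTERNAL_IP, dst_port)
        return None


def sip_scenario(to_ports: tuple | None = None):
    """Constructed scenario: phone 192.168.1.20 registers from source port 5060 to a
    SIP provider at 198.51.100.7:5060 through the NAT box, which also runs Asterisk
    on UDP 5060. Returns (external port given to the phone, where the provider's
    traffic to EXTERNAL_IP:5060 lands)."""
    nat = Nat(to_ports=to_ports, local_listeners={SIP_PORT})
    provider = ("198.51.100.7", SIP_PORT)
    ext_port = nat.outbound("192.168.1.20", SIP_PORT, *provider)
    landing = nat.inbound(*provider, SIP_PORT)
    return ext_port, landing


if __name__ == "__main__":
    # Default MASQUERADE: phone keeps 5060, provider traffic goes to the phone.
    print("default MASQUERADE     :", sip_scenario())
    # --to-ports 10000-20000: phone is mapped to 10000, 5060 stays with Asterisk.
    print("--to-ports 10000-20000 :", sip_scenario((10000, 20000)))
```

The model tracks the full reply tuple the way conntrack does, so only traffic from the peer the phone talked to is redirected; in practice that is exactly the SIP provider both the phone and Asterisk need to reach on port 5060, which is why the collision matters.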