From: Bryce C. <br...@rh...> - 2007-03-05 20:28:32
It makes sense to me, but nonetheless here's my translation/simplification.

If a router is running Asterisk with SIP enabled, then port 5060 (and whatever RTP range is defined) is claimed by Asterisk. Generally this does not present a problem, except when you have to NAT another SIP device behind it. In order for the SIP device to communicate with the outside (technically, for the outside to talk to it), there must be a port forward in place on the router. This is where the conflict occurs. When the SIP device connects to its outside host, it's identified as being at 123.45.67.8:5060 (source address); however, 123.45.67.8 is the IP of the AstLinux router and port 5060 is the port Asterisk is already listening on. When the remote service tries to call the SIP device, it actually connects to Asterisk and the call won't go through.

As for the "fix" with MASQPORTS, you're only forwarding the RTP data, so audio will go through without a hitch; however, this does not solve the conflicting claims for port 5060. The simplest fix is to set your SIP phone, or Asterisk, to use a different port for SIP than 5060 (I think 5082 is another common choice).

Regards,
Bryce Chidester
Rhino Equipment Corp.
br...@rh...
Tel: +1 (480) 940-1826 x6351
Fax: +1 (480) 961-1826
FWD: 633686 x6351
IP: asterisk.rhinoequipment.com x6351

Kristian Kielhofner wrote:
> On 3/5/07, Lonnie Abelbeck <li...@lo...> wrote:
>
>> Kristian,
>>
>> I think I understand you, maybe I am wrong? <smile>
>>
>> But, I will try one more time.
>>
>> I'm no iptables guru, but this might be what I am suggesting:
>> iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to-destination 192.168.1.10:5060
>>
>> This puts an inbound, external udp/5060 rule in the NAT table pointing to your Asterisk box. If a different SIP device now tries to register out, it will not be given the external/public 5060 since it is reserved by the NAT rule above. Correct?
>>
>> Of course, if you want to receive inbound SIP to Asterisk, you would also have to add something like:
>> iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j ACCEPT
>>
>> Is this clear?
>>
>> Lonnie
>
> Lonnie,
>
> I started on FreeBSD/OpenBSD and I understand ipfw/pf rules quite well. I appreciate the translation to iptables for the other readers :).
>
> We are talking about two different things. You want to put an Asterisk box behind another Linux/iptables router (that isn't running Asterisk) and translate traffic on the Linux/iptables box.
>
> I want to put a SIP device behind a Linux/iptables router that is running Asterisk.
>
> This causes a problem.
>
> The iptables MASQUERADE & SNAT (not DNAT) code (by default) will assign port 5060 on the external interface as the port to be used for PAT with the SIP device BEHIND the Linux router. This will make port 5060 on the Linux/iptables/Asterisk box inaccessible via SIP, because incoming traffic to the external interface on port 5060 will be translated and routed to the SIP device behind NAT because of the iptables MASQ state.
>
> Using --to-ports forces the MASQ/SNAT code to only use ports in the defined range - not the port used by the device inside the NAT.
>
> Is this making sense to anyone else? If so, can you explain it better than I can :)?
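A small model of the MASQUERADE/SNAT port-selection conflict discussed in this thread, added here as an illustration and not taken from any message in it. The NatRouter class, its port-picking logic and the addresses are constructed, simplified stand-ins for netfilter's behaviour; the one property it reproduces is that conntrack checks only other tracked flows, never the router's own listening sockets, so the phone's 5060 is preserved and collides with Asterisk until a --to-ports range (or a different phone port) is used.

```python
from dataclasses import dataclass, field
from typing import Optional

# Port the router's own Asterisk binds for SIP (from the thread).
ASTERISK_SIP_PORT = 5060


@dataclass
class NatRouter:
    """Simplified model of SNAT/MASQUERADE source-port selection."""
    listening: set                      # ports bound by daemons on the router itself
    to_ports: Optional[range] = None    # --to-ports range; None = kernel default
    flows: dict = field(default_factory=dict)  # external port -> (inside ip, port)

    def masquerade(self, inside_ip, inside_port):
        """Return the external source port chosen for an outbound UDP flow."""
        if self.to_ports is None:
            # Default behaviour: keep the inside port if no tracked flow already
            # uses it. Locally bound sockets are NOT consulted, so 5060 is handed
            # out even though Asterisk listens there.
            candidates = [inside_port] + [p for p in range(1024, 65536) if p != inside_port]
        else:
            # With --to-ports, only the configured range is eligible.
            candidates = list(self.to_ports)
        for port in candidates:
            if port not in self.flows:
                self.flows[port] = (inside_ip, inside_port)
                return port
        raise RuntimeError("no free external port")

    def inbound_conflicts(self):
        """External ports claimed by both a local daemon and a NAT mapping.
        Inbound packets to these ports are translated by the MASQ state and
        never reach the local daemon, which is the symptom in the thread."""
        return sorted(self.listening & set(self.flows))


def demo(to_ports=None, phone_port=5060):
    """Phone at 192.168.1.10 (constructed) registers out through the router.
    Returns (external port it was given, list of conflicting ports)."""
    router = NatRouter(listening={ASTERISK_SIP_PORT}, to_ports=to_ports)
    external = router.masquerade("192.168.1.10", phone_port)
    return external, router.inbound_conflicts()


if __name__ == "__main__":
    print("default MASQUERADE:      ", demo())
    print("--to-ports 10000-20000:  ", demo(to_ports=range(10000, 20001)))
    print("phone moved to udp/5082: ", demo(phone_port=5082))
```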