From: Lonnie A. <li...@lo...> - 2007-03-05 21:15:49

Bryce,

> When the SIP device connects to its outside host, it's identified
> as being at 123.45.67.8:5060 (source address), however 123.45.67.8
> is the IP of the Astlinux router and port 5060 is the port Asterisk
> is already listening on.

Isn't iptables smart enough to realize that the udp/external 5060 nat
table is in use, and automatically assign a different external port
for the 2nd SIP device?

Lonnie

On Mar 5, 2007, at 2:27 PM, Bryce Chidester wrote:

> It makes sense to me, but nonetheless here's my translation/
> simplification.
>
> If a router is running Asterisk, with SIP enabled, then port 5060
> (and whatever RTP range is defined) are claimed by Asterisk.
> Generally, this does not present a problem, except until you have
> to try and NAT another SIP device behind it. In order for the SIP
> device to communicate to the outside (technically, for the outside
> to talk to it), there must be a port forward in place on the
> router. This is where the conflict occurs.
> When the SIP device connects to its outside host, it's identified
> as being at 123.45.67.8:5060 (source address), however 123.45.67.8
> is the IP of the Astlinux router and port 5060 is the port Asterisk
> is already listening on. When the remote service tries to call the
> SIP device, it actually connects to Asterisk and the call won't go
> through.
> As for the "fix" with MASQPORTS, you're only forwarding the RTP
> data so audio will go through without a hitch, however this does
> not solve the conflicting claims for port 5060.
> Simplest fix is to set your SIP phone, or Asterisk, to use a
> different port for SIP than 5060 (I think 5082 is another common
> choice).
>
> Regards,
> Bryce Chidester
> Rhino Equipment Corp.
> br...@rh...
>
> Kristian Kielhofner wrote:
>> On 3/5/07, Lonnie Abelbeck <li...@lo...> wrote:
>>
>>> Kristian,
>>>
>>> I think I understand you, maybe I am wrong?
>>>
>>> But, I will try one more time.
>>>
>>> I'm no iptables guru, but this might be what I am suggesting:
>>> iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to
>>> 192.168.1.10:5060
>>>
>>> This puts an inbound, external udp/5060 rule in the NAT table
>>> pointing to your asterisk box. If a different SIP device now tries
>>> to register out, it will not be given the external/public port of 5060
>>> since it is reserved by the NAT rule above. Correct?
>>>
>>> Of course, if you want to receive inbound SIP to asterisk, you would
>>> also have to add something like:
>>> iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j ACCEPT
>>>
>>> Is this clear?
>>>
>>> Lonnie
>>>
>> Lonnie,
>>
>> I started on FreeBSD/OpenBSD and I understand ipfw/pf rules quite
>> well. I appreciate the translation to iptables for the other
>> readers :).
>>
>> We are talking about two different things. You want to put an
>> Asterisk box behind another Linux/iptables router (that isn't running
>> Asterisk) and translate traffic on the Linux/iptables box.
>>
>> I want to put a SIP device behind a Linux/iptables router that is
>> running Asterisk.
>>
>> This causes a problem.
>>
>> The iptables MASQUERADE & SNAT (not DNAT) iptables code (by default)
>> will assign port 5060 on the external interface as the port to be used
>> for PAT with the SIP device BEHIND the Linux router. This will make
>> port 5060 on the Linux/iptables/Asterisk box inaccessible via
>> SIP because incoming traffic to the external interface on port 5060
>> will be translated and routed to the SIP device behind nat because of
>> the iptables MASQ state.
>>
>> Using --to-ports forces the MASQ/SNAT code to only use ports in the
>> defined range - not the port used by the device inside the NAT.
>>
>> Is this making sense to anyone else? If so, can you explain it
>> better than I can :)?
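Kristian's `--to-ports` point, written out as an added example that is not part of the thread: a dry-run shell script that confines the LAN phone's masqueraded UDP source ports to a fixed range so the router's external 5060 stays with the local Asterisk. The interface name `sis1` comes from the thread; the phone address `192.168.1.20` and the range `10000-20000` are constructed placeholders, and `IPT` defaults to `echo` so nothing is applied unless you set `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from AstLinux.
# WAN=sis1 is taken from the thread; LAN_PHONE and PAT_PORTS are constructed.
WAN="${WAN:-sis1}"
LAN_PHONE="${LAN_PHONE:-192.168.1.20}"
PAT_PORTS="${PAT_PORTS:-10000-20000}"
IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies for real

# Emit (or apply) the rules. The phone-specific line must come before the
# generic MASQUERADE so it is matched first; --to-ports rewrites the phone's
# UDP source port into PAT_PORTS, so the router's external 5060 is never
# claimed by the phone's registration (the failure Kristian describes).
nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_PHONE" -p udp \
        -j MASQUERADE --to-ports "$PAT_PORTS"
    # Everything else from the LAN keeps default masquerading.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Inbound UDP 5060 on the WAN belongs to the local Asterisk: deliver it
    # to INPUT and do not DNAT it anywhere.
    $IPT -A INPUT -i "$WAN" -p udp --dport 5060 -j ACCEPT
}

# Sanity check: the phone's MASQUERADE line carries --to-ports, and the range
# does not include 5060. Returns 0 when both hold, 1 otherwise.
check_rules() {
    lo="${PAT_PORTS%-*}"
    hi="${PAT_PORTS#*-}"
    [ "$lo" -gt 5060 ] || [ "$hi" -lt 5060 ] || return 1
    nat_rules | grep -q -- "-s $LAN_PHONE .*--to-ports $PAT_PORTS"
}

nat_rules
```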