From: Lonnie A. <li...@lo...> - 2007-03-05 21:48:16
Kristian, I will be quiet now, I looked at your "astfw" code... too much to get my brain around on this Monday.

In my thinking I was 'assuming' that asterisk was sitting behind the same NAT as would any LAN IP's, when a WAN interface is specified (non-PBX only mode). This is where I got confused.

I have to trust Kristian on this one. Sorry for all the comments...

Lonnie

On Mar 5, 2007, at 1:55 PM, Kristian Kielhofner wrote:

> On 3/5/07, Lonnie Abelbeck <li...@lo...> wrote:
>> Kristian,
>>
>> I think I understand you, maybe I am wrong? <smile>
>>
>> But, I will try one more time.
>>
>> I'm no iptables guru, but this might be what I am suggesting:
>> iptables -t nat -A PREROUTING -i sis1 -p udp --dport 5060 -j DNAT --to
>> 192.168.1.10:5060
>>
>> This puts an inbound, external udp/5060 rule in the NAT table
>> pointing to your asterisk box. If a different SIP device now tries
>> to register out, it will not be given the external/public of 5060
>> since it is reserved by the NAT rule above. correct?
>>
>> Of course, if you want to receive inbound SIP to asterisk, you would
>> also have to add something like:
>> iptables -A FORWARD --destination 192.168.1.10 -p udp --dport 5060 -j
>> ACCEPT
>>
>> Is this clear?
>>
>> Lonnie
>>
>
> Lonnie,
>
> I started on FreeBSD/OpenBSD and I understand ipfw/pf rules quite
> well. I appreciate the translation to iptables for the other
> readers :).
>
> We are talking about two different things. You want to put an
> Asterisk box behind another Linux/iptables router (that isn't running
> Asterisk) and translate traffic on the Linux/iptables box.
>
> I want to put a SIP device behind a Linux/iptables router that is
> running Asterisk.
>
> This causes a problem.
>
> The iptables MASQUERADE & SNAT (not DNAT) iptables code (by default)
> will assign port 5060 on the external interface as the port to be used
> for PAT with the SIP device BEHIND the Linux router. This will make
> port 5060 on the Linux/iptables/Asterisk box to be inaccessible via
> SIP because incoming traffic to the external interface on port 5060
> will be translated and routed to the SIP device behind nat because of
> the iptables MASQ state.
>
> Using --to-ports forces the MASQ/SNAT code to only use ports in the
> defined range - not the port used by the device inside the NAT.
>
> Is this making sense to anyone else? If so, can you explain it
> better than I can :)?
>
> --
> Kristian Kielhofner
>
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pa...@kr....
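To make Kristian's point concrete, here is an added example that is not code from the thread or from AstLinux: a small Python model of how MASQUERADE picks the WAN-side port for a LAN SIP phone and what that does to inbound SIP for Asterisk on the router itself. All addresses, hosts and ports are constructed (router WAN 203.0.113.1, LAN phone 192.168.1.20:5060, provider 198.51.100.7:5060); the two iptables rules in the docstring are the ones the model stands in for, it does not execute them.

```python
"""Toy model of the MASQUERADE port-allocation problem described in the thread.

Added example, not code from the thread or from AstLinux. Every address,
host and port is constructed: the router's WAN address is 203.0.113.1,
the LAN phone is 192.168.1.20, the SIP provider is 198.51.100.7:5060, and
Asterisk on the router itself listens on UDP 5060.

It contrasts two POSTROUTING policies (rules it models, not rules it runs):
  default:  iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  fixed:    iptables -t nat -A POSTROUTING -o eth0 -p udp -j MASQUERADE --to-ports 10000-20000
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

WAN_IP = "203.0.113.1"                          # router's public address (constructed)
ROUTER_SIP_PORT = 5060                          # Asterisk on the router itself
LAN_PHONE: Endpoint = ("192.168.1.20", 5060)    # SIP device behind the router (constructed)
PROVIDER: Endpoint = ("198.51.100.7", 5060)     # where the phone registers (constructed)


@dataclass
class MasqueradeModel:
    """Minimal model of MASQUERADE/SNAT port choice plus the conntrack state it leaves behind."""
    to_ports: Optional[Tuple[int, int]] = None   # (lo, hi) when --to-ports is given
    # conntrack key: (remote ip, remote port, WAN-side port) -> LAN endpoint it belongs to
    state: Dict[Tuple[str, int, int], Endpoint] = field(default_factory=dict)

    def _pick_wan_port(self, lan_port: int, remote: Endpoint) -> int:
        # Simplification: uniqueness is checked per remote endpoint only.
        in_use = {wan for (rip, rport, wan) in self.state if (rip, rport) == remote}
        if self.to_ports is None:
            # Default behaviour the thread complains about: keep the LAN source
            # port on the WAN side whenever it is still free.
            if lan_port not in in_use:
                return lan_port
            candidates = range(1024, 65536)
        else:
            # --to-ports: only ever hand out ports from the configured range.
            lo, hi = self.to_ports
            candidates = range(lo, hi + 1)
        for port in candidates:
            if port not in in_use:
                return port
        raise RuntimeError("no free WAN port")

    def outbound(self, lan: Endpoint, remote: Endpoint) -> int:
        """LAN host sends to remote; returns the WAN port it was mapped to."""
        wan_port = self._pick_wan_port(lan[1], remote)
        self.state[(remote[0], remote[1], wan_port)] = lan
        return wan_port

    def inbound(self, remote: Endpoint, wan_port: int) -> Endpoint:
        """Who receives a UDP datagram from remote to WAN_IP:wan_port?"""
        mapped = self.state.get((remote[0], remote[1], wan_port))
        if mapped is not None:
            return mapped                  # existing MASQ state: reverse-translated to the LAN host
        return (WAN_IP, wan_port)          # no state: delivered to the router (Asterisk) itself


def who_answers_provider(to_ports: Optional[Tuple[int, int]] = None) -> Tuple[int, Endpoint]:
    """Phone registers out, then the provider sends SIP to WAN_IP:5060.
    Returns (WAN port the phone was given, endpoint that receives the provider's packet)."""
    nat = MasqueradeModel(to_ports=to_ports)
    phone_wan_port = nat.outbound(LAN_PHONE, PROVIDER)
    receiver = nat.inbound(PROVIDER, ROUTER_SIP_PORT)
    return phone_wan_port, receiver


if __name__ == "__main__":
    for label, rng in (("default MASQUERADE", None), ("--to-ports 10000-20000", (10000, 20000))):
        port, rcv = who_answers_provider(rng)
        print(f"{label:24s} phone mapped to WAN :{port:<5d} provider -> WAN:5060 reaches {rcv}")
```

With the default rule the phone keeps 5060 on the WAN side, so the provider's traffic to WAN:5060 matches the MASQ state and is forwarded to the phone, never reaching Asterisk on the router; with `--to-ports` the phone gets a port from the high range and WAN:5060 stays with the router. On a real AstLinux box the equivalent check is `iptables -t nat -L POSTROUTING -n` for the `--to-ports` range and `conntrack -L` (conntrack-tools) to see which WAN port a registered phone was actually given.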