[Asterisk-Users] Sipura SPA2000 behind NAT
Thierry Wehr
wehr at japet.com
Sat Jul 2 15:49:58 MST 2005
Hello,
This iptables setup won't work.
You need specific rules for the incoming UDP packets with status ESTABLISHED
and RELATED, like these simple ones.
Remember it's a stateful firewall.
In the nat section:
-A POSTROUTING -p udp -m udp -m state --state RELATED -j MASQUERADE
-A POSTROUTING -p udp -m udp -m state --state ESTABLISHED -j MASQUERADE
And in the filter section:
-A FORWARD -p udp -m udp -m state --state RELATED -j ACCEPT
-A FORWARD -p udp -m udp -m state --state ESTABLISHED -j ACCEPT
Best regards
Thierry
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of
> Guillermo Salas M
> Sent: Saturday, July 2, 2005 22:56
> To: asterisk-users at lists.digium.com
> Subject: RE: [Asterisk-Users] Sipura SPA2000 behind NAT
>
> Carlos,
>
> Thank you for your fast response :) , this is the output of
> iptables -nL on my linux box:
>
> root at razametal:/home/guillermo # iptables -nL
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 192.168.0.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> root at razametal:/home/guillermo # iptables -nL -t nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> This is my very-small and simple firewall script:
> root at razametal:/home/guillermo # cat /etc/init.d/firewall
> # Load modules
> modprobe ip_tables
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
> modprobe ip_nat_irc
> modprobe ip_conntrack_irc
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Flush
> iptables -X
> iptables -F
> iptables -X -t nat
> iptables -F -t nat
>
> # Enable NAT for 192.168.0.0/24
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> # Allow forwarding for 192.168.0.0/24
> iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
>
> # EOF
>
>
> On Sat, 2005-07-02 at 16:39 -0400, Carlos Alperin wrote:
> > Guillermo,
> >
> > This is an issue with your router. Do you have port 5060 open for SIP?
> > Also, RTP needs to be open from 16384 to 32767.
> >
> > Saludos,
> >
> > Carlos Alperin
> > Senior System Engineer
> > Seneca Communications, LLC
> > calperin at senecacom.net
> >
> >
> > -----Original Message-----
> > From: asterisk-users-bounces at lists.digium.com
> > [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of
> > Guillermo Salas M
> > Sent: Saturday, July 02, 2005 4:13 PM
> > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: [Asterisk-Users] Sipura SPA2000 behind NAT
> >
> > Hi, I've one Sipura SPA2000 at home behind a linuxbox with two network
> > adapters (eth0 for WAN and eth1 for LAN) doing NAT/DHCP:
> >
> >
> > ___________ HOME _______________        ____ OFFICE ____
> > SPA2000       <--->  Linux Box          <-->  Asterisk Box
> > 192.168.0.253        192.168.0.1 eth1         200.93.xxx.a
> >                      200.93.xxx.b eth0
> >
> > My problem is when I try to call to any trunk or extension I can hear the
> > audio when the destination is ringing, but I can hear the voice of the
> > person when it responds. The person in the other side can hear me, but
> > I can not hear anything from him. I can not hear the voice prompts for
> > the voicemail (*98) or the operator voice, but can leave voice
> > messages to other SIP devices and they can hear my messages.
> >
> > This is my sip.conf
> > [105]
> > username=105
> > type=friend
> > secret=105
> > qualify=no
> > port=5060
> > nat=yes
> > mailbox=105 at default
> > host=dynamic
> > dtmfmode=rfc2833
> > context=from-internal
> > canreinvite=no
> > callerid="Guilllermo Salas HOME" <105>
> >
> > My ext on line 1 of the Sipura is 105, and is registered with the * box:
> > -- Registered SIP '105' at 200.93.220.27 port 5060 expires 3600
> >
> > asterisk*CLI> sip show peer 105
> > asterisk*CLI>
> >
> > * Name : 105
> > Secret : <Set>
> > MD5Secret : <Not set>
> > Context : from-internal
> > Language : es
> > FromUser :
> > FromDomain :
> > Callgroup : (0)
> > Pickupgroup : (0)
> > Mailbox : 105 at default
> > LastMsgsSent : 2
> > Dynamic : Yes
> > Expire : 4
> > Expiry : 900
> > Insecure : No
> > Nat : Always
> > ACL : No
> > CanReinvite : No
> > PromiscRedir : No
> > DTMFmode : rfc2833
> > LastMsg : 0
> > ToHost :
> > Addr->IP : 200.93.xxx.xb Port 5060
> > Defaddr->IP : 0.0.0.0 Port 5060
> > Username : 105
> > Codecs : 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263)
> > Codec Order : (g729|g723|gsm|g726|ulaw|alaw|h261|h263)
> > Status : UNKNOWN
> > Useragent :
> > Full Contact : sip:105 at 192.168.0.253:5060
> >
> > And this is the output of sip debug peer 105 when I call to *98 (for
> > voice messages):
> >
> > asterisk*CLI> sip debug peer 105
> > SIP Debugging Enabled for IP: 200.93.xxx.xb:5060
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 4 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as038653dd
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 4 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call 'a584ba93-53c0013c at 192.168.0.253'
> >
> > asterisk*CLI>
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 6 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as5099fa8f
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 6 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call 'a584ba93-53c0013c at 192.168.0.253'
> > asterisk*CLI>
> >
> >
> > I dial *98 to get into the voice message system:
> >
> > asterisk*CLI>
> >
> > Sip read:
> > ACK sip:*98 at sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-600583f3
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:*98 at sip.mydomain.net>;tag=as65eec750
> > Call-ID: 636a9064-eba36dcb at 192.168.0.253
> > CSeq: 101 ACK
> > Max-Forwards: 70
> > Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > asterisk*CLI>
> >
> > Sip read:
> > INVITE sip:*98 at sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:*98 at sip.mydomain.net>
> > Call-ID: 636a9064-eba36dcb at 192.168.0.253
> > CSeq: 102 INVITE
> > Max-Forwards: 70
> > Proxy-Authorization: Digest username="105",realm="asterisk",nonce="47a68adb",uri="sip:*98 at sip.mydomain.net",algorithm=MD5,response="8e60f592df094f9b852a59544b9da384"
> > Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> > Expires: 240
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 422
> > Content-Type: application/sdp
> >
> > v=0
> > o=- 12384 12384 IN IP4 192.168.0.253
> > s=-
> > c=IN IP4 192.168.0.253
> > t=0 0
> > m=audio 16468 RTP/AVP 4 0 2 8 18 96 97 98 100 101
> > a=rtpmap:4 G723/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:2 G726-32/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:18 G729a/8000
> > a=rtpmap:96 G726-40/8000
> > a=rtpmap:97 G726-24/8000
> > a=rtpmap:98 G726-16/8000
> > a=rtpmap:100 NSE/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-15
> > a=ptime:30
> > a=sendrecv
> >
> > 13 headers, 19 lines
> > Using latest request as basis request
> > Sending to 192.168.0.253 : 5060 (NAT)
> > Found user '105'
> > Found RTP audio format 4
> > Found RTP audio format 0
> > Found RTP audio format 2
> > Found RTP audio format 8
> > Found RTP audio format 18
> > Found RTP audio format 96
> > Found RTP audio format 97
> > Found RTP audio format 98
> > Found RTP audio format 100
> > Found RTP audio format 101
> > Peer audio RTP is at port 192.168.0.253:16468
> > Found description format G723
> > Found description format PCMU
> > Found description format G726-32
> > Found description format PCMA
> > Found description format G729a
> > Found description format G726-40
> > Found description format G726-24
> > Found description format G726-16
> > Found description format NSE
> > Found description format telephone-event
> > Capabilities: us - 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263), peer - audio=0x51d (g723|ulaw|alaw|g726|g729|ilbc)/video=0x0 (nothing), combined - 0x11d (g723|ulaw|alaw|g726|g729)
> > Non-codec capabilities: us - 0x1 (g723), peer - 0x1 (g723), combined - 0x1 (g723)
> > Looking for *98 in from-internal
> > list_route: hop: <sip:105 at 192.168.0.253>
> > Transmitting (NAT):
> > SIP/2.0 100 Trying
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> > Call-ID: 636a9064-eba36dcb at 192.168.0.253
> > CSeq: 102 INVITE
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact: <sip:*98 at 200.93.xxx.xa>
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > -- Executing Answer("SIP/105-6408", "") in new stack
> > We're at 200.93.xxx.xa port 12436
> > Video is at 200.93.xxx.xa port 16274
> > Answering with preferred capability 0x100 (g729)
> > Answering with preferred capability 0x1 (g723)
> > Answering with preferred capability 0x2 (gsm)
> > Answering with preferred capability 0x10 (g726)
> > Answering with preferred capability 0x4 (ulaw)
> > Answering with preferred capability 0x8 (alaw)
> > Answering with preferred capability 0x40000 (h261)
> > Answering with preferred capability 0x80000 (h263)
> > Answering with non-codec capability 0x1 (telephone-event)
> > Reliably Transmitting (NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> > Call-ID: 636a9064-eba36dcb at 192.168.0.253
> > CSeq: 102 INVITE
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact: <sip:*98 at 200.93.xxx.xa>
> > Content-Type: application/sdp
> > Content-Length: 340
> >
> > v=0
> > o=root 7393 7393 IN IP4 200.93.xxx.xa
> > s=session
> > c=IN IP4 200.93.xxx.xa
> > t=0 0
> > m=audio 12436 RTP/AVP 18 4 3 2 0 8 101
> > a=rtpmap:18 G729/8000
> > a=rtpmap:4 G723/8000
> > a=rtpmap:3 GSM/8000
> > a=rtpmap:2 G726-32/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-16
> > a=silenceSupp:off - - - -
> >
> > to 200.93.xxx.xb:5060
> > -- Executing Wait("SIP/105-6408", "1") in new stack
> > asterisk*CLI>
> >
> > Sip read:
> > ACK sip:*98 at 200.93.xxx.xa SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:*98 at sip.mydomain.net>;tag=as58095e00
> > Call-ID: 636a9064-eba36dcb at 192.168.0.253
> > CSeq: 102 ACK
> > Max-Forwards: 70
> > Proxy-Authorization: Digest username="105",realm="asterisk",nonce="47a68adb",uri="sip:*98 at sip.mydomain.net",algorithm=MD5,response="74dd50faa2bb97fdb1a0fe6ce93489de"
> > Contact: Guillermo Salas M <sip:105 at 192.168.0.253>
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 11 headers, 0 lines
> > -- Executing VoiceMailMain("SIP/105-6408", "default") in new stack
> > -- Playing 'vm-login' (language 'es')
> > asterisk*CLI>
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 9 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> > From: Guillermo Salas M
> > <sip:105 at sip.mydomain.net>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as45caf3ff
> > Call-ID: a584ba93-53c0013c at 192.168.0.253
> > CSeq: 9 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call 'a584ba93-53c0013c at 192.168.0.253'
> > -- No username but # key pressed. Using CID '105'
> > -- Playing 'vm-password' (language 'es')
> > -- Incorrect password '' for user '105' (context = <any>)
> > -- Playing 'vm-incorrect-mailbox' (language 'es')
> > asterisk*CLI>
> >
> > Any hint will be very appreciated,
> >
> >
> > Regards,
> >
> >
> > Guill3rm0
> >
> > _______________________________________________
> > Asterisk-Users mailing list
> > Asterisk-Users at lists.digium.com
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> > http://lists.digium.com/mailman/listinfo/asterisk-users
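Added example (not part of the original thread): the INVITE in the quoted trace carries the phone's LAN address in Via, Contact and the SDP c= line even though the packet arrived from the public side of the NAT box, which is why Asterisk logs "Peer audio RTP is at port 192.168.0.253:16468". The check below flags that mismatch in a captured SIP message; the function name, the sample message and the address 203.0.113.27 (standing in for the masked public IP) are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the INVITE in the thread; 203.0.113.27 is a
# documentation address standing in for the masked public IP of the NAT box.
SAMPLE_INVITE = (
    "INVITE sip:*98@sip.mydomain.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b\r\n"
    "Contact: Guillermo Salas M <sip:105@192.168.0.253>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 12384 12384 IN IP4 192.168.0.253\r\n"
    "c=IN IP4 192.168.0.253\r\n"
    "m=audio 16468 RTP/AVP 4 0 2 8 18 101\r\n"
)

PATTERNS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([\d.]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?sip:[^@>\s]+@([\d.]+)", re.I | re.M),
    "sdp_c": re.compile(r"^c=IN IP4 ([\d.]+)", re.M),
}
MEDIA = re.compile(r"^m=audio (\d+) ", re.M)


def nat_findings(message: str, packet_src: str) -> dict:
    """Report private addresses written in a SIP message that differ from
    the address the packet actually came from (i.e. the sender is NATed)."""
    src = ipaddress.ip_address(packet_src)
    private = {}
    for field, pattern in PATTERNS.items():
        match = pattern.search(message)
        if not match:
            continue
        addr = ipaddress.ip_address(match.group(1))
        if addr.is_private and addr != src:
            private[field] = str(addr)
    media = MEDIA.search(message)
    rtp = None
    if media and "sdp_c" in private:
        # Where the peer would send audio if it trusted the SDP as written.
        rtp = (private["sdp_c"], int(media.group(1)))
    return {"private": private, "rtp_target": rtp}


if __name__ == "__main__":
    print(nat_findings(SAMPLE_INVITE, "203.0.113.27"))
```

A non-empty "private" result means return traffic has to follow the NAT mapping of the observed source address rather than the addresses written in the message, which is the traffic the forwarding rules on the Linux box must let back in.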