[asterisk-users] SIP AND NAT
John A. Sullivan III
jsullivan at opensourcedevel.com
Mon Aug 3 12:35:32 CDT 2009
On Mon, 2009-08-03 at 13:29 -0400, Ketema Harris wrote:
> I recently did a set up where I replaced a simple D-link home router
> that was having trouble processing a T1's worth of bandwidth with a
> Linux machine running iptables. The kernel was 2.6.29-r5 and I chose
> the SIP connection tracking modules from the menuconfig.
>
> Router worked fine for normal traffic, but I was unable to get the SIP
> phones to work. Using ngrep it was plain to see that although the
> packets going out were reaching their destination the data inside the
> SIP headers all contained non-routable IPs. I used lsmod and saw that
> the following modules:
>
> nf_nat_sip 5084 0
> nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
> nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat
> nf_defrag_ipv4 1788 1 nf_conntrack_ipv4
>
> were loaded. I also googled and found the http://www.iptel.org/sipalg/
> website, but since this seemed to be a little dated I assumed
> the modules contained in the kernel source tree were newer and more
> "reliable"
>
> My questions are: What is the correct way (or resource to find a way)
> to get a Linux firewall to work with SIP so that the NAT issue is not
> an issue?
<snip>
Not an area of great expertise for me. I would think nf_nat_sip would
take care of it but I'm surprised to not see conntrack_sip.
Here is what is running on our firewall (not that we do a lot with NAT'd
SIP but the little we've done seems to work):
[root@fw01 ~]# lsmod | grep sip
ip_nat_sip 37313 0
ip_conntrack_sip 41745 1 ip_nat_sip
ip_nat 52845 5 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,iptable_nat
ip_conntrack 91237 13 ip_nat_h323,ip_nat_irc,ip_nat_ftp,ip_nat_sip,ip_conntrack_tftp,ip_conntrack_irc,ip_conntrack_h323,ip_conntrack_ftp,ip_conntrack_sip,ip_conntrack_netbios_ns,xt_state,iptable_nat,ip_nat
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
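
Added example (not part of either message in this thread, and not kernel or Asterisk tooling): a shell check that reads lsmod output and reports whether both the SIP conntrack helper and the SIP NAT helper are loaded, run here over the two listings posted above. The function name check_sip_helpers is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. check_sip_helpers is a hypothetical name.
# Reads lsmod-style text on stdin, reports the SIP conntrack and NAT helpers,
# and returns 0 only when both are loaded.
check_sip_helpers() {
    awk '
        # lsmod column 1 is the module name. Match the nf_* names and the
        # older ip_* names, both of which appear in the thread.
        $1 == "nf_conntrack_sip" || $1 == "ip_conntrack_sip" { ct = $1 }
        $1 == "nf_nat_sip"       || $1 == "ip_nat_sip"       { nat = $1 }
        END {
            print "conntrack helper: " (ct != "" ? ct : "MISSING")
            print "nat helper: " (nat != "" ? nat : "MISSING")
            ok = (ct != "" && nat != "")
            exit (ok ? 0 : 1)
        }'
}

# Listing from the quoted message (nf_* names, kernel 2.6.29-r5).
sample_quoted() {
    cat <<'EOF'
nf_nat_sip 5084 0
nf_nat 16400 3 nf_nat_sip,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4 11912 3 iptable_nat,nf_nat
nf_defrag_ipv4 1788 1 nf_conntrack_ipv4
EOF
}

# First two lines of the listing from the reply (older ip_* names).
sample_reply() {
    cat <<'EOF'
ip_nat_sip 37313 0
ip_conntrack_sip 41745 1 ip_nat_sip
EOF
}

echo "== quoted listing =="
sample_quoted | check_sip_helpers || echo "SIP helper set incomplete"
echo "== reply listing =="
sample_reply | check_sip_helpers || echo "SIP helper set incomplete"
```

On a live firewall the same check is `lsmod | check_sip_helpers`. A helper compiled into the kernel rather than built as a module does not appear in lsmod, so MISSING here means only that it is not loaded as a module.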