[Serusers] SER in iptables NAT box

Lasse Jansson lasse at solstiernan.nu
Sat Feb 7 16:05:02 CET 2004

Quite a few people have a hard time in finding working solutions for SIP in 
NAT environments.

I have successfully tried a setup where SER resides in an iptables NAT box. In 
this case, the tricky part is the iptables config (since no netfilter SIP ALG 
exists yet), so I thought I'd share a working iptables config wrt SER and UAs 
behind the NAT.

As far as I have seen both SER and the UAs work fine with this setup.


- You have an iptables NAT box with one public IP address and a privately 
addressed LAN inside
- SER resides in the NAT box
- You use UAs where it is possible for you to select what ports to use for SIP 
and media (.e.g. KPhone or X-Lite)
- The UAs use STUN or some other means that results in having the public IP 
address in SDP
- THE UAs use UDP for SIP and media
- SER is reachable via both UDP and TCP from the Internet and the LAN

- All chains have a default policy = DENY to start with
- The machines on the internal LAN have unresticted access to the NAT box 
through appropriate rules
- You have configured appropriate spoofing filters
- You are not worried about having permanent openings through the NAT to your 
LAN machines

#  Variables - may provide rule statements which are more easy to read, but 
aren't necessary

EXTERNAL_INTERFACE=<insert the device name of your Internet i/f here>
# example EXTERNAL_INTERFACE="eth0"

IPADDR=<insert your public IP here, or the command you use to dig it out>
# pseudo example: IPADDR="a.b.c.d."

SIP_UA_HOST_1=<insert the private IP of the relevant host on your private LAN>
# example SIP_UA_HOST_1=""

SIP_PORT_1=<insert the desired SIP port for SIP_UA_HOST_1 here. NOT port 5060 
which is used by SER>
# example SIP_PORT_1="5062"

M_PORT_1=<insert the desired media port for SIP_UA_HOST_1 here>
# example M_PORT_1="37000"

# Ports above the well known ports (see www.iana.org/assignments/port-numbers)


iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
-d $IPADDR --destination-port 5060 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \
-s $IPADDR --source-port 5060 -j ACCEPT

iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  \
-d $IPADDR --destination-port 5060 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \
 -s $IPADDR --source-port 5060 -j ACCEPT

# SIP_UA_HOST_1, repeat with appropriate replacements of hosts and port 
numbers for each host on private LAN

# ------------ Part 1: Provides forwarding of media to SIP_UA_HOST_1 from both 
Internet and LAN UAs

iptables -A PREROUTING -t nat -p udp --source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $M_PORT_1 -j DNAT --to $SIP_UA_HOST_1

iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $M_PORT_1 \

# ------------ Part 2

# a): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 
from both Internet and LAN UAs

iptables -A PREROUTING -t nat -p udp -d $IPADDR --destination-port \

# b): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 
from SER (e.g. an INVITE)

iptables -A OUTPUT -t nat -p udp -s $IPADDR --source-port 5060 \
-d $IPADDR --destination-port $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1

# c): Allows the actual packet forwarding of SIP messages to SIP_UA_HOST_1

iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $SIP_PORT_1 \



1. The netfilter/iptables project homepage, see http://www.netfilter.org/

2. OpenNA Inc. provides useful books on building and configuring Linux hosts, 
including iptables.
see e.g. http://www.openna.com/products/books/sol/solus.php

More information about the sr-users mailing list