[Serusers] SER in iptables NAT box

Lasse Jansson lasse at solstiernan.nu
Sat Feb 7 16:05:02 CET 2004


Quite a few people have a hard time finding working solutions for SIP in 
NAT environments.

I have successfully tried a setup where SER resides in an iptables NAT box. In 
this case, the tricky part is the iptables config (since no netfilter SIP ALG 
exists yet), so I thought I'd share a working iptables config wrt SER and UAs 
behind the NAT.

As far as I have seen both SER and the UAs work fine with this setup.

/Lasse

* SCENARIO:
- You have an iptables NAT box with one public IP address and a privately 
addressed LAN inside
- SER resides in the NAT box
- You use UAs where it is possible for you to select what ports to use for SIP 
and media (e.g. KPhone or X-Lite)
- The UAs use STUN or some other means that results in having the public IP 
address in SDP (and in the Contact header)
- The UAs use UDP for SIP and media
- SER is reachable via both UDP and TCP from the Internet and the LAN

* NAT/IPTABLES ASSUMPTIONS
- All chains have a default policy of DROP to start with (iptables has no 
DENY target; that was ipchains)
- The machines on the internal LAN have unrestricted access to the NAT box 
through appropriate rules
- You have configured appropriate spoofing filters
- You are not worried about having permanent openings through the NAT to your 
LAN machines

* IPTABLES CONFIG
# Variables: they make the rule statements easier to read, but
# aren't necessary

# The device name of your Internet i/f
EXTERNAL_INTERFACE="eth0"

# Your public IP, or the command you use to dig it out
# (pseudo example, replace with the real address)
IPADDR="a.b.c.d"

# The private IP of the relevant host on your private LAN
SIP_UA_HOST_1="192.168.0.1"

# The desired SIP port for SIP_UA_HOST_1. NOT port 5060, which is used
# by SER on the NAT box itself
SIP_PORT_1="5062"

# The desired media port for SIP_UA_HOST_1
M_PORT_1="37000"

# Ports above the well known ports (see www.iana.org/assignments/port-numbers)
UNPRIVPORTS="1024:"

# ------------------------------------------------------------------------------------
# SIP SERVER PART

iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \
-d $IPADDR --destination-port 5060 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \
-s $IPADDR --source-port 5060 -j ACCEPT

iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  \
-d $IPADDR --destination-port 5060 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \
 -s $IPADDR --source-port 5060 -j ACCEPT
# ------------------------------------------------------------------------------------

# SIP_UA_HOST_1: repeat with appropriate replacements of host and port
# numbers for each host on the private LAN. Note that these rules only
# cover the inbound direction (Internet/LAN/SER -> SIP_UA_HOST_1); SIP
# replies and media sent by SIP_UA_HOST_1 rely on your existing
# FORWARD/masquerading rules.

# ------------ Part 1: Provides forwarding of media to SIP_UA_HOST_1 from
# both Internet and LAN UAs

iptables -A PREROUTING -t nat -p udp --source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $M_PORT_1 -j DNAT --to $SIP_UA_HOST_1

iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $M_PORT_1 \
-j ACCEPT

# ------------ Part 2

# a): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1
# from both Internet and LAN UAs

iptables -A PREROUTING -t nat -p udp -d $IPADDR --destination-port \
$SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1

# b): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1
# from SER (e.g. an INVITE). SER sends to the public address the UA put in
# its Contact, i.e. to this box itself, so the locally generated packet
# passes the nat OUTPUT chain (not PREROUTING) and must be DNATed there

iptables -A OUTPUT -t nat -p udp -s $IPADDR --source-port 5060 \
-d $IPADDR --destination-port $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1

# c): Allows the actual packet forwarding of SIP messages to SIP_UA_HOST_1

iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $SIP_PORT_1 \
-j ACCEPT

# ------------------------------------------------------------------------------------
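The per-host rule set above has to be repeated for every UA on the LAN. The
following script is an added example (not part of the original post or of
SER/netfilter) that generates the five rules of Part 1 and Part 2 for each
host in a small table, and refuses an entry whose SIP port collides with
SER's own 5060 (the PREROUTING DNAT would otherwise steal SER's traffic).
The public address 198.51.100.10, the UA table and the dry_run stand-in are
constructed assumptions; run with IPT=dry_run to print the rules instead of
applying them.

```sh
#!/bin/sh
# Added example, not part of the original post: generate the per-UA
# rule set (Part 1 and Part 2 above) for several LAN hosts from one
# table instead of editing the rules by hand for each host.
# The public address, the UA table and dry_run are constructed/assumed.

IPT="${IPT:-iptables}"             # set IPT=dry_run to print instead of apply
IPADDR="${IPADDR:-198.51.100.10}"  # documentation address, assumed
UNPRIVPORTS="1024:"
SER_PORT=5060                      # SER listens here on the NAT box

# One UA per line: private host, SIP port, media port (constructed sample)
UA_TABLE="192.168.0.1 5062 37000
192.168.0.2 5064 37002"

# dry_run: stand-in for iptables that prints the rule it would add
dry_run() { printf 'iptables %s\n' "$*"; }

# validate_ua HOST SIP_PORT MEDIA_PORT
# Rejects non-numeric ports, a SIP port equal to SER's own port (the
# PREROUTING DNAT would then capture SER's traffic) and equal SIP/media ports.
validate_ua() {
  sip=$2; media=$3
  case "$sip"   in ''|*[!0-9]*) return 1;; esac
  case "$media" in ''|*[!0-9]*) return 1;; esac
  [ "$sip" -eq "$SER_PORT" ] && return 1
  [ "$sip" -eq "$media" ] && return 1
  return 0
}

# ua_rules HOST SIP_PORT MEDIA_PORT: the five rules of Part 1 and Part 2
ua_rules() {
  host=$1; sip=$2; media=$3
  validate_ua "$host" "$sip" "$media" || return 1
  # Part 1: media from Internet and LAN UAs, DNAT to the host and forward it
  $IPT -t nat -A PREROUTING -p udp --sport "$UNPRIVPORTS" \
       -d "$IPADDR" --dport "$media" -j DNAT --to "$host"
  $IPT -A FORWARD -p udp -d "$host" --dport "$media" -j ACCEPT
  # Part 2a: SIP from Internet and LAN UAs
  $IPT -t nat -A PREROUTING -p udp -d "$IPADDR" --dport "$sip" \
       -j DNAT --to "$host"
  # Part 2b: SIP sent by SER itself to the UA's public Contact address,
  # i.e. to this box, so it is DNATed in the nat OUTPUT chain
  $IPT -t nat -A OUTPUT -p udp -s "$IPADDR" --sport "$SER_PORT" \
       -d "$IPADDR" --dport "$sip" -j DNAT --to "$host"
  # Part 2c: let the DNATed SIP packets through FORWARD
  $IPT -A FORWARD -p udp -d "$host" --dport "$sip" -j ACCEPT
}

# all_ua_rules: apply ua_rules to every line of UA_TABLE; stop on a bad entry
all_ua_rules() {
  while read -r host sip media; do
    [ -n "$host" ] || continue
    ua_rules "$host" "$sip" "$media" || {
      echo "rejected UA entry: $host $sip $media" >&2; return 1; }
  done <<EOF
$UA_TABLE
EOF
}

# Usage: sh ser_nat_rules.sh apply   (IPT=dry_run sh ser_nat_rules.sh apply to preview)
case "${1:-}" in apply) all_ua_rules ;; esac
```

Each host gets exactly five rules, so a dry run for the two sample hosts
prints ten iptables commands; keeping the host table in one place also makes
it easy to check that no two UAs share a SIP or media port on the public
address.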

* REFERENCES

1. The netfilter/iptables project homepage, see http://www.netfilter.org/

2. OpenNA Inc. provides useful books on building and configuring Linux hosts, 
including iptables.
see e.g. http://www.openna.com/products/books/sol/solus.php