[Serusers] SER and rtpproxy in a DMZ

Holger Moskopp holger at moskopp.com
Thu Sep 15 20:09:03 CEST 2005


Hello,

my name is Holger Moskopp and I'm a student at the FH Cologne.
At the moment I'm working on my thesis.

I have to build a firewall with a DMZ and a SIP Express Router with RTPproxy.
It should look like this:

--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser1.jpg
--------------------------------------------------------


I'm in a subnet of the FH (the school) and have installed on the computer xxx.22 
(fwclient) a SER registrar with RTPproxy and a Kphone softphone. On the internal SER 
there is a Kphone registered (holleinnen). In the DMZ there is a SER with rtpproxy.
In the FH net there is a SER with Radius authentication and two 
softphones.

Phil at xxx.73 is registered at that SER. holleaussen 
is registered on another registrar that is not in the picture.

If I want to call from holleinnen to phil, everything works 
marvelously. The SIP signaling and the RTP traffic run through the DMZ.

--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser2.jpg
--------------------------------------------------------

Now to the problem: if I start a call from holleaussen to holleinnen, the 
SIP phase works perfectly through the DMZ. It rings inside and I can answer. After 
that nothing more happens.
With tethereal and ethereal I saw that the RTP traffic "wants" to take the 
way directly from end to end.

--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser4.jpg
--------------------------------------------------------

Do you have an idea what is going wrong?
I attached the two ser.cfg files because I think
the mistake is there. I have been trying to fix it for 3 days
now - but with no success.

--------------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser-dmz.txt

http://www.ganeymed.de/pixx/fw_ids/ser-innen.txt
---------------------------------------------------------------

Here is the relevant firewall part:

# Chain that logs and then accepts the SIP/RTP traffic matched below.
$IPTABLES -N SIPLOG

# Unprivileged UDP ports in both directions between the DMZ and the
# external interface ...
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o \
  $EXTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED \
  -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $EXTERN_ETH --sport 1024:65535 -o \
  $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j \
  SIPLOG
# ... and between the internal interface and the DMZ.
# Note: there is no rule matching $INTERN_ETH <-> $EXTERN_ETH directly,
# so media that bypasses the DMZ is not covered by these rules.
$IPTABLES -I FORWARD -p udp -i $INTERN_ETH --sport 1024:65535 -o \
  $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j \
  SIPLOG
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o \
  $INTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED \
  -j SIPLOG

# Log first (inserted at the top), then accept (appended after the LOG).
$IPTABLES -I SIPLOG -j LOG --log-prefix "SIPLOG: "
$IPTABLES -A SIPLOG -j ACCEPT

# Forward SIP signaling (5060-5062) arriving from outside to the DMZ proxy.
$IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 5060:5062 \
  -j DNAT --to $prox

# (Changing the DNAT to the whole unprivileged range, as below, only sends
# the packets to prox, but prox doesn't take them:)
# $IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 1024:65535 \
#   -j DNAT --to $prox

I think a solution could be to use the stateful iptables filtering, 
but I don't like that solution.


Thank you and best regards
Holger Moskopp
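An added example, not part of Holger's post or of the SER/rtpproxy project: the symptom described above (signaling works, the ringing phone is answered, then silence, and the capture shows RTP trying to go end to end) is usually visible in the SDP of the SIP messages themselves. rtpproxy only anchors media when the proxy rewrites the c= and m= lines of the SDP to its own address and port (in SER this is what nathelper's force_rtp_proxy does), and it has to happen for both the INVITE and the final response. The script below parses the SDP of two constructed messages (an INVITE that was rewritten on its way in, and a 200 OK from the internal phone that was not), extracts the media address for every m= line, and names the leg whose SDP still carries an endpoint address. The addresses 192.0.2.10 (rtpproxy), 10.0.0.22 (internal phone) and the message contents are assumptions for this illustration.

```python
"""Check whether the SDP in captured SIP messages is anchored at the
rtpproxy or still points media directly at an endpoint."""

# Assumed DMZ rtpproxy address (not from the original post).
RTPPROXY_IP = "192.0.2.10"

# Constructed sample INVITE as it arrives at the internal SER: the DMZ
# side already rewrote c=/m= to the rtpproxy.
INVITE = (
    "INVITE sip:holleinnen@example.org SIP/2.0\r\n"
    "From: <sip:holleaussen@example.net>;tag=1\r\n"
    "To: <sip:holleinnen@example.org>\r\n"
    "Call-ID: abc@example.net\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 35000 RTP/AVP 0\r\n"
)

# Constructed sample 200 OK from the internal phone: nobody rewrote the
# SDP on the way out, so it still advertises the phone's own address.
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    "From: <sip:holleaussen@example.net>;tag=1\r\n"
    "To: <sip:holleinnen@example.org>;tag=2\r\n"
    "Call-ID: abc@example.net\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2 2 IN IP4 10.0.0.22\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.22\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)


def sdp_media(msg):
    """Return [(media_type, ip, port)] for every m= line in the SDP body.

    A session-level c= applies to every following m=; a c= that appears
    after an m= is media-level and overrides it for that stream only.
    """
    _, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    session_ip = None
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line.split()
            media.append([fields[0][2:], session_ip, int(fields[1])])
        elif line.startswith("c="):
            ip = line.split()[2]
            if media:
                media[-1][1] = ip      # media-level c= for the last m=
            else:
                session_ip = ip        # session-level c=
    return [tuple(m) for m in media]


def anchored(msg, proxy_ip=RTPPROXY_IP):
    """True when every media stream is pointed at the rtpproxy."""
    streams = sdp_media(msg)
    return bool(streams) and all(ip == proxy_ip for _, ip, _ in streams)


def diagnose(invite, final_response, proxy_ip=RTPPROXY_IP):
    """Name the leg(s) whose SDP still carries an endpoint address."""
    bad = []
    if not anchored(invite, proxy_ip):
        bad.append("INVITE (caller SDP not rewritten)")
    if not anchored(final_response, proxy_ip):
        bad.append("200 OK (callee SDP not rewritten)")
    return bad


if __name__ == "__main__":
    for name, msg in (("INVITE", INVITE), ("200 OK", OK_200)):
        print(name, sdp_media(msg), "anchored" if anchored(msg) else "DIRECT")
    print("unanchored legs:", diagnose(INVITE, OK_200))
```

Run it against the c= and m= lines taken from the ethereal capture of the failing call: whichever message still shows the phone's own address is the leg where the proxy did not hand the SDP to rtpproxy, and that is the direction in which the phones try to send RTP straight to each other.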




