Indeed,
It should be posted somewhere in big and in bold: if you're using a SIP
device within your private network, and you have its NAT capabilities
turned on, make sure to disable the SIP-NAT capabilities on the firewall.
It's a common problem with a lot of firewall products out there that do SIP
rewriting in order to make the protocol 'NAT friendly'.
Depending on the implementation used with iptables (ip_conntrack_sip), it
may be better to use the onboard NAT features of your SIP ATA/phone because
features like SIP REINVITE (peer-to-peer streaming) don't always work quite
well with firewall-based implementations and you may encounter situations
where the caller hears you, but you don't hear him, or vice versa.
Kris
On 11/10/07, Kenneth Burgener <[EMAIL PROTECTED]> wrote:
>
> Problem fixed, see below...
>
> Brian Camp wrote:
> > On Oct 31, 2007, at 3:27 PM, Tom Eastep wrote:
> >
> >> On the flip side, note that we've seen cases where loading
> >> ip_conntrack_sip has actually _broken_ working SIP installations.
> >
> > That reminds me..
> >
> > To work around the ip_nat_sip problem, I first appended 'rmmod
> > ip_nat_sip &> /dev/null' to our start file. It was a great solution, or so I
> > thought, because it didn't require modification of anything outside
> > of /etc/shorewall and survived shorewall upgrades performed via yum
> > update.
>
>
>
> I just wanted to let those that have been following this issue, or come
> across this problem in the future, know that this solution fixed the
> problem. I am now able to make inbound and outbound calls.
>
> It looks like the good people at Broadvoice set up the Sipura device to
> work around NAT, and shorewall (sip connection tracking to be specific),
> trying to be helpful, worked against this.
>
> All I did to solve this problem is add the following lines to my
> /etc/shorewall/start file:
>
> rmmod ip_nat_sip &> /dev/null
> rmmod ip_conntrack_sip &> /dev/null
>
> I did no port forwarding, or any other fancy stuff.
>
>
> Thanks everyone,
> Kenneth
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
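An added example, not part of the original thread: a small check that lists which SIP helper modules are loaded and prints the rmmod lines in dependency order (NAT helper before the conntrack helper it depends on). The function names and the sample /proc/modules text are constructed for illustration; nf_nat_sip and nf_conntrack_sip are the names the same helpers carry on newer kernels, which goes beyond the two modules named above.

```shell
#!/bin/sh
# Added example (not from the thread): report loaded SIP helper modules
# in a safe unload order, NAT helper first, then the conntrack helper.

# Constructed sample in /proc/modules format, used when no file is given.
SAMPLE_MODULES='ip_conntrack_sip 11537 1 ip_nat_sip, Live 0xf8a51000
ip_nat_sip 7937 0 - Live 0xf8a3c000
ip_conntrack 53025 3 ip_conntrack_sip,ip_nat_sip,ip_nat, Live 0xf89d2000
ip_tables 17029 2 iptable_nat,iptable_filter, Live 0xf88f1000'

# sip_helpers_loaded [FILE]: print loaded SIP helpers, one per line.
# FILE is a /proc/modules-style listing; the sample is used if omitted.
sip_helpers_loaded() {
    if [ -n "${1:-}" ]; then
        modules=$(cat "$1")
    else
        modules=$SAMPLE_MODULES
    fi
    # Order matters: each NAT helper is listed before its conntrack helper.
    for name in ip_nat_sip nf_nat_sip ip_conntrack_sip nf_conntrack_sip; do
        # Compare the first field exactly so ip_conntrack is not mistaken
        # for ip_conntrack_sip, and dependency columns are ignored.
        printf '%s\n' "$modules" | awk -v m="$name" '$1 == m { print $1 }'
    done
}

# unload_commands [FILE]: print (do not run) the lines one would add to
# /etc/shorewall/start for the helpers that are actually loaded.
unload_commands() {
    sip_helpers_loaded "${1:-}" | while read -r mod; do
        printf 'rmmod %s > /dev/null 2>&1\n' "$mod"
    done
}

# With --live, inspect the running kernel instead of the sample.
if [ "${1:-}" = "--live" ] && [ -r /proc/modules ]; then
    unload_commands /proc/modules
fi
```

Empty output means no SIP helper is loaded, so the firewall is not rewriting SIP and the device's own NAT handling is the only one in play.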