Hello

This iptables setup won't work. You need specific rules for the incoming UDP packets with status ESTABLISHED and RELATED, like these simple ones. Remember it's a stateful firewall.

In the nat section

-A POSTROUTING -p udp -m udp -m state --state RELATED -j MASQUERADE
-A POSTROUTING -p udp -m udp -m state --state ESTABLISHED -j MASQUERADE

And in the filter section

-A FORWARD -p udp -m udp -m state --state RELATED -j ACCEPT
-A FORWARD -p udp -m udp -m state --state ESTABLISHED -j ACCEPT

Best regards
Thierry

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Guillermo Salas M
> Sent: Saturday, July 2, 2005 22:56
> To: [email protected]
> Subject: RE: [Asterisk-Users] Sipura SPA2000 behind NAT
>
> Carlos,
>
> Thank you for your fast response :) , this is the output of
> iptables -nL on my linux box:
>
> [EMAIL PROTECTED]:/home/guillermo # iptables -nL
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> [EMAIL PROTECTED]:/home/guillermo # iptables -nL -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE all  --  192.168.0.0/24       0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> This is my very-small and simple firewall script:
> [EMAIL PROTECTED]:/home/guillermo # cat /etc/init.d/firewall
> # Load modules
> modprobe ip_tables
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
> modprobe ip_nat_irc
> modprobe ip_conntrack_irc
>
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Flush
> iptables -X
> iptables -F
> iptables -X -t nat
> iptables -F -t nat
>
> # Enable NAT for 192.168.0.0/24
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> # Allow forwarding for 192.168.0.0/24
> iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
> iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
>
> # EOF
>
>
> On Sat, 2005-07-02 at 16:39 -0400, Carlos Alperin wrote:
> > Guillermo,
> >
> > This is an issue with your router. Do you have open the ports 5060 for SIP?
> > Also, RTP needs to be open from 16384 to 32767.
> >
> > Regards,
> >
> > Carlos Alperin
> > Senior System Engineer
> > Seneca Communications, LLC
> > [EMAIL PROTECTED]
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Guillermo Salas M
> > Sent: Saturday, July 02, 2005 4:13 PM
> > To: Asterisk Users Mailing List - Non-Commercial Discussion
> > Subject: [Asterisk-Users] Sipura SPA2000 behind NAT
> >
> > Hi, I've one Sipura SPA2000 at home behind a linuxbox with two network
> > adapters (eth0 for WAN and eth1 for LAN) doing NAT/DHCP:
> >
> >
> > ___________ HOME _______________        ____OFFICE ____
> > SPA2000       <--->  Linux Box           <-->  Asterisk Box
> > 192.168.0.253        192.168.0.1 eth1          200.93.xxx.a
> >                      200.93.xxx.b eth0
> >
> > My problem is when I try to call to any trunk or extension I can hear the
> > audio when the destination is ringing, but I can hear the voice of the
> > person when it responds. The person in the other side can hear me, but
> > I can not hear anything from him. I can not hear the voice prompts for
> > the voicemail (*98) or the operator voice, but can leave voice
> > messages to other SIP devices and they can hear my messages.
> >
> > This is my sip.conf
> > [105]
> > username=105
> > type=friend
> > secret=105
> > qualify=no
> > port=5060
> > nat=yes
> > [EMAIL PROTECTED]
> > host=dynamic
> > dtmfmode=rfc2833
> > context=from-internal
> > canreinvite=no
> > callerid="Guilllermo Salas HOME" <105>
> >
> > My ext on line 1 of the Sipura is 105, and is registered with the * box:
> > -- Registered SIP '105' at 200.93.220.27 port 5060 expires 3600
> >
> > asterisk*CLI> sip show peer 105
> > asterisk*CLI>
> >
> > * Name : 105
> > Secret : <Set>
> > MD5Secret : <Not set>
> > Context : from-internal
> > Language : es
> > FromUser :
> > FromDomain :
> > Callgroup : (0)
> > Pickupgroup : (0)
> > Mailbox : [EMAIL PROTECTED]
> > LastMsgsSent : 2
> > Dynamic : Yes
> > Expire : 4
> > Expiry : 900
> > Insecure : No
> > Nat : Always
> > ACL : No
> > CanReinvite : No
> > PromiscRedir : No
> > DTMFmode : rfc2833
> > LastMsg : 0
> > ToHost :
> > Addr->IP : 200.93.xxx.xb Port 5060
> > Defaddr->IP : 0.0.0.0 Port 5060
> > Username : 105
> > Codecs : 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263)
> > Codec Order : (g729|g723|gsm|g726|ulaw|alaw|h261|h263)
> > Status : UNKNOWN
> > Useragent :
> > Full Contact : sip:[EMAIL PROTECTED]:5060
> >
> > And this is the output of sip debug peer 105 when I call to *98 (for
> > voice messages):
> >
> > asterisk*CLI> sip debug peer 105
> > SIP Debugging Enabled for IP: 200.93.xxx.xb:5060
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 4 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-67ea7370
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as038653dd
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 4 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call '[EMAIL PROTECTED]'
> >
> > asterisk*CLI>
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 6 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-d386a279
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as5099fa8f
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 6 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call '[EMAIL PROTECTED]'
> > asterisk*CLI>
> >
> >
> > I dial *98 to get into the voice message system:
> >
> > asterisk*CLI>
> >
> > Sip read:
> > ACK sip:[EMAIL PROTECTED] SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-600583f3
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:[EMAIL PROTECTED]>;tag=as65eec750
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 101 ACK
> > Max-Forwards: 70
> > Contact: Guillermo Salas M <sip:[EMAIL PROTECTED]>
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 10 headers, 0 lines
> > asterisk*CLI>
> >
> > Sip read:
> > INVITE sip:[EMAIL PROTECTED] SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:[EMAIL PROTECTED]>
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 102 INVITE
> > Max-Forwards: 70
> > Proxy-Authorization: Digest
> > username="105",realm="asterisk",nonce="47a68adb",uri="sip:[EMAIL PROTECTED]
> > main.n et",algorithm=MD5,response="8e60f592df094f9b852a59544b9da384"
> > Contact: Guillermo Salas M <sip:[EMAIL PROTECTED]>
> > Expires: 240
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 422
> > Content-Type: application/sdp
> >
> > v=0
> > o=- 12384 12384 IN IP4 192.168.0.253
> > s=-
> > c=IN IP4 192.168.0.253
> > t=0 0
> > m=audio 16468 RTP/AVP 4 0 2 8 18 96 97 98 100 101
> > a=rtpmap:4 G723/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:2 G726-32/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:18 G729a/8000
> > a=rtpmap:96 G726-40/8000
> > a=rtpmap:97 G726-24/8000
> > a=rtpmap:98 G726-16/8000
> > a=rtpmap:100 NSE/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-15
> > a=ptime:30
> > a=sendrecv
> >
> > 13 headers, 19 lines
> > Using latest request as basis request
> > Sending to 192.168.0.253 : 5060 (NAT)
> > Found user '105'
> > Found RTP audio format 4
> > Found RTP audio format 0
> > Found RTP audio format 2
> > Found RTP audio format 8
> > Found RTP audio format 18
> > Found RTP audio format 96
> > Found RTP audio format 97
> > Found RTP audio format 98
> > Found RTP audio format 100
> > Found RTP audio format 101
> > Peer audio RTP is at port 192.168.0.253:16468
> > Found description format G723
> > Found description format PCMU
> > Found description format G726-32
> > Found description format PCMA
> > Found description format G729a
> > Found description format G726-40
> > Found description format G726-24
> > Found description format G726-16
> > Found description format NSE
> > Found description format telephone-event
> > Capabilities: us - 0xc011f (g723|gsm|ulaw|alaw|g726|g729|h261|h263), peer - audio=0x51d (g723|ulaw|alaw|g726|g729|ilbc)/video=0x0 (nothing), combined - 0x11d (g723|ulaw|alaw|g726|g729)
> > Non-codec capabilities: us - 0x1 (g723), peer - 0x1 (g723), combined - 0x1 (g723)
> > Looking for *98 in from-internal
> > list_route: hop: <sip:[EMAIL PROTECTED]>
> > Transmitting (NAT):
> > SIP/2.0 100 Trying
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:[EMAIL PROTECTED]>;tag=as58095e00
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 102 INVITE
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact: <sip:[EMAIL PROTECTED]>
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > -- Executing Answer("SIP/105-6408", "") in new stack
> > We're at 200.93.xxx.xa port 12436
> > Video is at 200.93.xxx.xa port 16274
> > Answering with preferred capability 0x100 (g729)
> > Answering with preferred capability 0x1 (g723)
> > Answering with preferred capability 0x2 (gsm)
> > Answering with preferred capability 0x10 (g726)
> > Answering with preferred capability 0x4 (ulaw)
> > Answering with preferred capability 0x8 (alaw)
> > Answering with preferred capability 0x40000 (h261)
> > Answering with preferred capability 0x80000 (h263)
> > Answering with non-codec capability 0x1 (telephone-event)
> > Reliably Transmitting (NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b;received=200.93.xxx.xb;rport=5060
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:[EMAIL PROTECTED]>;tag=as58095e00
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 102 INVITE
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact: <sip:[EMAIL PROTECTED]>
> > Content-Type: application/sdp
> > Content-Length: 340
> >
> > v=0
> > o=root 7393 7393 IN IP4 200.93.xxx.xa
> > s=session
> > c=IN IP4 200.93.xxx.xa
> > t=0 0
> > m=audio 12436 RTP/AVP 18 4 3 2 0 8 101
> > a=rtpmap:18 G729/8000
> > a=rtpmap:4 G723/8000
> > a=rtpmap:3 GSM/8000
> > a=rtpmap:2 G726-32/8000
> > a=rtpmap:0 PCMU/8000
> > a=rtpmap:8 PCMA/8000
> > a=rtpmap:101 telephone-event/8000
> > a=fmtp:101 0-16
> > a=silenceSupp:off - - - -
> >
> > to 200.93.xxx.xb:5060
> > -- Executing Wait("SIP/105-6408", "1") in new stack
> > asterisk*CLI>
> >
> > Sip read:
> > ACK sip:[EMAIL PROTECTED] SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-ec22067b
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:[EMAIL PROTECTED]>;tag=as58095e00
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 102 ACK
> > Max-Forwards: 70
> > Proxy-Authorization: Digest
> > username="105",realm="asterisk",nonce="47a68adb",uri="sip:[EMAIL PROTECTED]
> > main.n et",algorithm=MD5,response="74dd50faa2bb97fdb1a0fe6ce93489de"
> > Contact: Guillermo Salas M <sip:[EMAIL PROTECTED]>
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> >
> > 11 headers, 0 lines
> > -- Executing VoiceMailMain("SIP/105-6408", "default") in new stack
> > -- Playing 'vm-login' (language 'es')
> > asterisk*CLI>
> >
> > Sip read:
> > NOTIFY sip:sip.mydomain.net SIP/2.0
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 9 NOTIFY
> > Max-Forwards: 70
> > Event: keep-alive
> > User-Agent: Sipura/SPA2000-2.0.2
> > Content-Length: 0
> >
> > 10 headers, 0 lines
> > Transmitting (no NAT):
> > SIP/2.0 200 OK
> > Via: SIP/2.0/UDP 192.168.0.253;branch=z9hG4bK-8ecd1b3e
> > From: Guillermo Salas M <sip:[EMAIL PROTECTED]>;tag=4f2df183b116b70c
> > To: <sip:sip.mydomain.net>;tag=as45caf3ff
> > Call-ID: [EMAIL PROTECTED]
> > CSeq: 9 NOTIFY
> > User-Agent: Asterisk PBX
> > Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
> > Contact:
> > Content-Length: 0
> >
> >
> > to 200.93.xxx.xb:5060
> > Destroying call '[EMAIL PROTECTED]'
> > -- No username but # key pressed. Using CID '105'
> > -- Playing 'vm-password' (language 'es')
> > -- Incorrect password '' for user '105' (context = <any>)
> > -- Playing 'vm-incorrect-mailbox' (language 'es')
> > asterisk*CLI>
> >
> > Any hint will be very appreciated,
> >
> >
> > Regards,
> >
> >
> > Guill3rm0
> >
> > _______________________________________________
> > Asterisk-Users mailing list
> > [email protected]
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> > http://lists.digium.com/mailman/listinfo/asterisk-users
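
Added example, not part of the thread and not netfilter code: a simplified model of how a stateful, masquerading gateway classifies the UDP packets of this call, using the SIP port and the two RTP ports (16468 and 12436) from the trace above. The public addresses are constructed stand-ins for the masked ones, and the model assumes the gateway keeps the phone's source port when it rewrites the address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class MasqueradeTracker:
    """Toy model of UDP connection tracking on a source-NAT gateway."""

    def __init__(self, wan_ip):
        self.wan_ip = wan_ip
        # (remote ip, remote port, wan port) -> [lan ip, lan port, reply seen]
        self.flows = {}

    def outbound(self, pkt):
        """LAN -> WAN: create the flow if needed and rewrite the source address."""
        key = (pkt.dst, pkt.dport, pkt.sport)
        flow = self.flows.setdefault(key, [pkt.src, pkt.sport, False])
        state = "ESTABLISHED" if flow[2] else "NEW"
        return state, Packet(self.wan_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """WAN -> LAN: only a reply to a tracked flow can be translated back."""
        flow = self.flows.get((pkt.src, pkt.sport, pkt.dport))
        if flow is None or pkt.dst != self.wan_ip:
            # RELATED would need a helper that reads the SDP and registers the
            # media ports in advance; none is modelled here.
            return "NEW", None
        flow[2] = True
        return "ESTABLISHED", Packet(pkt.src, pkt.sport, flow[0], flow[1])

# Constructed stand-ins for the masked public addresses in the trace.
ASTERISK, WAN, PHONE = "198.51.100.10", "203.0.113.20", "192.168.0.253"

def run_trace_scenario():
    """Replay the signalling and media ports seen in the SIP debug output."""
    fw = MasqueradeTracker(WAN)
    steps = [
        ("sip out", fw.outbound, Packet(PHONE, 5060, ASTERISK, 5060)),
        ("sip reply", fw.inbound, Packet(ASTERISK, 5060, WAN, 5060)),
        ("rtp in, before phone sends", fw.inbound, Packet(ASTERISK, 12436, WAN, 16468)),
        ("rtp out", fw.outbound, Packet(PHONE, 16468, ASTERISK, 12436)),
        ("rtp in, after phone sends", fw.inbound, Packet(ASTERISK, 12436, WAN, 16468)),
    ]
    return [(name, *handler(pkt)) for name, handler, pkt in steps]

if __name__ == "__main__":
    for name, state, translated in run_trace_scenario():
        print(f"{name:28} {state:12} -> {translated}")
```

Media from the Asterisk side reaches the phone only once the phone's own RTP has created the flow; until then the gateway has no entry to translate the packet against.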
