On Sat, 27 Oct 2007 at 15:18 -0600, Kenneth Burgener wrote:
> As I mentioned I am fronting iptables with shorewall (to make the
> configuration easier).

There's your first mistake. I'm in the minority I think, but IMHO shorewall and friends are more trouble than they're worth. This problem serves as a case in point. I know iptables well enough to build a firewall from scratch, including NAT (at least I used to), but I could never figure out shorewall. The one thing I did figure out was that I was sure glad I had never used it before.

> I know the first point that will be made is the cause of the problem is
> the NAT. Well of course it is, but how come the NAT configuration with
> the Linksys router worked, and the Linux firewall doesn't?

That all depends on why it doesn't work with shorewall. I suspect the answer will be either because now you're blocking something that wasn't being blocked by the Linksys, or the new one doesn't have some enabling passthrough kind of feature that the old one did.

> 2. If I dial out from my home phone to my cell phone I can hear audio
> from my cell phone on the home phone speaker, but not the other way.

Can you determine whether the session tears down properly when you hang up the cell phone? I'm not sure if there's a way to glean this information from the handset or the Sipura, but if nothing else you could watch the packets with wireshark. If the teardown is working fine, then you have a clear pathway both ways for SIP, but RTP going out is being blocked. It's hard to tell for sure; it takes methodical and logical debugging and a knowledge of how SIP and RTP work. I encourage you to resist the urge to stab in the dark here! I've been there, I know.

> I attempted to add the following rules to see if
> that would improve the situation, as I saw this mentioned on some
> article found by google:

Do you know what these are doing? It's not obvious to me (one of the reasons I don't like shorewall), and I don't want to kill any brain cells trying to figure it out. Did the way things are NAT'ed change at all, at a high level? (Obviously they changed at the low level.)

Another thing to look at is the NAT settings on the Sipura. Is it using STUN? Is that what's breaking now?

-- 
Hans Fugal ; http://hans.fugal.net

There's nothing remarkable about it. All one has to do is hit the right keys at the right time and the instrument plays itself.
    -- Johann Sebastian Bach
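One way to check the two things this reply asks about (does the BYE actually get answered, and does the SDP advertise an RFC 1918 address that NAT without STUN would leave unreachable), as an added example that is not from the original thread or any of its participants. It assumes the SIP messages have already been pulled out of a capture as text; the dialog below is constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: an SDP c= line carrying one of these from behind a NAT
# is the classic cause of one-way audio when STUN or a SIP ALG is absent.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample dialog (not a capture from the thread): the INVITE from a
# phone behind NAT advertises its LAN address; the far end answers with a
# public address; the call is then torn down with BYE / 200 OK.
SAMPLE_MESSAGES = [
    "INVITE sip:555@provider.example SIP/2.0\r\nCall-ID: abc123@192.168.1.10\r\n\r\n"
    "v=0\r\nc=IN IP4 192.168.1.10\r\nm=audio 16384 RTP/AVP 0\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: abc123@192.168.1.10\r\n\r\n"
    "v=0\r\nc=IN IP4 203.0.113.5\r\nm=audio 20000 RTP/AVP 0\r\n",
    "ACK sip:555@provider.example SIP/2.0\r\nCall-ID: abc123@192.168.1.10\r\n\r\n",
    "BYE sip:555@provider.example SIP/2.0\r\nCall-ID: abc123@192.168.1.10\r\n\r\n",
    "SIP/2.0 200 OK\r\nCall-ID: abc123@192.168.1.10\r\n\r\n",
]

def parse_message(raw):
    """Return (method or status code, Call-ID, SDP address, RTP port) for one message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    first = lines[0].split()
    kind = first[1] if first[0] == "SIP/2.0" else first[0]   # "200" or "INVITE"
    call_id = next(l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("call-id:"))
    addr = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    port = re.search(r"^m=audio (\d+)", body, re.M)
    return kind, call_id, addr and addr.group(1), port and int(port.group(1))

def teardown_ok(kinds):
    """True when the BYE request was answered with a 200 response."""
    if "BYE" not in kinds:
        return False
    i = kinds.index("BYE")
    return i + 1 < len(kinds) and kinds[i + 1] == "200"

def diagnose(messages):
    """Per Call-ID: private SDP addresses seen, and whether teardown completed."""
    dialogs = {}
    for raw in messages:
        kind, call_id, addr, port = parse_message(raw)
        d = dialogs.setdefault(call_id, {"kinds": [], "private_sdp": []})
        d["kinds"].append(kind)
        if addr and any(ipaddress.ip_address(addr) in net for net in RFC1918):
            d["private_sdp"].append((kind, addr, port))
    return {cid: {"private_sdp": d["private_sdp"], "teardown_ok": teardown_ok(d["kinds"])}
            for cid, d in dialogs.items()}
```

A dialog whose teardown completes but whose INVITE carries a LAN address points at the Sipura's NAT/STUN settings rather than at the firewall's SIP handling; a BYE that never gets its 200 points back at signalling.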
