Shane Hathaway wrote: > iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d '!' 10.10.10.0/24 -j > MASQUERADE
I have configured the machine to use masquerading, since the comcast IP address is dynamic, and all of my internal machines can access the Internet, so I think I am good on this step. > Once you've done that, machines on your LAN should be able to contact > the Internet through your firewall. At the same time, assuming you have > no other rules, no Internet machine should have the ability to initiate > a connection with a machine in your LAN (unless someone at your ISP > spoofs a 10.10.10.x destination address). Check. > 2. If you can not reconfigure your SIP ATA, the ATA is probably > registering with your upstream provider using an internal IP address > rather than the external IP address. You need the conntrack_sip module > to make your router edit the SIP stream. lsmod shows a "conntrack_sip" loaded, so I assume it somehow magically detects SIP traffic, or is there something more I need for the configuration? > 3. You should only use DNAT rules if you want to run Internet servers. > If you have a web server at address 10.10.10.2, the DNAT rule might look > like: Check. > iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j > DNAT --to-destination 10.10.10.2 > > DNAT is appropriate for running an Asterisk server, but is not normally > required for a SIP phone. > > Shane This is basically the thought process I have gone through trying to figure out why this setup is not working, which is why I am frustrated that it is not working, as everything appears to be configured as needed. /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
