Kenneth Burgener wrote:
> Shane Hathaway wrote:
>> iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -d '!' 10.10.10.0/24 -j
>> MASQUERADE
>
> I have configured the machine to use masquerading, since the Comcast IP
> address is dynamic, and all of my internal machines can access the
> Internet, so I think I am good on this step.

SNAT is still probably best for you. Comcast's IP addresses rarely change
unless you reboot, so a simple script to set the SNAT line with your
current IP address is going to work just fine. I have my firewall using
SNAT on Comcast and haven't had problems in years, other than Comcast
deciding that I don't really need to go to Google.

>> Once you've done that, machines on your LAN should be able to contact
>> the Internet through your firewall. At the same time, assuming you have
>> no other rules, no Internet machine should have the ability to initiate
>> a connection with a machine in your LAN (unless someone at your ISP
>> spoofs a 10.10.10.x destination address).
>
> Check.
>
>> 2. If you can not reconfigure your SIP ATA, the ATA is probably
>> registering with your upstream provider using an internal IP address
>> rather than the external IP address. You need the conntrack_sip module
>> to make your router edit the SIP stream.
>
> lsmod shows a "conntrack_sip" loaded, so I assume it somehow magically
> detects SIP traffic, or is there something more I need for the
> configuration?
>
>> 3. You should only use DNAT rules if you want to run Internet servers.
>> If you have a web server at address 10.10.10.2, the DNAT rule might look
>> like:
>
> Check.
>
>> iptables -t nat -A PREROUTING -p tcp -d x.x.x.x --destination-port 80 -j
>> DNAT --to-destination 10.10.10.2
>>
>> DNAT is appropriate for running an Asterisk server, but is not normally
>> required for a SIP phone.
>>
>> Shane
>
> This is basically the thought process I have gone through trying to
> figure out why this setup is not working, which is why I am frustrated
> that it is not working, as everything appears to be configured as needed.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

-- 
Michael Torrie
Assistant CSR, System Administrator
Chemistry and Biochemistry Department
Brigham Young University
Provo, UT 84602
+1.801.422.5771
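The "simple script to set the SNAT line with your current IP address" that Michael describes, written out as an added example (this is not code from the thread or from any of its participants). It assumes a WAN interface named eth0, the 10.10.10.0/24 LAN used earlier in the thread, and a private nat chain called dyn-snat so the rule can be flushed and re-installed on every run without disturbing the rest of the nat table; all three names are hypothetical and configurable through environment variables. The address is read from `ip -4 addr show`, and DRY_RUN=1 prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: replace MASQUERADE with an SNAT rule that is refreshed to
# the WAN interface's current address. Run it from cron or from a DHCP
# client hook; it is idempotent, so running it repeatedly is harmless.
# Assumed (hypothetical) values: WAN interface eth0, LAN 10.10.10.0/24,
# private nat chain "dyn-snat".

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
CHAIN="${CHAIN:-dyn-snat}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print iptables commands instead of running them

# Pull the first IPv4 address out of `ip -4 addr show dev <if>` output.
# Reads stdin so it can be exercised on a captured sample without `ip`.
parse_wan_ip() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

current_wan_ip() {
    ip -4 addr show dev "$WAN_IF" | parse_wan_ip
}

# Run iptables, or echo the command line when DRY_RUN=1.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# The rule itself: LAN traffic that is not headed back into the LAN and
# leaves via the WAN interface gets its source rewritten to the WAN address.
snat_rule_args() {
    echo "-t nat -A $CHAIN -s $LAN_NET ! -d $LAN_NET -o $WAN_IF -j SNAT --to-source $1"
}

# Create the private chain once and hook it into POSTROUTING once; the
# -C check keeps a second run from adding a duplicate jump.
ensure_chain() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables -t nat -N $CHAIN"
        echo "iptables -t nat -A POSTROUTING -j $CHAIN"
        return 0
    fi
    iptables -t nat -N "$CHAIN" 2>/dev/null || true
    iptables -t nat -C POSTROUTING -j "$CHAIN" 2>/dev/null \
        || iptables -t nat -A POSTROUTING -j "$CHAIN"
}

# Flush the private chain and install a single SNAT rule for $1.
# Refuses to run with an empty or non-IPv4 address, which is what you get
# while the DHCP lease is still being negotiated.
refresh_snat() {
    addr="$1"
    case "$addr" in
        *.*.*.*) ;;
        *) echo "refresh_snat: no IPv4 address on $WAN_IF" >&2; return 1 ;;
    esac
    ensure_chain
    run_ipt -t nat -F "$CHAIN"
    # shellcheck disable=SC2046  # word splitting of the rule is intended
    run_ipt $(snat_rule_args "$addr")
}

# Invoke as `sh snat-refresh.sh apply`; sourcing the file defines the
# functions only.
if [ "${1:-}" = "apply" ]; then
    refresh_snat "$(current_wan_ip)"
fi
```

Because the rule lives in its own chain, a new lease only ever replaces that one rule; the POSTROUTING jump and any other nat rules are left alone, and a run that happens before the interface has an address exits non-zero instead of flushing the chain and leaving the LAN without NAT.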
