Re: [asterisk-users] iptables for SIP talk to other port

2016-10-16 Thread Pete Mundy

Jerry has already clarified in a previous reply that he is running SIP over 
TCP, not UDP.

But he hasn't clarified on which machine he is applying the iptables header 
rewrite rules (10.201, or 1.3?).

Either way though, it seems like a kludgy work-around. IMO, it'd be better to 
focus on creating the correct Asterisk peer configuration for the peer that is 
operating on the non-standard separate port, and don't use any packet-header 
mangling at all.

Jerry, can you post your configuration for the peer in Asterisk? (eg from 
sip.conf)

Pete


> On 17/10/2016, at 12:27 pm, Duncan wrote:
> 
> 
> Don't you want udp rather than tcp?
> 
> Have a look at the iptables stats to see if any packets are hitting your 
> rule. 
> Also I think the source port from your host will be 5068 so your replies will 
> be to the right port but you can double check
> 
> tcpdump is also very useful here
> 
> sudo tcpdump -i eth0 -n udp and host 192.168.1.3 should show you packets 
> between your machine and your odd host
> Cheers Duncan
> 
> On 17/10/16 11:55, Mike wrote:
>> 
>> I'm by no means an iptables guru... 
>> 
>> Not sure if it's necessary to enable forwarding via: 
>> echo "1" > /proc/sys/net/ipv4/ip_forward 
>> 
>> Also have you tried without the "POSTROUTING" rule? 
>> 
>> I seem to recall that "iptables" is smart enough to correctly route packets 
>> back out without that rule. 
>> 
>> 
>> On Sat, 15 Oct 2016, Jerry Geis wrote: 
>> 
>>> I have a host 192.168.1.3 that wants to run SIP on 5068 (long story). My
>>> host is 192.168.10.201.
>>> My host needs to stay on 5060 because of all the other devices I have 
>>> connected. 
>>> 
>>> I tried putting port=5068 in my SIP extension definition but that did not 
>>> work. 
>>> 
>>> So I thought about using iptables to accomplish this: 
>>> 
>>> iptables -t nat -A PREROUTING  -p tcp --dport 5068 -j REDIRECT --to-port 5060
>>> iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.1.3 -j REDIRECT --to-port 5068
>>> 
>>> 
>>> Do I not have the right format of the command? 
>>> Anything incoming destined for 5068 redirect to 5060... 
>>> Anything going out to 192.168.1.3 and port 5060 redirect to 5068. 
>>> 
>>> Seems like that should have worked? 
>>> 
>>> Thoughts?  sip show peers still says unreachable. 
>>> 
>>> Thanks, 
>>> 
>>> Jerry 


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Join the Asterisk Community at the 13th AstriCon, September 27-29, 2016
  http://www.asterisk.org/community/astricon-user-conference

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] iptables for SIP talk to other port

2016-10-16 Thread Duncan

Don't you want udp rather than tcp?

Have a look at the iptables stats to see if any packets are hitting your 
rule.
Also I think the source port from your host will be 5068 so your replies 
will be to the right port but you can double check


tcpdump is also very useful here

sudo tcpdump -i eth0 -n udp and host 192.168.1.3 should show you packets 
between your machine and your odd host


Cheers Duncan


On 17/10/16 11:55, Mike wrote:
>
> I'm by no means an iptables guru...
>
> Not sure if it's necessary to enable forwarding via:
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> Also have you tried without the "POSTROUTING" rule?
>
> I seem to recall that "iptables" is smart enough to correctly route
> packets back out without that rule.
>
> On Sat, 15 Oct 2016, Jerry Geis wrote:
>
>> I have a host 192.168.1.3 that wants to run SIP on 5068 (long
>> story). My host is 192.168.10.201.
>> My host needs to stay on 5060 because of all the other devices I have
>> connected.
>>
>> I tried putting port=5068 in my SIP extension definition but that did
>> not work.
>>
>> So I thought about using iptables to accomplish this:
>>
>> iptables -t nat -A PREROUTING  -p tcp --dport 5068 -j REDIRECT --to-port 5060
>> iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.1.3 -j REDIRECT --to-port 5068
>>
>> Do I not have the right format of the command?
>> Anything incoming destined for 5068 redirect to 5060...
>> Anything going out to 192.168.1.3 and port 5060 redirect to 5068.
>>
>> Seems like that should have worked?
>>
>> Thoughts?  sip show peers still says unreachable.
>>
>> Thanks,
>>
>> Jerry

Re: [asterisk-users] iptables for SIP talk to other port

2016-10-16 Thread Mike


I'm by no means an iptables guru...

Not sure if it's necessary to enable forwarding via:
echo "1" > /proc/sys/net/ipv4/ip_forward

Also have you tried without the "POSTROUTING" rule?

I seem to recall that "iptables" is smart enough to correctly route 
packets back out without that rule.



On Sat, 15 Oct 2016, Jerry Geis wrote:

> I have a host 192.168.1.3 that wants to run SIP on 5068 (long story). My host is
> 192.168.10.201.
> My host needs to stay on 5060 because of all the other devices I have connected.
>
> I tried putting port=5068 in my SIP extension definition but that did not work.
>
> So I thought about using iptables to accomplish this:
>
> iptables -t nat -A PREROUTING  -p tcp --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.1.3 -j REDIRECT --to-port 5068
>
> Do I not have the right format of the command?
> Anything incoming destined for 5068 redirect to 5060...
> Anything going out to 192.168.1.3 and port 5060 redirect to 5068.
>
> Seems like that should have worked?
>
> Thoughts?  sip show peers still says unreachable.
>
> Thanks,
>
> Jerry
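
Added example (not part of any message in this thread, and not the posters' code): a small shell lint showing why the POSTROUTING rule from the original question is rejected, since the REDIRECT target is only accepted in the nat table's PREROUTING and OUTPUT chains, followed by rules that match the stated intent. The function names and the APPLY switch are hypothetical; the addresses and ports are those given in the question.

```shell
# Added example, not from the thread. Addresses and ports are taken from the
# question: Asterisk listens on TCP 5060, the peer 192.168.1.3 on TCP 5068.
PEER=192.168.1.3

# nat-table built-in chains that accept each target (iptables-extensions(8)).
chains_for_target() {
    case "$1" in
        REDIRECT|DNAT) echo "PREROUTING OUTPUT" ;;
        SNAT)          echo "POSTROUTING INPUT" ;;
        MASQUERADE)    echo "POSTROUTING" ;;
    esac
}

# lint_rule "<iptables arguments>": prints "ok" or why the rule is rejected.
lint_rule() {
    chain=NONE target=NONE prev=
    for word in $1; do
        case "$prev" in
            -A|-I) chain=$word ;;
            -j)    target=$word ;;
        esac
        prev=$word
    done
    allowed=$(chains_for_target "$target")
    case " $allowed " in
        *" $chain "*) echo "ok" ;;
        *) echo "invalid: $target is not accepted in $chain (allowed: ${allowed:-unknown target})" ;;
    esac
}

# Rules matching the stated intent; meant for the Asterisk host (192.168.10.201).
corrected_rules() {
    # Peer connects to us on 5068: hand the connection to the local listener on 5060.
    echo "-t nat -A PREROUTING -p tcp -s $PEER --dport 5068 -j REDIRECT --to-ports 5060"
    # Asterisk connects out to the peer on 5060: rewrite the destination port to 5068.
    echo "-t nat -A OUTPUT -p tcp -d $PEER --dport 5060 -j DNAT --to-destination $PEER:5068"
}

# Dry run by default: print the commands; set APPLY=1 (as root) to install them.
main() {
    echo "original rule 2: $(lint_rule "-t nat -A POSTROUTING -p tcp --dport 5060 -d $PEER -j REDIRECT --to-port 5068")"
    corrected_rules | while read -r rule; do
        echo "iptables $rule   # $(lint_rule "$rule")"
        if [ "${APPLY:-0}" = 1 ]; then iptables $rule; fi
    done
    # Per-rule packet counters show whether traffic is hitting the rules.
    echo "check: iptables -t nat -L -n -v"
}
main "$@"
```

Since the thread establishes that this trunk runs over TCP, a capture to confirm the rewrite would filter on tcp and host 192.168.1.3 rather than udp.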


Re: [asterisk-users] iptables for SIP talk to other port

2016-10-15 Thread Jerry Geis
>
> You're correct. I forgot to mention that the other end IS using tcp.

So I have in my SIP trunk.
transport=tcp

So correct, my iptables line was specifying "-p tcp".

I also set tcpenable=yes in sip.conf

Thanks.

Jerry

Re: [asterisk-users] iptables for SIP talk to other port

2016-10-15 Thread Adam
You're redirecting tcp, sip defaults to udp.
-- 
Sent from my cellphone.



Re: [asterisk-users] iptables for SIP talk to other port

2016-10-15 Thread Administrator TOOTAI

On 15/10/2016 at 18:17, Jerry Geis wrote:

> I have a host 192.168.1.3 that wants to run SIP on 5068 (long story).
> My host is 192.168.10.201.
> My host needs to stay on 5060 because of all the other devices I have
> connected.
>
> I tried putting port=5068 in my SIP extension definition but that did
> not work.
>
> So I thought about using iptables to accomplish this:
>
> iptables -t nat -A PREROUTING  -p tcp --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.1.3 -j REDIRECT --to-port 5068
>
> Do I not have the right format of the command?
> Anything incoming destined for 5068 redirect to 5060...
> Anything going out to 192.168.1.3 and port 5060 redirect to 5068.
>
> Seems like that should have worked?
>
> Thoughts?  sip show peers still says unreachable.


Generally SIP is UDP not TCP. Did you modify your asterisk.conf to TCP?

--
Daniel
