FWIW to turn off the sip rewriting code (if it's loaded):

rmmod nf_nat_sip
rmmod nf_conntrack_sip

You can check if it's loaded with 'lsmod | grep sip'.

Depending on what platform you're on and what software is installed wrt the 
platform being a 'firewall' the instructions for disabling the SIP nat ALG 
permanently vary. I would assume that no firewall code is turned on by default 
in the stock 4.0.4 ISO install (I don't have one running to look right now), in 
any case you can tell if the modules are loaded with the 'lsmod' command.

-Eric

On Feb 2, 2010, at 11:48 PM, Josh Patten wrote:

> Right, didn't think about using the ITSP address instead of the Cisco gateway 
> address. I guess I'm just used to working with PSTN gateways. Thanks for 
> catching that one.
> 
> Also wasn't aware of conntrack. Shows how much I work with iptables.
> 
> Try that same rule I posted earlier except use the address of your ITSP 
> instead of the cisco router. I've never tried to put a redirect in the INPUT 
> chain but I suppose it doesn't hurt to try it that way. You may also need to 
> do source port redirection as Mr. Varsanyi has indicated, if the ITSP is 
> expecting SIP traffic from port 5060. I'm sure their SIP server will let you 
> know if this is the case by either ignoring your SIP traffic or giving you 
> nasty errors.
> 
> If you can't get the ITSP to divulge the IP address(es) of their servers then 
> I think your luck has run out. I agree that you should seize any opportunity 
> to find a new ITSP if ever possible, even if you manage to get this working.
> 
> Eric Varsanyi wrote:
>> 
>> FWIW using NAT rules in iptables is not exactly 'turning on the firewall', 
>> but you should be careful to unload the SIP NAT modules.
>> 
>> The other problem is I'd think you'd want that example rule below to apply 
>> to the ip of your ITSP (the -s field) rather than your cisco, the source 
>> address of SIP traffic won't be from your local router.
>> 
>> I'd also probably use the INPUT chain rather than the PREROUTING chain since 
>> this is ON the box, but they are both in the inbound path and you are not 
>> using this as a router so it really doesn't matter in this case. If the ITSP 
>> cares about your source address being 5060 you'll also need an SNAT rule as 
>> the first packet may be from you to them and thus there won't be a conntrack 
>> entry for the outbound traffic.
>> 
>> I wouldn't recommend this as an 'easy' way to get this done, but if you read 
>> up on how iptables works, don't turn on the 'firewall' aspects (filtering), 
>> and be careful about the conntrack helper modules that are loaded (what 
>> folks here like to refer to as an ALG) you should be able to make it work. 
>> The most likely subtle failure to debug would be affecting traffic 
>> internal to the box (sipXecs likes to bind internal connections to the 
>> external IP addresses rather than use localhost).
>> 
>> If you can't keep the nat rule from messing with internal traffic (or you 
>> can't know the source IP address the ITSP will use) you could also add a 2nd 
>> IP address alias to the interface and do the natting on that (changing the 
>> IP address as well, and this time in the prerouting table). SipXecs seems 
>> pretty oblivious to additional interfaces that are not called 'eth0' from my 
>> internal testing (eth0 is hardcoded in several places) so this might work 
>> for you.
>> 
>> -Eric
>> 
>> On Feb 2, 2010, at 9:30 PM, Hiral Patel wrote:
>> 
>>   
>>> Hi Tony,
>>> 
>>> Why would you not recommend enabling a firewall on sipX, is this not a
>>> supported configuration by sipX?
>>> 
>>> Regards,
>>> 
>>> Hiral Patel, Operations Manager
>>> 
>>> OnRelay
>>> Elizabeth House | 39 York Road, London SE1 7NQ, UK |  +44 (0)
>>> 2079028138| [email protected] | www.onrelay.com | 
>>> 
>>> This electronic message transmission contains information from OnRelay,
>>> Ltd., that may be confidential or privileged. The information is
>>> intended solely for the recipient and use by any other party is not
>>> authorised. If you are not the intended recipient, be aware that any
>>> disclosure, copying, distribution or use of the contents of this
>>> information or any attachment, is prohibited. If you have received this
>>> electronic transmission in error, please notify us immediately by
>>> electronic mail ([email protected]) and delete this message, along with
>>> any attachments, from your computer. Registered in England No 04006093 |
>>> Registered Office 1st Floor, 236 Gray's Inn Road, London WC1X 8HL
>>> 
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: Tony Graziano [mailto:[email protected]] 
>>> Sent: 03 February 2010 13:47
>>> To: [email protected]
>>> Cc: Hiral Patel; [email protected]
>>> Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>> I would not turn a firewall on in sipx.
>>> ============================
>>> Tony Graziano, Manager
>>> Telephone: 434.984.8430
>>> Fax: 434.984.8431
>>> 
>>> Email: [email protected]
>>> 
>>> LAN/Telephony/Security and Control Systems Helpdesk:
>>> Telephone: 434.984.8426
>>> Fax: 434.984.8427
>>> 
>>> Helpdesk Contract Customers:
>>> http://www.myitdepartment.net/gethelp/
>>> 
>>> ----- Original Message -----
>>> From: Josh Patten <[email protected]>
>>> To: Tony Graziano <[email protected]>
>>> Cc: [email protected] <[email protected]>;
>>> [email protected] <[email protected]>
>>> Sent: Tue Feb 02 21:44:29 2010
>>> Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>> I don't know how well that iptables scenario will work with remote workers.
>>> Do your remote workers come in on the same Cisco router as your SIP trunk(s)?
>>> 
>>> Josh Patten wrote:
>>> 
>>>     You could probably use iptables (should already be installed on your sipX
>>>     box) to accomplish this. Use webmin (http://www.webmin.com download and
>>>     install the RPM) to set up iptables (networking->linux firewall->allow all
>>>     traffic) and then try adding/replacing the following lines to the top of
>>>     your /etc/sysconfig/iptables file:
>>> 
>>> ________________________________
>>> 
>>>     *nat
>>>     :OUTPUT ACCEPT [0:0]
>>>     :PREROUTING ACCEPT [0:0]
>>>     :POSTROUTING ACCEPT [0:0]
>>>     -A PREROUTING -p udp -m udp -s ip.addr.of.cisco --dport 5060 -j REDIRECT --to-ports 5080
>>>     COMMIT
>>> 
>>> ________________________________
>>> 
>>>     where ip.addr.of.cisco is the IP address of your cisco device
>>> 
>>>     and restart iptables by running service iptables restart
>>>     to make sure this survives a restart, run chkconfig iptables on
>>> 
>>>     Tony Graziano wrote:
>>> 
>>>             Additionally the alg on the cisco might cause an issue. Again, I
>>>             don't think you can get there from here.
>>> 
>>>             ----- Original Message -----
>>>             From: [email protected]
>>>             To: Hiral Patel <[email protected]>; [email protected];
>>>             Tony Graziano <[email protected]>; [email protected]
>>>             Cc: Dwayne Kee <[email protected]>; Gabor Paller <[email protected]>;
>>>             [email protected]
>>>             Sent: Tue Feb 02 20:57:01 2010
>>>             Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             That is outside of my skill set, but I was advised against
>>>             attempting something similar when I ran into the issue. We
>>>             translate 5060 to 5080 on traffic from the Verizon SBC. That has
>>>             worked fine for us. They were not able to alter the port for a
>>>             particular customer either.
>>>             Sent via BlackBerry from T-Mobile
>>> 
>>>             -----Original Message-----
>>>             From: "Hiral Patel" <[email protected]>
>>>             Date: Wed, 3 Feb 2010 01:46:12
>>>             To: <[email protected]>; <[email protected]>;
>>>             Tony Graziano <[email protected]>; <[email protected]>
>>>             Cc: Dwayne Kee <[email protected]>; Gabor Paller <[email protected]>;
>>>             <[email protected]>
>>>             Subject: RE: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             Thanks for your input, and that is my option two - the Cisco
>>>             router which terminates the SIP trunk has a feature called ALG
>>>             (application level gateway) running to handle NAT from LAN to
>>>             WAN. I don't want to break that, I may test this and see what
>>>             happens.
>>> 
>>>             Do you know if my original suggestion will work? If not why?
>>> 
>>>             Hiral Patel, Operations Manager
>>> 
>>>             -----Original Message-----
>>>             From: [email protected] [mailto:[email protected]]
>>>             Sent: 03 February 2010 12:42
>>>             To: Hiral Patel; [email protected]; Tony Graziano;
>>>             [email protected]
>>>             Cc: Dwayne Kee; Gabor Paller; [email protected]
>>>             Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             If you have control of the LAN, can you add a router that can do
>>>             a port translation? I had a similar issue.
>>> 
>>>             Sent via BlackBerry from T-Mobile
>>> 
>>>             -----Original Message-----
>>>             From: "Hiral Patel" <[email protected]>
>>>             Date: Wed, 3 Feb 2010 01:37:16
>>>             To: Tony Graziano <[email protected]>; <[email protected]>
>>>             Cc: Dwayne Kee <[email protected]>; Gabor Paller <[email protected]>;
>>>             <[email protected]>
>>>             Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             Hey Tony,
>>> 
>>>             Thanks for replying so fast, I can not get a new ITSP
>>>             unfortunately so I have to find a solution!
>>> 
>>>             I should have mentioned that the SIP trunk I have is a dedicated
>>>             WAN link into the Tier 1 Operator network; the network side is
>>>             connected to an Acme Packet SBC (it's like a standard product they
>>>             have, so they are not able to make a configuration change without
>>>             months of planning and risk analysis). And sending port is
>>>             definitely a no no anyway!
>>> 
>>>             I have full control over the LAN but the problem is I can not
>>>             change the incoming port from the trunk as mentioned, I would
>>>             like to understand why my proposed solution will not work, can
>>>             you please help with that?
>>> 
>>>             On paper it seems very straight forward, so from your input I
>>>             will adjust my design systematically until I come to the perfect
>>>             solution which fits my requirements.
>>> 
>>>             Regards,
>>> 
>>>             Hiral Patel, Operations Manager
>>> 
>>>             -----Original Message-----
>>>             From: Tony Graziano [mailto:[email protected]]
>>>             Sent: 03 February 2010 12:22
>>>             To: Hiral Patel; [email protected]
>>>             Cc: Dwayne Kee; Gabor Paller; [email protected]
>>>             Subject: Re: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             Your best option is to get a new itsp. Then use a real firewall,
>>>             your hands are REALLY tied.
>>> 
>>>             You would have to run 2 instances of sipxbridge with 2 different
>>>             public ip addresses (one for remote users, the other for
>>>             trunking). Since that means firewall changes you can't make, you
>>>             are STUCK.
>>> 
>>>             Fire the ITSP, then the incapable firewall manager and get REAL
>>>             replacements.
>>> 
>>>             Plainly said, you can't get there from here. Good luck.
>>> 
>>>             ----- Original Message -----
>>>             From: [email protected]
>>>             To: M. Ranganathan <[email protected]>
>>>             Cc: Dwayne Kee <[email protected]>; Gabor Paller <[email protected]>;
>>>             [email protected]
>>>             Sent: Tue Feb 02 20:16:01 2010
>>>             Subject: [sipx-users] SipXbridge 5060 and sipXpbx 5060 how?
>>> 
>>>             Hello All,
>>> 
>>>             Purpose:
>>> 
>>>             Need to enable SipXecs bridge to solve lack of REFER support on
>>>             SIP trunk.
>>> 
>>>             Problem:
>>> 
>>>             1. SIP trunk provider has very strict rules about changing any
>>>             configuration on any component that they manage. The SIP trunk
>>>             comes with a Cisco 2801 router which is managed by the Operator
>>>             and the port they signal on is 5060, this is a problem because
>>>             all requests from the trunk are bypassing SipXecs bridge which
>>>             listens on port 5080 therefore REFER can not be influenced.
>>> 
>>>             2. SIP trunk Operator will not change port on trunk
>>>             3. SIP trunk Operator will not change config on Router, so I can
>>>             not do any NAT as recommended here:
>>>             http://sipx-wiki.calivia.com/index.php/SIP_Trunking_with_sipXecs:_Overview_and_Configuration#2._Configure_SipXbridge
>>> 
>>>             4. Do not want to change SipXecs internal port to some else,
>>>             sounds dangerous and messy
>>>             5. Do not want to try another sip trunk provider
>>> 
>>>             My solution to the problem: (please provide feedback and answer
>>>             my question below)
>>> 
>>>             1. Configure two physical sipX components
>>>             (a) sipXbridge(only) IP Add: 192.168.0.1 Port 5060
>>>             (b) sipXpbx(proxy) IP add: 192.168.0.99 port 5060
>>> 
>>>             2. Configure (b) sipXpbx with provider gateway address
>>>             123.123.123.234
>>>             3. Configure (b) sipXpbx with route under gateway config to
>>>             SipXbridge(a)IP add: 192.168.0.1
>>>             4. Configure SipXbridge (a) to receive/send signalling from
>>>             provider gateway and pass to/from (b) sipXpbx
>>> 
>>>             Questions:
>>> 
>>>             1. Will this solve my problems?
>>>             2. is my suggestion possible?
>>>             3. if so, how do I configure sipXbridge?
>>>             4. if so, are there any draw backs that you are aware of by
>>>             implementing this design?
>>> 
>>>             Your help would be much appreciated.
>>> 
>>>             Regards
>>> 
>>>             Hiral Patel, Operations Manager
>>> 
>>>             -----Original Message-----
>>>             From: M. Ranganathan [mailto:[email protected]]
>>>             Sent: 27 January 2010 05:20
>>>             To: Hiral Patel
>>>             Cc: [email protected]
>>>             Subject: Re: [sipx-users] How to map external 5060 to internal 5080
>>> 
>>>             On Tue, Jan 26, 2010 at 12:41 PM, Hiral Patel <[email protected]> wrote:
>>> 
>>>                     My SipXecs PBX is connected an unauthenticated sip trunk
>>>                     for which I need to enable SipXecs bridge to be able to
>>>                     work around the lack of REFER support on the sip trunk.
>>> 
>>>                     The sip trunk sends to sipX on port 5060 therefore any
>>>                     incoming dialogue bypasses sipXbridge and hence outgoing
>>>                     signalling also are bypassing sipXbridge for the same
>>>                     dialogue.
>>> 
>>>                     What I would like to know is if it is possible to
>>>                     re-configure sipX so that sipXbridge listens on 5060 and
>>>                     sipX listens on 5080?
>>> 
>>>             No you should not configure it this way. You should configure it
>>>             as follows:
>>> 
>>>             1. Allow sipx proxy server to continue to listen on port 5060.
>>>             2. Allow sipxbridge to continue to listen on port 5080 (both of
>>>             these are defaults).
>>> 
>>>             3. Set the public port in the sipxbridge configuration page to
>>>             port 5060. See
>>>             http://sipx-wiki.calivia.com/index.php/SIP_Trunking_with_sipXecs:_Overview_and_Configuration#2._Configure_SipXbridge
>>> 
>>>             4. Map your NAT to send WAN packets arriving at 5060 to port 5080
>>>             on the host where sipxbridge is configured and vice versa.
>>> 
>>>             Ranga
>>> 
>>>                     I understand there is a way to map external 5060 to
>>>                     internal 5080, but I am not sure how to do this, can
>>>                     anyone help?
>>> 
>>>                     Also, if the above is possible does it have any
>>>                     implications e.g. Ranga mentioned that remote worker
>>>                     may be affected?
>>> 
>>>                     Regards,
>>> 
>>>                     Hiral Patel,
>>> 
>>>                     OnRelay
>>> 
>>>                     _______________________________________________
>>>                     sipx-users mailing list
>>> [email protected]
>>>                     List Archive:
>>> http://list.sipfoundry.org/archive/sipx-users
>>>                     Unsubscribe:
>>> http://list.sipfoundry.org/mailman/listinfo/sipx-users
>>>                     sipXecs IP PBX -- http://www.sipfoundry.org/
>> 
> 
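
The module check and the source-scoped redirect discussed in this thread, as an added example that is not part of the original messages or of sipXecs. The function names, the constructed lsmod sample, the documentation addresses 203.0.113.10 and 192.0.2.5, and the exact form of the optional SNAT rule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Constructed sample in lsmod's format (module, size, use count, users).
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_sip       33000  1 nf_nat_sip
nf_nat_sip             16000  0
nf_nat                 24000  2 nf_nat_sip,iptable_nat
nf_conntrack           80000  4 nf_conntrack_sip,nf_nat_sip,nf_nat,iptable_nat'

# Read lsmod-format text on stdin and print the SIP helper modules that are
# loaded, in unload order: nf_nat_sip uses nf_conntrack_sip, so it goes first.
sip_helpers_loaded() {
    awk '$1 == "nf_nat_sip" { nat = 1 }
         $1 == "nf_conntrack_sip" { ct = 1 }
         END { if (nat) print "nf_nat_sip"; if (ct) print "nf_conntrack_sip" }'
}

# Succeed only for a single dotted-quad IPv4 address, so a placeholder such as
# ip.addr.of.cisco or extra rule text never reaches the rules file.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print a nat-table fragment in iptables-restore format.
#   $1  ITSP signalling address (the source of inbound trunk traffic)
#   $2  optional local address; adds an SNAT rule (assumed form) so packets
#       leaving sipXbridge (5080) for the ITSP appear to come from port 5060
render_nat_rules() {
    is_ipv4 "$1" || { echo "bad ITSP address: $1" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        is_ipv4 "$2" || { echo "bad local address: $2" >&2; return 1; }
    fi
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Match the ITSP source only, so other traffic to 5060 still reaches the proxy.
    printf '%s\n' "-A PREROUTING -s $1 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5080"
    if [ -n "${2:-}" ]; then
        printf '%s\n' "-A POSTROUTING -d $1 -p udp -m udp --sport 5080 -j SNAT --to-source $2:5060"
    fi
    printf '%s\n' 'COMMIT'
}

# Demo on the constructed sample; on a live host feed it `lsmod` instead and
# run rmmod (as root) on each name printed, in the order printed.
printf '%s\n' "$SAMPLE_LSMOD" | sip_helpers_loaded
render_nat_rules 203.0.113.10 192.0.2.5
```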
