On Fri, Mar 19, 2010 at 7:09 AM, Tony Graziano <[email protected]> wrote:

> And you need to ensure internet calling in sipx is disabled.
> ============================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> Fax: 434.984.8431
>
> Email: [email protected]
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> Fax: 434.984.8427
>
> Helpdesk Contract Customers:
> http://www.myitdepartment.net/gethelp/
>
> ----- Original Message -----
> From: [email protected]
> <[email protected]>
> To: Andriy Kucher <[email protected]>; [email protected]
> <[email protected]>
> Sent: Fri Mar 19 06:51:03 2010
> Subject: Re: [sipx-users] sipXecs behind NAT
>
> You want no SIP helpers on either end.
>
> Also, your ports that need to be open and mapped back in to PBX are:
>
> 5060 udp and 5060 tcp
> 30000 - 31000 udp
>
> 5080 udp if you want to use trunking.
>
> Need to have static port on NAT
>
> Mike
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Andriy
> Kucher
> Sent: Friday, March 19, 2010 6:41 AM
> To: [email protected]
> Subject: Re: [sipx-users] sipXecs behind NAT
>
> Thank you for the reply.
> Quote:
> > You need to indicate what kind of firewall/router is doing your NAT.
> > It sounds like your NAT device is mangling the ports, which won't work.
>
> I'm using a simple iptables Linux firewall. I think everything is OK
> with the firewall; it doesn't change ports. I have previously used
> FreeSWITCH and it has worked correctly.
>
> Quote:
> > > static IP address (82.207.124.XXX) and specified Start RTP port -
> > > End RTP port to 31112 - 31116. Public port remains default 5060.
> >
> > That's a very restrictive range. Why so low a range?
>
>
> For testing purposes. When it works properly I'll change this to a
> wider range. Currently it's quite some work to configure the firewall
> to open these ports.
>
> Quote:
> > Your firewall or router needs to ensure the ports (5060 and
> > 31113-31116) are sent out and come back on the same port. At the same
> > time your remote user(s) need to ensure their router/firewall has any
> > ALG (application layer gateway), or SPI stateful packet inspection, as
> > well as any sip helpers or proxies like sipxproxd, turned off.
>
>
> Well, at the server side the router makes the correct redirections;
> ports 5060 and 31112-31116 are properly opened and sent out and come
> back.
> My remote user (it's me at home) has a hardware PPPoE router (TP-Link
> 642G) and actually I don't know if it has any SIP helpers.
> Actually I'm wondering why I need those SIP helpers at all... FreeSWITCH
> has worked perfectly in this scenario.
> I can grab all SIP packets at home with Wireshark and post them here,
> but I'm not sure if I'll be able to do this on the Linux server. Should
> I attach these logs here?
> _______________________________________________
> sipx-users mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
>

Here's a working iptables with sipxecs behind nat for trunking and remote
users.

disclaimer: I do not "prefer" or purport to be an iptables expert. I have
this in place somewhere and it does work.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the firewall host itself: loopback, ICMP, replies to its own
# connections, and SSH; everything else is rejected.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT
#-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
# Forwarded traffic to the PBX (192.168.0.29). Every TCP port allowed here
# has a matching DNAT rule in the nat table below.
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport ssh -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport 5060 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport 12000 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport 8443 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 192.168.0.29 --dport 42003 -j ACCEPT
# SIP signalling (5060), trunking (5080) and the RTP media range (30000-31000).
-A FORWARD -p udp -d 192.168.0.29 --dport 5060 -j ACCEPT
-A FORWARD -p udp -d 192.168.0.29 --dport 5080 -j ACCEPT
-A FORWARD -p udp -d 192.168.0.29 --dport 30000:31000 -j ACCEPT
# eth0 is the public side, eth1 the LAN side: replies come in, anything goes out.
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 12.13.14.15 is the firewall's public address. Ports are mapped 1:1 with no
# port translation, which is the "static port" requirement for SIP and RTP.
# SSH (22), HTTP (80) and HTTPS (8443) on the PBX are reachable from the
# internet with these rules; add -s <trusted network> to narrow them.
-A PREROUTING -p tcp -d 12.13.14.15 --dport 22 -j DNAT --to 192.168.0.29
-A PREROUTING -p tcp -d 12.13.14.15 --dport 5060 -j DNAT --to 192.168.0.29
-A PREROUTING -p tcp -d 12.13.14.15 --dport 12000 -j DNAT --to 192.168.0.29
-A PREROUTING -p tcp -d 12.13.14.15 --dport 80 -j DNAT --to 192.168.0.29
-A PREROUTING -p tcp -d 12.13.14.15 --dport 8443 -j DNAT --to 192.168.0.29
-A PREROUTING -p tcp -d 12.13.14.15 --dport 42003 -j DNAT --to 192.168.0.29
-A PREROUTING -p udp -d 12.13.14.15 --dport 5060 -j DNAT --to-destination 192.168.0.29:5060
-A PREROUTING -p udp -d 12.13.14.15 --dport 5080 -j DNAT --to-destination 192.168.0.29:5080
-A PREROUTING -p udp -d 12.13.14.15 --dport 30000:31000 -j DNAT --to-destination 192.168.0.29
# Source NAT for everything leaving the public interface.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

-- 
======================
Tony Graziano, Manager
Telephone: 434.984.8430
Fax: 434.984.8431

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
_______________________________________________
sipx-users mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
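The thread's diagnostic question (whether a router mangles ports, Mike's "static port" requirement, and the advice to turn SIP helpers off) can be answered from a packet capture like the one Andriy offers to take. The Python below is an added example, not code from the thread or from sipXecs: it compares the Via header a phone wrote with the UDP source port actually seen at the PBX side. The REGISTER message, the phone's LAN address 192.168.1.20, the public address 203.0.113.7 and the function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: a REGISTER as captured on the PBX (public) side of the
# firewall. Via and Contact carry what the phone itself wrote: its LAN address.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:201@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:201@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:201@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Top-most Via: transport, sent-by host, optional port, remaining parameters.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^\s;:]+)(?::(\d+))?([^\r\n]*)", re.M | re.I)

@dataclass
class NatCheck:
    via_host: str
    via_port: int
    port_preserved: bool   # NAT kept the phone's source port ("static port")
    via_rewritten: bool    # a SIP helper/ALG changed the Via the phone wrote
    rport_requested: bool  # phone asked the PBX to reply to the observed port

def parse_via(msg: str):
    """Return (host, port, rport_present) from the first Via header."""
    m = VIA_RE.search(msg)
    if not m:
        raise ValueError("no Via header in message")
    _transport, host, port, params = m.groups()
    return host, int(port) if port else 5060, "rport" in params

def check_nat(msg: str, seen_src_port: int, phone_lan_ip: str) -> NatCheck:
    """Compare the Via the phone wrote with the UDP source port seen at the PBX.
    phone_lan_ip is the phone's real LAN address, known from its own config."""
    host, port, rport = parse_via(msg)
    return NatCheck(host, port, seen_src_port == port, host != phone_lan_ip, rport)

def verdict(c: NatCheck) -> str:
    # A rewritten Via hides what the NAT did to the port, so report it first.
    if c.via_rewritten:
        return "sip helper rewrote Via"
    if not c.port_preserved:
        # With ;rport the PBX still answers to the observed port, so REGISTER may
        # succeed while RTP (negotiated in SDP, with no rport) still breaks.
        return "nat rewrote source port"
    return "ok"
```

Feed it the SIP text and the UDP source port from a Wireshark capture taken on the server side; a "nat rewrote source port" or "sip helper rewrote Via" verdict points at the remote router rather than the PBX firewall.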
