I don't see the attached trace. Your iptables looks woefully incomplete (it does not address your media ports range).
I am not an iptables expert; I find it has a horrible interface from an organizational standpoint. Here is one that was working that I had access to. You might extract what might be missing that you need.

[r...@core1 ~]# cat /etc/sysconfig/iptables
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT
#-A INPUT -j LOG
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport ssh -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport 5060 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport 12000 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport 8443 -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp -d 172.16.248.10 --dport 42003 -j ACCEPT
-A FORWARD -p udp -d 172.16.248.10 --dport 5060 -j ACCEPT
-A FORWARD -p udp -d 172.16.248.10 --dport 5080 -j ACCEPT
-A FORWARD -p udp -d 172.16.248.10 --dport 30000:31000 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -d 1.2.3.4 --dport 22 -j DNAT --to 172.16.248.10
-A PREROUTING -p tcp -d 1.2.3.4 --dport 5060 -j DNAT --to 172.16.248.10
-A PREROUTING -p tcp -d 1.2.3.4 --dport 12000 -j DNAT --to 172.16.248.10
-A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 172.16.248.10
-A PREROUTING -p tcp -d 1.2.3.4 --dport 8443 -j DNAT --to 172.16.248.10
-A PREROUTING -p tcp -d 1.2.3.4 --dport 42003 -j DNAT --to 172.16.248.10
-A PREROUTING -p udp -d 1.2.3.4 --dport 5060 -j DNAT --to-destination 172.16.248.10:5060
-A PREROUTING -p udp -d 1.2.3.4 --dport 5080 -j DNAT --to-destination 172.16.248.10:5080
-A PREROUTING -p udp -d 1.2.3.4 --dport 30000:31000 -j DNAT --to-destination 172.16.248.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
[r...@core1 ~]#

And here is what an iptables status looks like:

[r...@core1 ~]# service iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:22 to:172.16.248.10
2    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:5060 to:172.16.248.10
3    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:12000 to:172.16.248.10
4    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:80 to:172.16.248.10
5    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:8443 to:172.16.248.10
6    DNAT       tcp  --  0.0.0.0/0            1.2.3.4             tcp dpt:42003 to:172.16.248.10
7    DNAT       udp  --  0.0.0.0/0            1.2.3.4             udp dpt:5060 to:172.16.248.10:5060
8    DNAT       udp  --  0.0.0.0/0            1.2.3.4             udp dpt:5080 to:172.16.248.10:5080
9    DNAT       udp  --  0.0.0.0/0            1.2.3.4             udp dpts:30000:31000 to:172.16.248.10

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:5060
3    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:12000
4    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:8443
6    ACCEPT     tcp  --  0.0.0.0/0            172.16.248.10       state NEW tcp dpt:42003
7    ACCEPT     udp  --  0.0.0.0/0            172.16.248.10       udp dpt:5060
8    ACCEPT     udp  --  0.0.0.0/0            172.16.248.10       udp dpt:5080
9    ACCEPT     udp  --  0.0.0.0/0            172.16.248.10       udp dpts:30000:31000
10   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
12   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

On Mon, Jul 5, 2010 at 9:17 AM, [email protected] <[email protected]> wrote:

> Hi,
>
> before asking my questions I would like to explain our installation and
> network, so you can have a better idea what we have done and we are
> trying to do.
>
> We have one machine with 1 public ip address. We have installed on this
> machine openvpn server and also virtualbox.
>
> We created one virtual machine on vbox that has centos 5.5 installed
> and on it sipxecs.
>
> On host machine we create a tap0 interface and then we add tap0 to a
> bridge interface with ip 10.1.1.1. We create this bridge interface in
> order to give internet access to guest machine and to make visible guest
> from host machine. On guest machine we use one interface with ip
> 10.1.1.2. In order to give internet access to guest machine, we create
> nat on host machine.
>
> We follow this article for vbox networking:
> http://www.virtualbox.org/wiki/Advanced_Networking_Linux
>
> As you already know on host machine we have installed openvpn and it
> acts as vpn server. We have set openvpn to use tap device and to act as
> a bridge and openvpn has this configuration:
>
> port 1194
> proto udp
> dev tap0
>
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
>
> server-bridge 10.1.1.1 255.255.0.0 10.1.1.3 10.1.1.254
> ifconfig-pool-persist ipp.txt
> client-to-client
> client-config-dir ccd
>
> keepalive 10 60
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
> When we try to register over vpn all is ok and our registration urls
> look this way:
>
> <sip:[email protected]:40200;x-sipX-nonat>
>
> Outgoing and incoming calls between sipx users are ok and internal
> communication is ok. At least it looks ok from our tests.
>
> Now we are trying to make sipxecs to be accessible also from non vpn
> users (remote users) and to be able to call via ITSP and to receive
> calls from ITSP.
>
> Registration from remote users also looks ok. We are able to register and
> the url looks ok.
>
> Until this moment all is ok. The problem comes when we try to call out
> via ITSP.
>
> In logs I see that we register to ITSP without any problems, in sipx web
> interface also shows AUTHENTICATED.
>
> The problem appears when I try to make outgoing call via ITSP. Then on
> the phone I get "408 ITSP Time out". I checked the traces, but cannot
> figure out what the problem is.
>
> I was thinking that the problem may be the rules that I use for
> forwarding the ports to sipx from public interface on host machine. But
> I'm not sure if this is the problem.
>
> I use these rules:
>
> IPTABLES=/sbin/iptables
> export EXTIF=eth0
> export BRIF=br0
>
> # my sipXecs proxy server and sipxbridge run here.
> export SIPXADDR=10.1.1.2
> export PORTRANGE=30000:31000
>
>
> #set a default policy
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -F INPUT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -F FORWARD
> /sbin/iptables -t nat -F
>
> # set forwarding and nat rules
> /sbin/iptables -A FORWARD -i $EXTIF -o $BRIF -j ACCEPT
> /sbin/iptables -A FORWARD -i $BRIF -o $EXTIF -j ACCEPT
>
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 5060 -j DNAT --to-destination $SIPXADDR:5060
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p udp --dport 5060 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5060 -j DNAT --to-destination $SIPXADDR:5060
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 5060 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 5070 -j DNAT --to-destination $SIPXADDR:5070
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p udp --dport 5070 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5070 -j DNAT --to-destination $SIPXADDR:5070
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 5070 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 5080 -j DNAT --to-destination $SIPXADDR:5080
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p udp --dport 5080 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5080 -j DNAT --to-destination $SIPXADDR:5080
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 5080 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport 5090 -j DNAT --to-destination $SIPXADDR:5090
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p udp --dport 5090 -j ACCEPT
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5090 -j DNAT --to-destination $SIPXADDR:5090
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 5090 -j ACCEPT
>
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 9090 -j DNAT --to-destination $SIPXADDR:9090
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 9090 -j ACCEPT
>
> /sbin/iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 81 -j DNAT --to-destination $SIPXADDR:8443
> /sbin/iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p tcp --dport 8443 -j ACCEPT
>
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
>
> Are these rules above wrong? If yes, then what are the right rules that
> I need to use when sipxecs is located in private network behind NAT?
>
> I suppose there are a lot of people that have such/similar installations
> and I will be very happy if you share your experience in such
> installations.
>
> Is it possible something to be wrong in headers and this way ITSP does
> not know where to send packages?
>
> I attach one of the traces for failed outgoing call where I get ITSP
> Timeout error.
>
> Let me know if you need snapshot of sipx installation and I will send it
> too.
>
> What we need now is to get working outgoing and incoming calls via
> ITSP.
>
> P.S. we have installed sipxecs 4.2.0-018575.
>
> Thanks in advance!
>
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
>

(It would be much easier if you ran something a little more generic. Like running a linux box with vmware server and running sipxecs as a private guest and pfsense as a guest and also acting as your firewall and openvpn server...)
--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431
Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427
Helpdesk Contract Customers: http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
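As an added example (not code from either message in this thread), a small POSIX shell helper that emits the same DNAT/FORWARD pair per port that the poster's script builds, but also covers the RTP range that the script exports as PORTRANGE and never uses, and a check that scans an iptables-save style dump for that range. EXTIF, SIPXADDR and PORTRANGE are the poster's own variable names; the dumps used for checking are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. EXTIF, SIPXADDR and PORTRANGE are the
# poster's own variable names and must be set by the caller.

# sipx_rule PROTO PORT|LOW:HIGH
# Prints the DNAT + FORWARD pair that lets traffic arriving on $EXTIF reach
# $SIPXADDR. No port follows --to-destination, so DNAT keeps the original
# destination port; that is what lets one rule carry a whole RTP range.
sipx_rule() {
    proto=$1
    port=$2
    echo "iptables -t nat -A PREROUTING -i $EXTIF -p $proto --dport $port -j DNAT --to-destination $SIPXADDR"
    echo "iptables -A FORWARD -i $EXTIF -d $SIPXADDR -p $proto --dport $port -j ACCEPT"
}

# sipx_ruleset
# Prints the signalling rules plus the media range. Pipe the output to sh to apply.
sipx_ruleset() {
    sipx_rule udp 5060          # SIP proxy
    sipx_rule tcp 5060
    sipx_rule udp 5080          # sipXbridge (ITSP leg)
    sipx_rule tcp 5080
    sipx_rule tcp 8443          # admin web UI
    sipx_rule udp "$PORTRANGE"  # RTP media: exported but never used in the poster's script
}

# media_range_covered DUMP LOW:HIGH
# Returns 0 only if DUMP (iptables-save style lines, or the output above) has
# both a udp DNAT rule and a udp FORWARD ACCEPT rule for exactly that range.
media_range_covered() {
    dump=$1
    range=$2
    printf '%s\n' "$dump" | grep -q -- "-A PREROUTING .*-p udp .*--dport $range .*-j DNAT" || return 1
    printf '%s\n' "$dump" | grep -q -- "-A FORWARD .*-p udp .*--dport $range .*-j ACCEPT" || return 1
    return 0
}

# Stand-alone use (./script --show): print the rules, then confirm the range is covered.
if [ "${1:-}" = "--show" ]; then
    EXTIF=${EXTIF:-eth0}; SIPXADDR=${SIPXADDR:-10.1.1.2}; PORTRANGE=${PORTRANGE:-30000:31000}
    rules=$(sipx_ruleset)
    printf '%s\n' "$rules"
    media_range_covered "$rules" "$PORTRANGE" && echo "media range $PORTRANGE: covered"
fi
```

Run the check against `iptables-save` output on the host to see whether the live rule set forwards the range at all, which is the gap pointed out above.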
