When you did that, did you have any problems with outbound calls? Outbound calls would go to ITSP:5060 on UDP, and they would respond back.

Someone also mentioned that maybe setting it up this way would have issues with remote users.



On 8/20/10 9:51 AM, Krisztian Ganyai wrote:

Hi,

In the iptables status output you sent below, you have *TCP* as the protocol. I think that should be *UDP*. Our iptables status output reads like this:

...
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       *udp* --  w.x.y.z              0.0.0.0/0           *udp* dpt:5060 to:a.b.c.d:5080
...

Can you please double-check that you have UDP in the /etc/sysconfig/iptables file?

BR,

Chris

------------------------------------------------------------------------

*From:* Michael Scheidell [mailto:[email protected]]
*Sent:* Friday, August 20, 2010 1:19 PM
*To:* Sven Evensen
*Cc:* [email protected]
*Subject:* Re: [sipx-users] iptables experts: port forwarding.

Nope, that didn't do it.
Remember, this is behind a firewall already; iptables isn't doing natting.

Ran system-config-securitylevel-tui and enabled the firewall.

Edited /etc/sysconfig/iptables to be what you had (IPs changed).

Restarted iptables: /etc/init.d/iptables restart

/etc/init.d/iptables status shows (I changed to TCP so I could test with telnet):

/etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1 DNAT *tcp* -- xxx.xxx.xxx.36 0.0.0.0/0 *tcp* dpt:5060 to:192.168.0.2:5080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination



On an external host, did a telnet to the public IP, port 5060:

/usr/sbin/tshark -tad -s1500 -n -p  host xxx.xxx.xxx.36
2010-08-20 08:11:33.587745 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=1337361266 TSER=0
2010-08-20 08:11:33.587807 192.168.0.2 -> xxx.xxx.xxx.36 TCP 5060 > 51532 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1084756872 TSER=1337361266 WS=7
2010-08-20 08:11:33.624719 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSV=1337361298 TSER=1084756872

On 8/20/10 5:24 AM, Sven Evensen wrote:

We use iptables on several of our machines to overcome the fact that the ITSP cannot send on 5060; it works perfectly. Here is our setup:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT --to 10.227.122.31:5080
COMMIT

------------------------------------------------------------------------

*From:* [email protected] [mailto:[email protected]] *On Behalf Of* Tony Graziano
*Sent:* 20 August 2010 08:18
*To:* Michael Scheidell
*Cc:* [email protected] users
*Subject:* Re: [sipx-users] iptables experts: port forwarding.

The startup script for sipx checks to see if iptables is running, because it is automatically "problematic" if it is...

On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell <[email protected]> wrote:

It just occurred to me that sipx on CentOS has iptables. Maybe not active, but it's got it.

Can I use iptables, internally, without involving natting, to do selective port forwarding?

example:
private IP address of 192.168.0.2: sipx.secnap.com.
public ip of ITSP: 4.2.2.2

I want to do something like this:

If traffic comes in from source IP 4.2.2.2 to 192.168.0.2:5060, redirect it to 192.168.0.2:5080 (assuming that the original firewall did the natting; pretend there isn't one).

All other traffic to 192.168.0.2:5060 goes to 192.168.0.2:5080. All traffic to 192.168.0.2:5080 goes to 192.168.0.2:5080.

Pretend I know lots about FreeBSD and ipfw and just tonight figured out how to type 'iptables --list', e.g. tutor me.
I am thinking that if this can be done, it might make life easier for people like me and Mitchel who can't get the ITSP to send to port 5080.

Before I take my live phone system offline, look here, several paragraphs down:
<http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/>

They do something like this:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*

So, echo 1 > /proc/sys/net/ipv4/ip_forward (might not be needed)
but
iptables -t nat -A PREROUTING -p tcp -s 4.2.2.2 -d localhost --dport 5060 -j DNAT --to localhost:5080

--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
| SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

------------------------------------------------------------------------

This email has been scanned and certified safe by SpammerTrap®.
For Information please see http://www.secnap.com/products/spammertrap/

------------------------------------------------------------------------


_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/




--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.

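The check Chris asks for (is the SIP DNAT rule really UDP?) and the shape of Sven's working rule (UDP only, restricted to the ITSP's address) can be verified before restarting iptables. The script below is an added example written for this thread, not code from any of the posters or from sipXecs: it parses both the `/etc/init.d/iptables status` listing and the /etc/sysconfig/iptables (iptables-save) format and flags a DNAT rule on the SIP port that matches the wrong protocol or accepts any source. The listing and file contents embedded in it are constructed samples modelled on the ones quoted above; 203.0.113.36 is a placeholder for the ITSP address.

```python
"""Sanity-check iptables nat PREROUTING DNAT rules for a SIP port.

Added example for the sipx-users thread above, not the project's code.
Both the `iptables status` listing and the /etc/sysconfig/iptables
(iptables-save) format are parsed.  Sample text is constructed; the
ITSP address 203.0.113.36 is a placeholder."""
import re

# Constructed sample modelled on the `/etc/init.d/iptables status` output
# quoted in the thread, with the protocol still set to tcp (Chris's point).
STATUS_OUTPUT = """\
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  203.0.113.36         0.0.0.0/0           tcp dpt:5060 to:192.168.0.2:5080

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
"""

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format,
# modelled on Sven's working rule: UDP only, limited to the ITSP address.
SAVE_FILE = """\
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 5060 -s 203.0.113.36 -i eth+ -j DNAT --to 192.168.0.2:5080
COMMIT
"""

# `iptables -t nat -L -n --line-numbers` style line:
#   num target prot opt source destination proto dpt:N to:ADDR:PORT
STATUS_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+DNAT\s+(?P<proto>\w+)\s+\S+\s+(?P<src>\S+)\s+\S+"
    r"\s+\w+\s+dpt:(?P<dport>\d+)\s+to:(?P<to>\S+)")
# iptables-save style line: -A PREROUTING <matches> -j DNAT --to[-destination] ADDR[:PORT]
SAVE_RE = re.compile(
    r"^-A\s+PREROUTING\s+(?P<opts>.*?)-j\s+DNAT\s+--to(?:-destination)?\s+(?P<to>\S+)")


def _opt(opts, flag, default=None):
    """Return the value of one iptables option (e.g. `-p`, `--dport`) in a match string."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", opts)
    return m.group(1) if m else default


def parse_dnat_rules(text):
    """Return PREROUTING DNAT rules found in either format as a list of dicts."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STATUS_RE.match(line)
        if m:
            rules.append({"line": lineno, "proto": m["proto"], "src": m["src"],
                          "dport": int(m["dport"]), "to": m["to"]})
            continue
        m = SAVE_RE.match(line)
        if m:
            opts = m["opts"]
            rules.append({"line": lineno, "proto": _opt(opts, "-p", "all"),
                          "src": _opt(opts, "-s", "0.0.0.0/0"),
                          "dport": int(_opt(opts, "--dport", "0")), "to": m["to"]})
    return rules


def check_sip_dnat(text, sip_port=5060, want_proto="udp", itsp=None):
    """Return findings for DNAT rules on the SIP port.

    A rule is flagged when its protocol is not what the ITSP actually sends
    (UDP in this thread), when it redirects traffic from any source rather
    than only the ITSP, or, if `itsp` is given, when the source is some other
    address."""
    findings = []
    for r in parse_dnat_rules(text):
        if r["dport"] != sip_port:
            continue
        if r["proto"] != want_proto:
            findings.append(f"line {r['line']}: DNAT of port {sip_port} matches "
                            f"{r['proto']}, but the ITSP sends {want_proto}")
        if r["src"] in ("0.0.0.0/0", "anywhere"):
            findings.append(f"line {r['line']}: DNAT of port {sip_port} is not "
                            f"limited to a source address")
        elif itsp is not None and r["src"] != itsp:
            findings.append(f"line {r['line']}: source {r['src']} is not the "
                            f"ITSP address {itsp}")
    return findings


if __name__ == "__main__":
    for name, text in (("status", STATUS_OUTPUT), ("sysconfig", SAVE_FILE)):
        print(name, "->", check_sip_dnat(text, itsp="203.0.113.36") or ["ok"])
```

Feed it the raw listing (the asterisks around *tcp* in the quoted mail are the mail client's bolding, not iptables output) or the contents of /etc/sysconfig/iptables; a rule that the script accepts still needs Chris's real-world test, a UDP INVITE from the ITSP landing on 5080, since the script only checks the rule text, not the traffic.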