It doesn't interfere with remote users if the call is initiated from sipx to the itsp on port 5060.

On Fri, Aug 20, 2010 at 4:33 PM, Michael Scheidell <[email protected]> wrote:

> when you did that, did you have any problems with outbound calls? outbound
> calls would go to ITSP: 5060 on udp, and they would respond back.
>
> someone also mentioned that maybe setting this this way would have issues
> with remote users.
>
> On 8/20/10 9:51 AM, Krisztian Ganyai wrote:
>
> Hi,
>
> In the iptables status output you sent below, you have *TCP* as the
> protocol. I think that should be *UDP*. Our iptables status’ output reads
> like this:
>
> …
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DNAT *udp* -- w.x.y.z 0.0.0.0/0 *udp* dpt:5060 to:a.b.c.d:5080
> …
>
> Can you please dblcheck if you have UDP in the /etc/sysconfig/iptables
> file?
>
> BR,
>
> Chris
>
> ------------------------------
>
> *From:* Michael Scheidell [mailto:[email protected]<[email protected]>]
> *Sent:* Friday, August 20, 2010 1:19 PM
> *To:* Sven Evensen
> *Cc:* [email protected]
> *Subject:* Re: [sipx-users] iptables experts: port forwarding.
>
> noop, that didn't do it.
> remember, this is behind a firewall already, iptables isn't doing natting.
>
> ran system-config-securitylevel-tui
> enabled firewall.
>
> edited /etc/sysconfig/iptables to be what you had (ip's changed)
>
> restarted iptables: /etc/init.d/iptables restart
>
> /etc/init.d/iptables status shows: (i changed to tcp so I could test with
> telnet)
>
> /etc/init.d/iptables status
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 DNAT *tcp* -- xxx.xxx.xxx.36 0.0.0.0/0 *tcp* dpt:5060 to:192.168.0.2:5080
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> on external host, did a telnet to public ip port 5060:
>
> /usr/sbin/tshark -tad -s1500 -n -p host xxx.xxx.xxx.36
> 2010-08-20 08:11:33.587745 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=1337361266 TSER=0
> 2010-08-20 08:11:33.587807 192.168.0.2 -> xxx.xxx.xxx.36 TCP 5060 > 51532 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1084756872 TSER=1337361266 WS=7
> 2010-08-20 08:11:33.624719 xxx.xxx.xxx.36 -> 192.168.0.2 TCP 51532 > 5060 [ACK] Seq=1 Ack=1 Win=66608 Len=0 TSV=1337361298 TSER=1084756872
>
> On 8/20/10 5:24 AM, Sven Evensen wrote:
>
> We use iptables on several of our machines to overcome the fact that ITSP
> cannot send on 5060,
>
> works perfectly. Here is our setup:
>
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT --to 10.227.122.31:5080
> COMMIT
>
> ------------------------------
>
> *From:* [email protected] [mailto:[email protected]<[email protected]>]
> *On Behalf Of* Tony Graziano
> *Sent:* 20 August 2010 08:18
> *To:* Michael Scheidell
> *Cc:* [email protected] users
> *Subject:* Re: [sipx-users] iptables experts: port forwarding.
>
> The startup script for sipx checks to see if iptables is running, because it
> is automatically "problematic" if it is...
>
> On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell <[email protected]> wrote:
>
> It just occurred to me that sipx on centos has iptables. maybe not active,
> but it's got it.
>
> can I use iptables, internally, without involving natting to do selective
> port forwarding.
>
> example:
> private ip address of 192.168.0.2 sipx.secnap.com.
> public ip of ITSP: 4.2.2.2
>
> I want to do something like this:
>
> if traffic comes in from source ip 4.2.2.2 to 192.168.0.2:5060 redirect
> it to 192.168.0.2:5080
> (assuming that the original firewall did the natting. pretend there isn't
> one)
>
> all other traffic to 192.168.0.2:5060 goes to 192.168.0.2:5080
> all traffic to 192.168.0.2:5080 goes to 192.168.0.2:5080.
>
> pretend I know lots about freebsd and ipfw and just tonight figured out how
> to type 'iptables --list'
> eg: tutor me.
> I am thinking that if this can be done, it might make life easier for
> people like me and mitchel who can't get the ITSP to send to port 5080.
>
> before I take my live phone system offline, look here, several paragraphs
> down:
>
> <http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/>
>
> they do something like this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
>
> iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*
>
> so, echo 1 > /proc/sys/net/ipv4/ip_forward (might not be needed)
> but
> iptables -t nat -A PREROUTING -p tcp -s 4.2.2.2 -d localhost --dport 5060 -j DNAT to localhost:5080
>
> --
> Michael Scheidell, CTO
> o: 561-999-5000
> d: 561-948-2259
> ISN: 1259*1300
>
> *| *SECNAP Network Security Corporation
>
> - Certified SNORT Integrator
> - 2008-9 Hot Company Award Winner, World Executive Alliance
> - Five-Star Partner Program 2009, VARBusiness
> - Best in Email Security,2010: Network Products Guide
> - King of Spam Filters, SC Magazine 2008
>
> ------------------------------
>
> This email has been scanned and certified safe by SpammerTrap®.
> For Information please see http://www.secnap.com/products/spammertrap/
> ------------------------------
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> ======================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: [email protected]
> Fax: 434.984.8431
>
> Email: [email protected]
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: [email protected]
> Fax: 434.984.8427
>
> Helpdesk Contract Customers:
> http://www.myitdepartment.net/gethelp/
>
> Why do mathematicians always confuse Halloween and Christmas?
> Because 31 Oct = 25 Dec.

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.984.8431

Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Fax: 434.984.8427

Helpdesk Contract Customers:
http://www.myitdepartment.net/gethelp/

Why do mathematicians always confuse Halloween and Christmas?
Because 31 Oct = 25 Dec.
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
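
The two properties the thread settles on for the 5060-to-5080 redirect (the rule must match UDP, and it must be limited to the ITSP's source address so other senders are not redirected) can be checked against a file in /etc/sysconfig/iptables format. This is an added example, not part of the original thread or of sipX; the function names are hypothetical and the sample rules use constructed documentation-range addresses.

```python
import shlex

def parse_nat_rules(text):
    """Yield one option dict per -A rule found inside the *nat table."""
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#:":          # comments and chain policies
            continue
        if line.startswith("*"):                 # table header such as *nat
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            tok = shlex.split(line)
            rule, i = {"chain": tok[1]}, 2
            while i < len(tok):                  # pair each option with its value
                has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
                rule[tok[i]] = tok[i + 1] if has_val else True
                i += 2 if has_val else 1
            yield rule

def first(rule, *names):
    """Return the value of the first option alias present in the rule."""
    return next((rule[n] for n in names if n in rule), None)

def audit_sip_redirect(text, sip_port="5060"):
    """Report every PREROUTING DNAT rule on the SIP port and its problems."""
    findings = []
    for rule in parse_nat_rules(text):
        if rule["chain"] != "PREROUTING" or first(rule, "-j", "--jump") != "DNAT":
            continue
        if first(rule, "--dport", "--destination-port") != sip_port:
            continue
        proto = first(rule, "-p", "--protocol")
        source = first(rule, "-s", "--source", "--src")
        problems = []
        if proto != "udp":
            problems.append(f"matches {proto}, but the ITSP sends SIP over UDP")
        if source is None:
            problems.append("no -s match: all senders to 5060 are redirected")
        findings.append({"proto": proto, "source": source, "problems": problems,
                         "to": first(rule, "--to", "--to-destination")})
    return findings

# Constructed sample: one correct rule, one left on tcp, one without -s.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 5060 -s 203.0.113.10 -i eth+ -j DNAT --to 192.0.2.20:5080
-A PREROUTING -p tcp --dport 5060 -s 203.0.113.10 -j DNAT --to 192.0.2.20:5080
-A PREROUTING -p udp --dport 5060 -j DNAT --to 192.0.2.20:5080
COMMIT
"""

if __name__ == "__main__":
    for f in audit_sip_redirect(SAMPLE):
        print(f["proto"], f["source"], "->", f["to"], f["problems"] or "OK")
```
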
