Hi all,
I am trying to get iptables to work for me... I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060 udp. I have need to tcpenable=yes SIP and run that on port 5068. Since port 5060 is already running I was going to redirect 5068 to 5060.
So I thought I could use iptables to do that - but does not seem to be working. 192.168.10.201 is my machine, 192.168.1.3 is the other machine. 1.3 should connect to 10.201 on port 5068.
so I did:
iptables -t nat -A PREROUTING -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.3 --dport 5060 -j REDIRECT --to-port 5068
This did not seem to work. iptables -t nat -L -n -v shows packets going out to 1.3 but "0" on the input for 5068.
So then I added
iptables -t nat -A OUTPUT -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 5068 -j REDIRECT --to-port 5060
And still nothing on the input.
What have I missed?
Thanks,
Jerry
On 10/16/2016 05:39 PM, Jerry Geis wrote:
> I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060 udp. I have need to tcpenable=yes SIP and run that on port 5068. Since port 5060 is already running I was going to redirect 5068 to 5060.
Oh, yuck. SIP includes information about an endpoint's address and port in the payload of its data. The NAT helpers *should* rewrite that, but only if your payload isn't encrypted. Asterisk can be configured with knowledge of its NATed address and port, but... Well, this all becomes kind of a mess.
It's best to avoid NAT wherever possible, in general, but more so with SIP than with some other common protocols.
> 192.168.10.201 is my machine, 192.168.1.3 is the other machine. 1.3 should connect to 10.201 on port 5068.
> so I did:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.3 --dport 5060 -j REDIRECT --to-port 5068
> This did not seem to work. iptables -t nat -L -n -v shows packets going out to 1.3 but "0" on the input for 5068.
Is there a reason you can't configure asterisk to connect to 192.168.1.3:5068, without using NAT? And the reverse? Can 192.168.1.3 not connect to 5060?
And if you're not seeing packets hit that rule, are you really sure 192.168.1.3 is sending packets to 192.168.10.201 port 5068? Do you see them using a diagnostic tool like tcpdump?
> So then I added
> iptables -t nat -A OUTPUT -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 5068 -j REDIRECT --to-port 5060
The output chain with a destination address of the local machine? I'm not really sure what you're trying to do here.
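An added example (not code from either post) of the single nat rule this setup needs, plus the checks the reply asks for. It assumes the thread's addresses and ports, and that REDIRECT is accepted only in the nat table's PREROUTING and OUTPUT chains (a POSTROUTING REDIRECT is refused by iptables).

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the thread's addresses and
# ports; run as root with "apply" to install the rule, or source it to
# use the functions on their own.
PEER=192.168.1.3        # the machine that should connect to us on 5068
HOST=192.168.10.201     # this asterisk box
PUB=5068                # port the peer dials
REAL=5060               # port asterisk's TCP listener is actually bound to

# REDIRECT is only accepted in the nat table's PREROUTING and OUTPUT chains,
# so a REDIRECT in POSTROUTING never loads in the first place.
lint_redirect_chain() {
    case "$1" in
        PREROUTING|OUTPUT) return 0 ;;
        *) return 1 ;;
    esac
}

# The one rule the setup needs: rewrite the peer's inbound TCP SYN to 5068
# so it lands on the 5060 listener. Conntrack un-NATs the replies, so no
# outbound rule is needed; matching on -s limits the redirect to this peer.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp -s %s -d %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$PEER" "$HOST" "$PUB" "$REAL"
}

# Checks in the order the reply suggests: first prove the SYN reaches the
# wire (tcpdump sees inbound packets before nat PREROUTING, so dport is
# still 5068), then read the rule's packet counter. A "0" there while
# traffic is on the wire means the match, not the peer, is wrong.
verify_cmds() {
    echo "tcpdump -ni any 'tcp port $PUB and host $PEER'"
    echo "iptables -t nat -L PREROUTING -n -v --line-numbers"
}

if [ "${1:-}" = apply ]; then
    lint_redirect_chain PREROUTING || exit 1
    eval "$(redirect_rule)"
    verify_cmds
fi
```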