[CentOS] ASTERISK BOX behind a firewall

Ross S. W. Walker rwalker at medallion.com
Wed Sep 12 13:32:46 UTC 2007


Feizhou wrote:
> 
> Indunil Jayasooriya wrote:
> > Hi All,
> > 
> > I want to put an ASTERISK BOX behind a Firewall. So I have given below rules.
> > 
> 
> Sure. So long as it is NOT a natting firewall.
> 
> > 
> > iptables -A FORWARD -p udp -d 192.168.101.30 -m multiport --dports 3478,4569,5060 -m state --state NEW -j ACCEPT
> > iptables -A FORWARD -p udp -d 192.168.101.30 --dport 10000:20000 -m state --state NEW -j ACCEPT
> > 
> > iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 -m multiport --dports 3478,4569,5060 -j DNAT --to-destination 192.168.101.30
> > iptables -t nat -A PREROUTING -p udp -i eth0 -d 1.2.3.4 --dport 10000:20000 -j DNAT --to-destination 192.168.101.30
> > 
> > pls assume 1.2.3.4 is the ip that connects to the internet.
> 
> Forget it. This will never work.
> 
> > 
> > 
> > I use Xlite softphone to talk. I can register. It says user ready. I can
> > dial extensions as well. But, WHEN I talk, both parties cannot hear
> > anything.
> > 
> > in rtp.conf file,  PORT 10000 to 20000 are also available.
> 
> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
> 
> I have never managed to get this to work. Getting the below was trouble
> enough. Forget about trying to get an asterisk box behind a nat to work
> with clients outside.
> 
> asterisk <-> nat <-> sip client.

Yes, you will need a specific SIP iptables filter for this to
work from behind a firewall.

I know of an H.323 filter, but haven't explored SIP as we aren't
running any SIP application here yet.

Another possibility would be a SIP proxy installed on the
firewall, but it is not as secure as a filter.

-Ross
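
An added example, not part of the original thread: the usual reason registration succeeds but no audio flows in the setup quoted above is that DNAT rewrites only the IP header, while the SIP headers and the SDP body still advertise the private address. The function name `audit_sip` and the INVITE below are constructed for illustration; the addresses and the RTP port range come from the quoted rules.

```python
import ipaddress
import re

# Constructed INVITE, as a box at 192.168.101.30 would send it when nothing
# rewrites the payload (addresses taken from the rules quoted in the thread).
SAMPLE_INVITE = (
    "INVITE sip:100@198.51.100.7 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.101.30:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:asterisk@192.168.101.30:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.101.30\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.101.30\r\n"
    "t=0 0\r\n"
    "m=audio 14250 RTP/AVP 0\r\n"
)

def audit_sip(message, rtp_range=(10000, 20000)):
    """Return findings explaining why media would not cross a plain DNAT."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    # Signalling headers that tell the peer where to send replies.
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "contact"):
            for host in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", value):
                if ipaddress.ip_address(host).is_private:
                    findings.append(f"{name.strip()}: private address {host}")
    # The SDP body tells the peer where to send RTP audio.
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if ipaddress.ip_address(addr).is_private:
                findings.append(f"SDP c=: private media address {addr}")
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
            if not rtp_range[0] <= port <= rtp_range[1]:
                findings.append(f"SDP m=: RTP port {port} outside forwarded range")
    return findings

if __name__ == "__main__":
    for finding in audit_sip(SAMPLE_INVITE):
        print(finding)
```

A message whose Via, Contact and `c=` lines carry the public address (1.2.3.4 in the thread) and whose audio port falls inside 10000:20000 produces no findings.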




