[CentOS] ASTERISK BOX behind a firewall
Feizhou
feizhou at graffiti.net
Thu Sep 13 00:17:23 UTC 2007
Ross S. W. Walker wrote:
> Feizhou wrote:
>>>> asterisk <-> nat <-> nat <-> sip client = big pain in the neck.
>>>>
>>>> I have never managed to get this to work. Getting the below was trouble
>>>> enough. Forget about trying to get an asterisk box behind a nat to work
>>>> with clients outside.
>>>>
>>>> asterisk <-> nat <-> sip client.
>>> Yes, you will need a specific SIP iptables filter for this to
>>> work from behind a firewall.
>> Getting it to work with a firewall is not a problem...it is getting the
>> thing to work with a natting firewall that is the problem. If one end is
>> natted, you can still do some tricks to get it to work but if both ends
>> are natted, forget it.
>
> Well that was the idea behind the ipfilter stuff. It will change
> the IPs in the protocol stream to compensate for the NAT.
It looks like there is a netfilter sip conntrack module.
>
> I face the same problem trying to do H.323 behind a NAT'd firewall.
Man, I stopped playing with netmeeting and gnomemeeting quite some time
ago while waiting for ekiga to be available to support my video...only
that you cannot compile the thing on CentOS 4 without some major surgery.
>
>>> I know of an H.323 filter, but haven't explored SIP as we aren't
>>> running any SIP application here yet.
>>>
>>> Another possibility would be a SIP proxy installed on the
>>> firewall, but it is not as secure as a filter.
>> asterisk IS a sip proxy.
>
> Yes, well what I was hinting at was a dumbed-down install of
> asterisk installed ON the firewall that would be responsible
> for handing off calls coming in to and out of the network
> from/to another larger asterisk system.
You still have to set up the sip configuration to handle that. Not much
dumbing down on that aspect.
>
> That is the setup I had to do with GNU gatekeeper and H.323 since
> at the time I wasn't able to get the ipfilter h.323 filter to
> work properly with my Polycom system.
>
Ugh. Is that good luck with the sip conntrack module then?
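
What "change the IPs in the protocol stream to compensate for the NAT" involves, as an added example that is not part of the original thread and is not the netfilter module's code. It is a simplified model that rewrites addresses only (a real helper also remaps ports); the function names, the sample INVITE and the public address 203.0.113.5 are constructed for illustration.

```python
import ipaddress
import re

# Added illustration; helper names are hypothetical. RFC 1918 ranges are listed
# explicitly because ipaddress.is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_rfc1918(text):
    try:
        return any(ipaddress.ip_address(text) in net for net in RFC1918)
    except ValueError:  # loose regex can match non-addresses such as 999.1.1.1
        return False

def embedded_private_addrs(msg):
    """List (line prefix, address) for every RFC 1918 address carried in the SIP payload."""
    found = []
    for line in msg.split("\r\n"):
        for addr in IPV4.findall(line):
            if is_rfc1918(addr):
                found.append((re.split(r"[:=]", line, maxsplit=1)[0], addr))
    return found

def rewrite_for_nat(msg, public_ip):
    """Swap private addresses in Via, Contact and the SDP body, then fix Content-Length."""
    def swap(text):
        return IPV4.sub(lambda m: public_ip if is_rfc1918(m.group()) else m.group(), text)
    head, _, body = msg.partition("\r\n\r\n")
    body = swap(body)
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = swap(line)
        elif name == "content-length":  # body length changed with the address length
            line = "Content-Length: %d" % len(body.encode())
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body

# Constructed sample: INVITE from a client at 192.168.1.10 behind a NAT (all values made up).
_SDP = "\r\n".join(["v=0", "o=alice 1 1 IN IP4 192.168.1.10", "s=-",
                    "c=IN IP4 192.168.1.10", "t=0 0", "m=audio 49170 RTP/AVP 0", ""])
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@example.org>;tag=1", "To: <sip:bob@example.org>",
    "Call-ID: constructed-call-1", "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.10:5060>",
    "Content-Type: application/sdp", "Content-Length: %d" % len(_SDP), "", _SDP])
```

`embedded_private_addrs(SAMPLE_INVITE)` shows the four places (Via, Contact, SDP `o=` and `c=`) where the far end would otherwise be told to reply to an unroutable address.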