[CentOS] iptables on C5

Gordon Messmer gordon.messmer at gmail.com
Mon Oct 17 02:04:57 UTC 2016


On 10/16/2016 05:39 PM, Jerry Geis wrote:
> I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060
> udp. I have need to tcpenable=yes SIP and run that on port 5068.
> Since port 5060 is already running I was going to redirect 5068 to 5060.

Oh, yuck.  SIP includes information about an endpoint's address and port 
in the payload of its data.  The NAT helpers *should* rewrite that, but 
only if your payload isn't encrypted.  Asterisk can be configured with 
knowledge of its NATed address and port, but... Well, this all becomes 
kind of a mess.

It's best to avoid NAT wherever possible, in general, but more so with 
SIP than with some other common protocols.

> 192.168.10.201 is my machine, 192.168.1.3 is the other machine. 1.3 should
> connect to 10.201 on port 5068.
>
> so I did:
>
> iptables -t nat -A PREROUTING  -p tcp -d 192.168.10.201 --dport 5068 -j
> REDIRECT --to-port 5060
> iptables -t nat -A POSTROUTING         -p tcp -d 192.168.1.3    --dport
> 5060 -j REDIRECT --to-port 5068
>
> This did not seem to work. iptables -t nat -L -n -v shows packets going out
> to
> 1.3 but "0" on the input for 5068.

Is there a reason you can't configure asterisk to connect to 
192.168.1.3:5068, without using NAT?  And the reverse?  Can 192.168.1.3 
not connect to 5060?

And if you're not seeing packets hit that rule, are you really sure 
192.168.1.3 is sending packets to 192.168.10.201 port 5068?  Do you see 
them using a diagnostic tool like tcpdump?

> So then I added
>
> iptables -t nat -A OUTPUT -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT
> --to-port 5060
> iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1      --dport 5068 -j REDIRECT
> --to-port 5060

The output chain with a destination address of the local machine? I'm 
not really sure what you're trying to do here.

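A check for the counter question raised above, added here as an example (it is not code from either poster): it parses the output of `iptables -t nat -L PREROUTING -n -v` and reports whether the REDIRECT rule for a given protocol and destination port has matched any packets. The output text below is a constructed sample, not a capture from the machine in the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L PREROUTING -n -v` output
# (made up for this example, not taken from the poster's machine).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            192.168.10.201       tcp dpt:5068 redir ports 5060
   37  2220 REDIRECT   udp  --  *      *       0.0.0.0/0            192.168.10.201       udp dpt:5060 redir ports 5062'

# redirect_hits CHAIN_OUTPUT PROTO DPORT
# Prints the packet counter of the REDIRECT rule matching "PROTO dpt:DPORT".
# Exit status: 0 = rule has matched traffic, 1 = rule exists but has seen
# 0 packets (nothing is reaching it), 2 = no such rule in the chain.
redirect_hits() {
    _out=$1; _proto=$2; _port=$3
    # Columns: pkts bytes target prot opt in out source destination [match...]
    _pkts=$(printf '%s\n' "$_out" | awk -v p="$_proto" -v d="dpt:$_port" '
        $3 == "REDIRECT" && $4 == p {
            for (i = 10; i <= NF; i++) if ($i == d) { print $1; exit }
        }')
    [ -z "$_pkts" ] && return 2
    printf '%s\n' "$_pkts"
    [ "$_pkts" -gt 0 ]
}

# Live use (needs root):
#   redirect_hits "$(iptables -t nat -L PREROUTING -n -v)" tcp 5068
# A zero counter means the rule is fine syntactically but no matching
# packets arrive, which is when tcpdump on the interface is the next step.
```

Only PREROUTING and OUTPUT are worth checking this way: iptables does not accept the REDIRECT target in POSTROUTING.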