cannot get SIP Phone to work over iptables firewall
Hi there
I am using an iptables firewall based on Debian Etch and so far have been running against a wall getting my Gigaset C470 IP running.
I can make it ring on both sides, so it registers fine on port 5060 with the SIP provider server, but then there is no audio going through, from neither side to the other.
I know that you need the module ip_conntrack_sip loaded on the iptables machine, but so far that has helped nothing. Finding out which ports SIP uses is a needle in the haystack. Using fwbuilder to configure iptables, I have opened SIP, RTP and RTCP ports, tried to forward them directly to the device (through the NAT tab in fwbuilder, which is how you should do it, right?)
I know that the NAT is to blame, since I have connected the phone directly on the public internet address and that worked like a charm.
Is there any way I can tackle this problem, get a point where I can start finding the problem step by step?
I have 2 pictures, showing the firewall config, policy and nat rules, but don't know how to attach them here.
Quote:
Finding out which ports SIP uses is a needle in the haystack.
You should be able to identify the ports by using iptables/netfilter to log what is going on. You might already be logging the dropped packets (check /var/log/syslog). If not, or if that is not enough info,
Code:
iptables -A <INPUT | OUTPUT> <matching conditions> -j LOG
will log packets on the selected chain (INPUT or OUTPUT) that match the <matching conditions>. If no conditions are used, then all packets get logged.
Please note the following:
- You must be root to run the iptables command.
- I showed the command with -A (append), but -I (insert) might be more appropriate or easier. (See the iptables man page.)
- The packet must still be traversing the given chain to get logged. If it has already been ACCEPTed or DROPped by a previous rule, it won't get logged.
- This may be obvious, but just in case ... the log shows source port as SPT and destination port as DPT.
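The logging approach from the reply above, as an added example that is not part of the original thread: a small filter that reads LOG-target lines from syslog and counts packets per protocol, source and destination port, so the SIP and RTP ports the phone actually uses stand out. The function names, the `SIPDBG` prefix, the addresses and the sample lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example. Addresses, ports and the "SIPDBG" prefix are constructed.
# Rules of this form (run as root) write such lines to the kernel log:
#   iptables -I FORWARD -p udp -j LOG --log-prefix "SIPDBG "
#   iptables -I INPUT   -p udp -j LOG --log-prefix "SIPDBG "

# Constructed, shortened sample: phone 192.168.1.50, provider 203.0.113.10,
# firewall public address 198.51.100.7.
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 fw kernel: SIPDBG IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=560 TOS=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=540
Jan 10 12:00:02 fw kernel: SIPDBG IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=580 TOS=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=560
Jan 10 12:00:05 fw kernel: SIPDBG IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=200 TOS=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=16384 LEN=180
Jan 10 12:00:05 fw kernel: SIPDBG IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=200 TOS=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=16384 LEN=180
Jan 10 12:00:05 fw kernel: SIPDBG IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=200 TOS=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=16384 LEN=180
Jan 10 12:00:06 fw kernel: SIPDBG IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 LEN=200 TOS=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=16384 DPT=5004 LEN=180
EOF
}

# Reads syslog lines on stdin and prints
# "count PROTO SRC:SPT -> DST:DPT", busiest flow first.
summarise_ports() {
    awk '
    /SRC=/ && /DPT=/ {
        src = dst = proto = spt = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[proto " " src ":" spt " -> " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | summarise_ports
```

In the constructed sample, the last line has an empty `OUT=` field: it was logged on the INPUT chain, meaning the provider's audio reached the firewall's own address rather than being forwarded to the phone.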
Thanks for the tips. I have given it up and couldn't find a solution. There is not even any documentation for SIP phones, which ports they are using and which protocols. Sadly, this is the reason why you find many people on the net saying that they switched to Skype, "that just works". Skype might be a security hazard, but it surely does work.
That SIP was not designed to work over NAT is no help, 99% of all users use NAT and waiting for IPv6 will make us all get grey hair before it happens. I always smile at the ignorance when I hear a so-called decision maker manager state that "Haven't heard anything about IPv6 much, therefore it can't be taking hold"
You cannot feed managers with facts, they only eat marketing.
And what you did not hear about from several sources obviously can't be worth any consideration. ;-)