
browny_amiga 01-30-2008 05:36 AM

cannot get SIP Phone to work over iptables firewall
Hi there

I am using an iptables firewall based on Debian Etch and so far have been running against a wall getting my Gigaset C470 IP running.
I can make it ring on both sides, so it registers fine on port 5060 with the sip provider server, but then there is no audio going through, from neither side to the other.
I know that you need the module ip_conntrack_sip loaded on the iptables machine, but so far that has helped nothing. Finding out which ports SIP uses is a needle in the haystack. Using fwbuilder to configure iptables, I have opened SIP, RTP and RTCP ports, tried to forward them directly to the device (through the NAT tab in fwbuilder, which is how you should do it, right?)

I know that the NAT is to blame, since I have connected the phone directly on the public internet address and that worked like a charm.
Is there any way I can tackle this problem, get a point where I can start finding the problem step by step?

I have 2 pictures, showing the firewall config, policy and nat rules, but don't know how to attach them here.

thanks in advance for any pointers


blackhole54 01-31-2008 03:47 PM


Originally Posted by browny_amiga (Post 3039786)
Finding out which ports SIP uses is a needle in the haystack.

You should be able to identify the ports by using iptables/netfilter to log what is going on. You might already be logging the dropped packets (check /var/log/syslog). If not, or if that is not enough info,


iptables -A <INPUT | OUTPUT> <matching conditions> -j LOG
will log packets on the selected chain (INPUT or OUTPUT) that match the <matching conditions>. If no conditions are used, then all packets get logged.

Please note the following:
  • You must be root to run the iptables command
  • I showed the command with -A (append), but -I (insert) might be more appropriate or easier. (See the iptables man page)
  • The packet must still be traversing the given chain to get logged. If it has already been ACCEPTed or DROPped by a previous rule, it won't get logged.
  • This may be obvious, but just in case ... the log shows source port as SPT and destination port as DPT
I hope this gets you started.
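The logging approach described above, worked through as an added example that is not part of the thread. One caveat it builds in: a phone behind a NAT firewall is not the firewall itself, so its packets traverse the FORWARD chain rather than INPUT or OUTPUT, and the LOG rules are inserted at position 1 so that no earlier ACCEPT or DROP rule hides them. The phone address (192.168.1.50), the log prefixes, and the abridged syslog lines are all constructed for the example; on a real box the summary functions would read `grep 'SIP-' /var/log/syslog` instead.

```shell
#!/bin/sh
# Added example (not from the thread): log the phone's UDP traffic with the
# iptables LOG target and summarise the ports seen, so the RTP ports can be
# read off the log instead of guessed. Assumptions: the phone sits behind the
# firewall at 192.168.1.50 (constructed), so its packets traverse FORWARD, and
# the prefixes "SIP-IN: " / "SIP-OUT: " are chosen here.

# Step 1 (run as root on the firewall; defined but not executed here): insert the
# LOG rules at position 1 so no earlier ACCEPT/DROP rule hides the packets.
add_sip_log_rules() {
    phone="${1:-192.168.1.50}"
    iptables -I FORWARD 1 -s "$phone" -p udp -j LOG --log-prefix "SIP-OUT: " --log-level info
    iptables -I FORWARD 1 -d "$phone" -p udp -j LOG --log-prefix "SIP-IN: " --log-level info
}

# Constructed, abridged syslog lines in the shape the LOG target produces;
# a "DROP: " line is included to show that unrelated entries are ignored.
sample_log() {
    cat <<'EOF'
Jan 31 15:47:01 fw kernel: SIP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=540 TTL=63 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=520
Jan 31 15:47:01 fw kernel: SIP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.1.50 LEN=480 TTL=52 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=460
Jan 31 15:47:04 fw kernel: SIP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=200 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=10002 LEN=180
Jan 31 15:47:04 fw kernel: SIP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=200 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=10002 LEN=180
Jan 31 15:47:04 fw kernel: SIP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.20 DST=192.168.1.50 LEN=200 TTL=52 ID=0 DF PROTO=UDP SPT=10002 DPT=5004 LEN=180
Jan 31 15:47:05 fw kernel: SIP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.20 LEN=200 TTL=63 ID=0 DF PROTO=UDP SPT=5004 DPT=10002 LEN=180
Jan 31 15:47:05 fw kernel: SIP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.20 DST=192.168.1.50 LEN=200 TTL=52 ID=0 DF PROTO=UDP SPT=10002 DPT=5004 LEN=180
Jan 31 15:47:09 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=5840
EOF
}

# Step 2: count (direction, protocol, destination port) over log lines read from
# stdin, e.g.  grep 'SIP-' /var/log/syslog | summarize_ports
# Output lines look like "3 SIP-OUT: UDP DPT=10002", most frequent first.
summarize_ports() {
    grep -E 'SIP-(IN|OUT): ' | awk '{
        dir = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SIP-(IN|OUT):$/) { dir = $i }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/) { dpt = substr($i, 5) }
        }
        if (dir != "" && dpt != "") count[dir " " proto " DPT=" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Step 3: distinct destination ports on packets delivered to the phone. These
# are the only ports a NAT forward needs to cover: the SIP port plus whatever
# RTP port the phone actually chose, rather than a broad range.
inbound_ports() {
    grep 'SIP-IN: ' | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Run stand-alone: summarise the constructed sample instead of /var/log/syslog.
sample_log | summarize_ports
echo "inbound ports to forward: $(sample_log | inbound_ports)"
```

Once the real RTP port shows up in the SIP-IN lines, the LOG rules can be deleted with the matching `iptables -D FORWARD ...` commands, since they are noisy and not meant to stay in place.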

browny_amiga 02-11-2008 06:54 PM

Thanks for the tips. I have given it up and couldn't find a solution. There is not even any documentation for SIP phones, which ports they are using and which protocols. Sadly, this is the reason why you find many people on the net saying that they switched to Skype, "that just works". Skype might be a security hazard, but it surely does work.
That SIP was not designed to work over NAT is no help, 99% of all users use NAT and waiting for IPV6 will make us all get grey hair before it happens. I always smile at the ignorance when I hear a so-called decision-maker manager state that "Haven't heard anything about IPV6 much, therefore it can't be taking hold"
You cannot feed managers with facts, they only eat marketing.
And what you did not hear about from several sources obviously can't be worth any consideration. ;-)
