LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   IPTable / Conntrack VoIP Issue (https://www.linuxquestions.org/questions/linux-networking-3/iptable-conntrack-voip-issue-4175435896/)

smartbyte 11-06-2012 07:59 AM
IPTable / Conntrack VoIP Issue
 
Hi guys,

I know this might have been discussed a thousand times, but actually, I think, not often enough.
First my situation:
I have a private network, iptables NATed of cause! then I have a Xen-VoIP-Server(Asterisk) and at last a VoIP provider.
What I like to do is initiate VoIP calls over my VoIP Server and send the data (RTP audio stream) directly to my provider. The would work pretty good if ther wasn't my iptables NAT.

What my NAT is doing or what it is not doing is pretty easy:
For some reason my phone (Android CSIPSimple) does a stun lookup on the same port (source port of the packet) it will later on use for the RTP VoIP stream. So the Linux conntrack "sees" this successful connection, and once my phone tries to use the same source port for the RTP connection to the VoIP server, the conntrack module does a port mapping ... Which is not needed as we are talking about the UDP protocol. It is O.K. to use one UDP port with many PC's.
Does anyone know how to change my setup to get this working, or is it simply impossible. Is conntrack that stupid and cannot handle these kind od connections (our CISCO router at work doesn't seem to have a problem with this setup...)

Here is my setup:
Linux NAT Box:
Code:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.0.0/16
(I tried it with SNAT as well, but that doesn't make a difference)

and this is my Conntrack -E log for this connection:
Code:
smartbyte:~ # conntrack -E
# Here is the STUN-Part
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890
[UPDATE] udp      17 59 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608
[UPDATE] udp      17 59 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890
[UPDATE] udp      17 600 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608 [ASSURED]
[UPDATE] udp      17 600 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890 [ASSURED]
# STUN ended - Two connections assureds, ports: 44608 and 57890
# Now we try to connect to the VoIP Server source port 44608 and 57890
[NEW] udp      17 60 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=44608 [UNREPLIED] src=114.XX.234.123 dst=122.XX.115.203 sport=44608 dport=10020
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=57890 dport=10021 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10021 dport=57890
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030
# And from that point on it goes down the drain!
# Se the port mapping to port 1030!!!???!!!! Why?!
[UPDATE] udp      17 59 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030
[UPDATE] udp      17 600 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030 [ASSURED]
# The connection is assured, because Asterisk is basically listening to everything on that port and changes the port it send the data back
# But my VoIP Provider is not that intelligent. :-((( F!
[NEW] udp      17 60 src=192.168.1.38 dst=62.52.147.185 sport=44608 dport=35642 [UNREPLIED] src=62.52.147.185 dst=114.XX.234.123 sport=35642 dport=1030
[NEW] udp      17 60 src=62.52.147.185 dst=114.XX.234.123 sport=35642 dport=44608 [UNREPLIED] src=114.XX.234.123 dst=62.52.147.185 sport=44608 dport=35642
[NEW] udp      17 60 src=62.52.147.185 dst=114.XX.234.123 sport=35643 dport=44609 [UNREPLIED] src=114.XX.234.123 dst=62.52.147.185 sport=44609 dport=35643
[NEW] udp      17 60 src=192.168.1.38 dst=62.52.147.185 sport=57890 dport=35643 [UNREPLIED] src=62.52.147.185 dst=114.XX.234.123 sport=35643 dport=57890
Please can anyone tell me what I am doing wrong? Is ther a switch somewhere to disable port mapping for the UDP protocol? (And have a real symmetric NAT?)

Please I need that fixed! Any help appreciated, even if you can point me to the responsible person for the conntrack module.

Thanks for any answer, SB.

smartbyte 11-12-2012 08:37 PM
Please guys, I need some help with this!
 
Isn't there anyone who can help with this issue? I know it's pretty detailed, but doesn't anyone see the problem here?
If that is not fixed, you can forget VoIP,

then Linux NAT is the worst NAT you can get, which shouldn't be the case...


All times are GMT -5. The time now is 07:21 AM.