LinuxQuestions.org
Old 11-06-2012, 07:59 AM   #1
smartbyte
IPTable / Conntrack VoIP Issue


Hi guys,

I know this might have been discussed a thousand times, but actually, I think, not often enough.
First my situation:
I have a private network, iptables NATed of course! Then I have a Xen VoIP server (Asterisk) and at last a VoIP provider.
What I like to do is initiate VoIP calls over my VoIP server and send the data (RTP audio stream) directly to my provider. This would work pretty well if there wasn't my iptables NAT.

What my NAT is doing or what it is not doing is pretty easy:
For some reason my phone (Android CSipSimple) does a STUN lookup on the same port (source port of the packet) it will later on use for the RTP VoIP stream. So the Linux conntrack "sees" this successful connection, and once my phone tries to use the same source port for the RTP connection to the VoIP server, the conntrack module does a port mapping... which is not needed, as we are talking about the UDP protocol. It is O.K. to use one UDP port with many PCs.
Does anyone know how to change my setup to get this working, or is it simply impossible? Is conntrack that stupid that it cannot handle this kind of connection (our Cisco router at work doesn't seem to have a problem with this setup...)?

Here is my setup:
Linux NAT Box:
Code:
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.0.0/16
(I tried it with SNAT as well, but that doesn't make a difference)

and this is my conntrack -E log for this connection:
Code:
smartbyte:~ # conntrack -E
# Here is the STUN-Part
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890
[UPDATE] udp      17 59 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608
[UPDATE] udp      17 59 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890
[UPDATE] udp      17 600 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608 [ASSURED]
[UPDATE] udp      17 600 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890 [ASSURED]
# STUN ended - two connections assured, ports: 44608 and 57890
# Now we try to connect to the VoIP server from source ports 44608 and 57890
[NEW] udp      17 60 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=44608 [UNREPLIED] src=114.XX.234.123 dst=122.XX.115.203 sport=44608 dport=10020
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=57890 dport=10021 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10021 dport=57890
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030
# And from that point on it goes down the drain!
# See the port mapping to port 1030!!!???!!!! Why?!
[UPDATE] udp      17 59 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030
[UPDATE] udp      17 600 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030 [ASSURED]
# The connection is assured, because Asterisk is basically listening to everything on that port and changes the port it sends the data back to
# But my VoIP Provider is not that intelligent. :-((( F!
[NEW] udp      17 60 src=192.168.1.38 dst=62.52.147.185 sport=44608 dport=35642 [UNREPLIED] src=62.52.147.185 dst=114.XX.234.123 sport=35642 dport=1030
[NEW] udp      17 60 src=62.52.147.185 dst=114.XX.234.123 sport=35642 dport=44608 [UNREPLIED] src=114.XX.234.123 dst=62.52.147.185 sport=44608 dport=35642
[NEW] udp      17 60 src=62.52.147.185 dst=114.XX.234.123 sport=35643 dport=44609 [UNREPLIED] src=114.XX.234.123 dst=62.52.147.185 sport=44609 dport=35643
[NEW] udp      17 60 src=192.168.1.38 dst=62.52.147.185 sport=57890 dport=35643 [UNREPLIED] src=62.52.147.185 dst=114.XX.234.123 sport=35643 dport=57890
Please can anyone tell me what I am doing wrong? Is there a switch somewhere to disable port mapping for the UDP protocol? (And have a real symmetric NAT?)

Please I need that fixed! Any help appreciated, even if you can point me to the responsible person for the conntrack module.

Thanks for any answer, SB.
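To make the remapping in the log above checkable rather than a matter of reading tuples by eye, here is an added Python script (not from the post) that replays the NEW events through a simplified model of how netfilter picks the public source port for a masqueraded UDP flow: it first retries the most recent existing mapping for the same LAN source and port, and falls back to a fresh port when the reply tuple that mapping would need is already owned by another conntrack entry. The 192.168. LAN prefix is an assumption; the addresses are the ones from the log, XX included.

```python
import re

# Lines copied from the conntrack -E output in the post above (NEW events only).
SAMPLE_LOG = """
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=44608 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=44608
[NEW] udp      17 60 src=192.168.1.38 dst=216.93.246.14 sport=57890 dport=3478 [UNREPLIED] src=216.93.246.14 dst=114.XX.234.123 sport=3478 dport=57890
[NEW] udp      17 60 src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=44608 [UNREPLIED] src=114.XX.234.123 dst=122.XX.115.203 sport=44608 dport=10020
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=57890 dport=10021 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10021 dport=57890
[NEW] udp      17 60 src=192.168.1.38 dst=122.XX.115.203 sport=44608 dport=10020 [UNREPLIED] src=122.XX.115.203 dst=114.XX.234.123 sport=10020 dport=1030
[NEW] udp      17 60 src=192.168.1.38 dst=62.52.147.185 sport=44608 dport=35642 [UNREPLIED] src=62.52.147.185 dst=114.XX.234.123 sport=35642 dport=1030
""".strip().splitlines()

LINE_RE = re.compile(
    r"\[(?P<ev>NEW|UPDATE|DESTROY)\] +udp +\d+ +\d+ +"
    r"src=(?P<os>\S+) dst=(?P<od>\S+) sport=(?P<osp>\d+) dport=(?P<odp>\d+)(?: \[UNREPLIED\])? +"
    r"src=(?P<rs>\S+) dst=(?P<rd>\S+) sport=(?P<rsp>\d+) dport=(?P<rdp>\d+)")

def parse(line):
    """Return (event, original_tuple, reply_tuple); tuples are (src, sport, dst, dport)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return (g["ev"], (g["os"], int(g["osp"]), g["od"], int(g["odp"])),
            (g["rs"], int(g["rsp"]), g["rd"], int(g["rdp"])))

def find_remaps(lines, lan_prefix="192.168."):
    """Simplified model of netfilter SNAT port selection, replayed over NEW events in order.
    Returns one dict per outbound entry whose public port differs from the LAN source port."""
    tuples = []     # original and reply tuple of every entry created so far
    by_source = {}  # (LAN ip, LAN port) -> public port of the most recent mapping for that source
    remaps = []
    for line in lines:
        p = parse(line)
        if p is None or p[0] != "NEW":
            continue
        _, (osrc, osport, odst, odport), (rsrc, rsport, rdst, rdport) = p
        if osrc.startswith(lan_prefix):                        # outbound: SNAT/MASQUERADE applies (assumed prefix)
            proposed = by_source.get((osrc, osport), osport)   # an existing mapping is tried first
            wanted = (rsrc, rsport, rdst, proposed)            # reply tuple that mapping would need
            clash = wanted in tuples                           # already owned by another entry?
            if rdport != osport:
                reason = (f"reply tuple {wanted} already in use, fresh port allocated" if clash
                          else f"reused existing mapping {osport}->{proposed}")
                remaps.append({"lan": (osrc, osport), "peer": (odst, odport),
                               "public_port": rdport, "clash": clash, "reason": reason})
            by_source[(osrc, osport)] = rdport
        tuples += [(osrc, osport, odst, odport), (rsrc, rsport, rdst, rdport)]
    return remaps
```

Run over the posted log it flags two entries: the phone's 44608 -> 10020 flow, whose preferred reply tuple is already held by the inbound 10020 -> 44608 entry that the VoIP server's packet created first, and the later flow to the provider, which simply inherits the 1030 mapping.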
 
Old 11-12-2012, 08:37 PM   #2
smartbyte
Please guys, I need some help with this!

Isn't there anyone who can help with this issue? I know it's pretty detailed, but doesn't anyone see the problem here?
If that is not fixed, you can forget VoIP; then Linux NAT is the worst NAT you can get, which shouldn't be the case...
 
  

