LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-22-2010, 11:41 AM   #1
machu_nair
LQ Newbie
 
Registered: Nov 2010
Posts: 1

Rep: Reputation: 0
Conntrack - Iptables - SIP


Hi Everyone,

Have a VoIP network with VoIP/SIP soft clients behind a Linux Firewall(CentOS 5.5) running Conntrakd and iptables.

i have SIP port enabled and a DNAT rule to allow incoming connections on Port X directly re-routed to the client that is listening on port Y.

When the client registers to a Registrar on the public internet, all SIP responses are allowed by the firewall and forwarded to the client. Incoming call attempts(INVITE) is also allowed because it comes from the same Registrar. NAT/PAT is done correctly using random ports but if it is the first time, it sticks with 5060.

However, when I send a message from a different server to the same port(public IP address/port of the firewall that was sent in the SIP REGISTER message), it does not get NAT/PAT and the firewall drops it with an ICMP host not reachable(port not reachable) error code.

The conntrack module shows this connection as REPLIED while The connection to the Registrar shows as ASSURED. An attempt to manually change the state also gave an error.

Is there a way to have the state-full firewall, and at the same time have conntrack/iptables not drop the incoming packet from a different address? Any/All assistance is greatly appreciated.

Thanks in advance
Nair
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables & Kernel Config To Do Conntrack of Bittorrent Traffic mrmnemo Linux - Networking 21 08-05-2010 08:04 AM
IPTables/Conntrack MikeQ Linux - Server 1 08-04-2009 02:02 PM
Using sip-conntrack-nat batrams Slackware 1 11-21-2008 08:53 AM
iptables conntrack concepts question eantoranz Linux - Networking 0 01-06-2005 09:59 AM
iptables & conntrack f1uke Linux - Security 2 12-02-2003 11:11 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration