Old 11-22-2010, 10:41 AM   #1
LQ Newbie
Registered: Nov 2010
Posts: 1

Rep: Reputation: 0
Conntrack - Iptables - SIP

Hi Everyone,

Have a VoIP network with VoIP/SIP soft clients behind a Linux firewall (CentOS 5.5) running conntrackd and iptables.

I have the SIP port enabled and a DNAT rule to allow incoming connections on port X to be directly re-routed to the client that is listening on port Y.

When the client registers to a Registrar on the public internet, all SIP responses are allowed by the firewall and forwarded to the client. Incoming call attempts (INVITE) are also allowed because they come from the same Registrar. NAT/PAT is done correctly using random ports, but if it is the first time, it sticks with 5060.

However, when I send a message from a different server to the same port (public IP address/port of the firewall that was sent in the SIP REGISTER message), it does not get NAT/PAT and the firewall drops it with an ICMP host not reachable (port not reachable) error code.

The conntrack module shows this connection as REPLIED while the connection to the Registrar shows as ASSURED. An attempt to manually change the state also gave an error.

Is there a way to have the stateful firewall, and at the same time have conntrack/iptables not drop the incoming packet from a different address? Any/all assistance is greatly appreciated.

Thanks in advance
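As an added illustration (not part of the original post), here is a small Python model of how conntrack keys a UDP flow on its full 5-tuple and how NAT then decides what to do with an inbound packet: a reply from the tracked Registrar is de-NATed, while a packet from any other address to the same public port is a new flow that is only admitted by an explicit DNAT rule, ideally one limited to known SIP peers. Addresses are from the RFC 5737 documentation ranges and the state names only approximate the kernel's UNREPLIED/ASSURED flags.

```python
from dataclasses import dataclass, field

@dataclass
class Conntrack:
    """Toy model of conntrack + NAT for UDP (constructed, not kernel code)."""
    public_ip: str
    # static DNAT: public_port -> (inside_ip, inside_port, allowed_sources or None)
    dnat: dict = field(default_factory=dict)
    entries: dict = field(default_factory=dict)  # reply-direction key -> flow
    used_ports: set = field(default_factory=set)
    next_port: int = 1024

    def _pick_port(self, wanted):
        # MASQUERADE keeps the client's source port while it is free; once
        # taken, the next free port is used (looks "random" to the client)
        port = wanted if wanted not in self.used_ports else None
        if port is None:
            while self.next_port in self.used_ports:
                self.next_port += 1
            port = self.next_port
        self.used_ports.add(port)
        return port

    def outbound(self, src, sport, dst, dport):
        """Client sends REGISTER out: create the flow, return the wire 5-tuple."""
        pub_port = self._pick_port(sport)
        # key = how the Registrar's answer will look on the wire
        self.entries[("udp", dst, dport, self.public_ip, pub_port)] = {
            "inside": (src, sport), "state": "UNREPLIED"}
        return ("udp", self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dport):
        """Return (inside_ip, inside_port, state), or None if the packet is rejected."""
        flow = self.entries.get(("udp", src, sport, self.public_ip, dport))
        if flow:  # exact 5-tuple match: reply to a tracked flow, de-NAT it
            flow["state"] = "ASSURED" if flow["state"] != "UNREPLIED" else "REPLIED"
            return (*flow["inside"], flow["state"])
        rule = self.dnat.get(dport)  # anything else is NEW: only a DNAT rule lets it in
        if rule and (rule[2] is None or src in rule[2]):
            return (rule[0], rule[1], "NEW")
        return None  # no flow, no rule: rejected (ICMP port unreachable)
```

A second client registering from its own port 5060 gets a different public port, which is the "random port" behaviour described above; a different server sending to the first client's public port finds no matching flow and is rejected unless a DNAT rule for that port names it as an allowed source.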
