Configure iptables

SIP conntrack/NAT extension

The SIP conntrack/NAT extension supports the connection tracking/NATing of the data streams requested on the dynamic RTP/RTCP ports of a SIP session, as well as mangling of SIP requests/responses.

The SIP conntrack/NAT extension for netfilter/iptables is currently available from netfilter patch-o-matic.

The SIP conntrack/NAT extension is available in the mainline kernel as of 2.6.18.

Documentation is available here.

Installation

  • Perform a backup of your current kernel, kernel sources and .config
  • Download iptables snapshot from ftp://ftp.netfilter.org/pub/iptables/snapshot/
  • Download patch-o-matic snapshot from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
  • Unpack iptables snapshot
  • Unpack patch-o-matic-ng snapshot
  • Create symlink for iptables and patch-o-matic-ng
  • cd into patch-o-matic-ng directory
  • Apply patch to kernel sources (./runme sip-conntrack-nat)
  • Enable the module (CONFIG_IP_NF_NAT_SIP=y and CONFIG_IP_NF_SIP=y, or via the kernel config menu: "Device drivers, Networking support, Networking options, Network packet filtering, IP: Netfilter configuration, SIP support")
  • Build new kernel (make && make modules_install)
  • Reboot
  • Load the SIP conntrack and NAT modules (modprobe ip_conntrack_sip; modprobe ip_nat_sip)
  • Add rule for SIP signalling traffic (usually port 5060)

Using SIP conntrack/NAT

Load the modules

modprobe ip_conntrack_sip
modprobe ip_nat_sip

Note: ip_conntrack_sip accepts up to 8 SIP ports in its ports= parameter, separated by commas:

modprobe ip_conntrack_sip ports=5060

Set IPtables filter rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

Set IPtables NAT rules

iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ip.add.dr.ess
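The rule set above, rendered by an added example script (not part of the original page): it validates the comma-separated SIP port list against the 8-port limit of ip_conntrack_sip, prints the modprobe, filter and NAT commands for a given WAN interface, port list and SNAT address, and applies them only when APPLY=1 and run as root. The variable names WAN_IF, SIP_PORTS and SNAT_IP are assumptions, and the FORWARD ESTABLISHED,RELATED rule is an addition so that the RTP/RTCP streams the helper expects are also forwarded.

```shell
#!/bin/sh
# Added example: render/apply the SIP conntrack/NAT rule set from this page.

# ip_conntrack_sip accepts at most 8 SIP ports; each must be numeric 1..65535.
# Returns 0 when the list is valid, 1 otherwise.
validate_sip_ports() {
    ports=$1
    count=0
    oldifs=$IFS
    IFS=,
    for p in $ports; do
        case $p in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { IFS=$oldifs; return 1; }
        count=$((count + 1))
    done
    IFS=$oldifs
    [ "$count" -ge 1 ] && [ "$count" -le 8 ]
}

# Print the commands that load the helpers and install the filter/NAT rules.
# Arguments: WAN interface, comma-separated SIP ports, SNAT source address.
sip_firewall_rules() {
    wan_if=$1; ports=$2; snat_ip=$3
    validate_sip_ports "$ports" || { echo "invalid SIP port list: $ports" >&2; return 1; }
    cat <<EOF
modprobe ip_conntrack_sip ports=$ports
modprobe ip_nat_sip
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports $ports -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $wan_if -p udp -m multiport --dports $ports -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan_if -j SNAT --to-source $snat_ip
EOF
}

# Apply only when explicitly requested and running as root; otherwise dry-run.
# WAN_IF, SIP_PORTS and SNAT_IP are assumed environment variables (placeholders).
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    sip_firewall_rules "${WAN_IF:-eth0}" "${SIP_PORTS:-5060}" "${SNAT_IP:?set SNAT_IP}" | sh -e
else
    sip_firewall_rules "${WAN_IF:-eth0}" "${SIP_PORTS:-5060}" "${SNAT_IP:-ip.add.dr.ess}"
fi
```

Run it without APPLY=1 first and review the printed commands before letting it apply them.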

Testing iptables

IPTState

IPTState is a top-like display of IPtables state table entries.

  • IPTState project page
  • IPTState Freshmeat page

conntrack

conntrack is a command-line program for listing, querying, deleting and updating entries in the connection tracking table. It also supports real-time tracing of connection tracking state changes (conntrack events).

  • IPtables conntrack news announcement

Use case 1: host-based firewall for sipX mediaserver

The module has been successfully tested on a host running sipX mediaserver. After call setup, both UDP ports (the RTP and RTCP streams) are set up and kept alive until 30 seconds after call termination.