SIP conntrack/NAT extension

The SIP conntrack/NAT extension supports the connection tracking/NATing of the data streams requested on the dynamic RTP/RTCP ports of a SIP session, as well as mangling of SIP requests/responses.

SIP conntrack/NAT extension for netfilter/iptables is currently available from netfilter patch-o-matic.

SIP conntrack/NAT extension is available in the mainstream kernel as of 2.6.18.

Documentation is available here.

Installation

Perform a backup of your current kernel, kernel sources and .config
Download iptables snapshot from ftp://ftp.netfilter.org/pub/iptables/snapshot/
Download patch-o-matic snapshot from ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
Unpack iptables snapshot
Unpack patch-o-matic-ng snapshot
Create symlink for iptables and patch-o-matic-ng
cd into patch-o-matic-ng directory
Apply patch to kernel sources (./runme sip-conntrack-nat)
Enable module (CONFIG_IP_NF_NAT_SIP=y and CONFIG_IP_NF_SIP=y or "Device drivers, Networking support, Networking options, Network packet filtering, IP: Netfilter configuration, SIP support)
Build new kernel (make && make modules_install)
Reboot
Load SIP conntrack and NAT module (modprobe ip_conntrack_sip ip_nat_sip)
Add rule for SIP signalling traffic (usually port 5060)

Using SIP conntrack/NAT

Load the modules

modprobe ip_conntrack_sip ip_nat_sip

Note: ip_conntrack_sip allows up to 8 SIP ports, separated by commas

modprobe ip_conntrack_sip ports=5060

Set IPtables filter rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

Set IPtables NAT rules

iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ip.add.dr.ess

Testing iptables

IPTState

IPTState is a top-like display of IPtables state table entries.

IPTState project page
IPTState Freshmeat page
conntrack
IPtables conntrack news announcement
conntrack is a commandline program for listing, querying, deleting, updating entries in the connection tracking table. It also supports real-time tracing of connection tracking state changes (conntrack events).
Use case 1: host-based firewall for sipX mediaserver
The module has been successfully tested on a host running sipX mediaserver. After call setup, both udp ports are set up and kept alive until 30 seconds after call termination.

Browser not supported