You're having fits with SIP traffic because it's difficult to get it past NAT firewalls. You could put your Asterisk server in your DMZ, if you have a spare routable public IP address. Or, you could use some kind of a SIP proxy, but those come with a different kind of pain. Can't you just schlep those SIP packets through your NAT-ed iptables firewall with connection tracking?
Yes, you can, thanks to the shiny new iptables SIP connection-tracking module. It comes with the 2.6.18 Linux kernel, or you can use Netfilter's Patch-O-Matic to apply it to older kernels. If you have a 2.6.18 kernel or newer, look in /boot/config-[kernel version] to see if SIP connection tracking is already enabled. Look for:
CONFIG_IP_NF_NAT_SIP=y
CONFIG_IP_NF_SIP=y
If you see those magic words, then all you need are a few iptables rules in your iptables script, and to load the kernel modules. This example is for a standalone NAT firewall and router that forwards your SIP traffic to a separate Asterisk server with a private IP address of 192.168.1.25, and follows the conventions in Chapter 3:
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --dport 5060 -j DNAT --to-destination 192.168.2.25:5060
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $DMZ_IFACE -d 192.168.2.25 --dport 5060 -j ACCEPT
These rules are for an Asterisk server with a public IP address that is directly exposed to the Internet:
$ipt -A INPUT -p udp --dport 5060 -j ACCEPT
$ipt -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
Put this in your iptables script to load the modules:
modprobe ip_conntrack_sip
modprobe ip_nat_sip
Reload your iptables rules, and you're in business.
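The check-and-forward steps above, gathered into a small script. This is an added example, not the book's own code: $ipt, $WAN_IFACE and $DMZ_IFACE follow the Chapter 3 conventions, while the function names and the 192.168.2.25 default are this example's own. It goes a little beyond the text by accepting both the old and the newer config and module names, and by forwarding UDP as well as TCP, since SIP signalling runs over UDP 5060 by default.

```shell
#!/bin/sh
# Added example (not from the book): verify SIP conntrack support in a kernel
# config, load the helper modules, and print the forwarding rules.

# Return 0 if the kernel config enables both SIP conntrack and SIP NAT.
# Matches the 2.6.18 names (CONFIG_IP_NF_SIP, CONFIG_IP_NF_NAT_SIP) and the
# nf_conntrack names later kernels use (CONFIG_NF_CONNTRACK_SIP,
# CONFIG_NF_NAT_SIP), whether built in (=y) or built as a module (=m).
sip_conntrack_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    grep -Eq '^CONFIG_(IP_NF|NF_CONNTRACK)_SIP=[ym]' "$cfg" &&
    grep -Eq '^CONFIG_(IP_NF_NAT|NF_NAT)_SIP=[ym]' "$cfg"
}

# Print the PREROUTING DNAT and FORWARD rules that send SIP signalling from
# the WAN interface to the Asterisk box on the DMZ, for UDP and TCP alike.
# The RTP streams the helper opens show up as RELATED, so the firewall script
# must also carry its usual "--state RELATED,ESTABLISHED -j ACCEPT" FORWARD rule.
sip_forward_rules() {
    wan="$1"; dmz="$2"; sip_server="${3:-192.168.2.25}"
    ipt="${ipt:-iptables}"
    for proto in udp tcp; do
        echo "$ipt -t nat -A PREROUTING -p $proto -i $wan --dport 5060 -j DNAT --to-destination ${sip_server}:5060"
        echo "$ipt -A FORWARD -p $proto -i $wan -o $dmz -d $sip_server --dport 5060 -j ACCEPT"
    done
}

# Load the SIP helper modules under whichever names this kernel ships them:
# the older ip_conntrack_sip/ip_nat_sip pair, or nf_conntrack_sip/nf_nat_sip.
load_sip_modules() {
    { modprobe ip_conntrack_sip && modprobe ip_nat_sip; } 2>/dev/null ||
    { modprobe nf_conntrack_sip && modprobe nf_nat_sip; }
}

# Typical use from an iptables script (root is needed to load modules):
#   sip_conntrack_enabled "/boot/config-$(uname -r)" || exit 1
#   load_sip_modules
#   sip_forward_rules "$WAN_IFACE" "$DMZ_IFACE" | sh
```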
If you don't have kernel support already, you can patch kernels back to version 2.6.11. You need complete kernel sources (not just headers), a 2.6.11 kernel or newer, and iptables sources. I'm going to skip how to set up a kernel build environment; please visit the See Also section for kernel building references.
Once you have a kernel build environment ready to go, fetch the current stable iptables source tarball from Netfilter.org (http://netfilter.org/projects/iptables/downloads.html). Verify the md5sum, and unpack the tarball into whatever directory you want.
Then, download the latest Patch-O-Matic (ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/snapshot). Verify the md5sum. Unpack the tarball into a directory of your choice, and change to its top-level directory. Apply the sip-conntrack-nat patch to the kernel sources with this command. You'll need to tell it the file paths to your kernel and iptables sources:
$ ./runme sip-conntrack-nat
/home/carla/lib/iptables/
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux]
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]
Welcome to Patch-o-matic ($Revision$)!
You'll get some informational output, and then:
The SIP conntrack/NAT modules support the connection tracking/NATing of the data streams requested on the dynamic RTP/RTCP ports, as well as mangling of SIP requests/responses.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
Type y, and the patch is applied.
Now, you must compile a new kernel. When you configure your kernel, be sure to select the SIP support option in Networking → Networking support → Networking options → Network packet filtering → IP: Netfilter Configuration.
Install the new kernel, make and reload your iptables rules, and you're in business.
You may install iptables sources with Yum on CentOS:
# yum install iptables-devel
On Debian, run:
# apt-get install iptables-dev
Every Linux distribution has its own kernel-building tools—Debian users can follow Chapter 7 of the Debian Reference Manual (http://www.debian.org/doc/manuals/reference/ch-kernel.en.html); CentOS (and Red Hat and Fedora) users can refer to the instructions in their release notes.
Chapter 10, "Patching, Customizing, and Upgrading Kernels," in Linux Cookbook, by Carla Schroder (O'Reilly)
Appendix C