AW: [Shorewall-users] SIP VoIP Config Question

Sascha Knific knific at k-sysdes.net
Thu Mar 4 08:01:46 PST 2004


Hi Andrei

so what is the result? Is it that it's basically working, you can hear the
other but the other doesn't hear you? With every client software you
have tried?

Try checking your shorewall log while you are placing a call ("tail -f
/var/log/messages") and check for rejected or dropped packets.

Try port forwarding to your SIP client.

rules
-----
DNAT	net	loc:<IP Address of your SIP client>		udp	5060
DNAT	net	loc:<IP Address of your SIP client>		udp	8000:8010
-----

Or read this: http://www.sipcenter.com/files/SIPNATtraversal.pdf

I haven't read it myself but it should help you.

If you are going to use multiple SIP clients/phones in your internal
network consider placing a SIP proxy in between. It makes some things
easier.

Regards
Sascha

-------------------------------------------------------
Sascha Knific           K Systems & Design
Tel. +49-8151-773260    Wittelsbacherstr. 6a
Fax. +49-8151-773262    82319 Starnberg, Germany
knific at k-sysdes.net     http://www.k-sysdes.net


> -----Original Message-----
> From: shorewall-users-bounces at lists.shorewall.net [mailto:shorewall-users-bounces at lists.shorewall.net] On Behalf Of Andrei Verovski (aka MacGuru)
> Sent: Thursday, 4 March 2004 16:26
> To: Mailing List for Experienced Shorewall Users
> Subject: Re: AW: [Shorewall-users] SIP VoIP Config Question
> 
> Hi, Sascha,
> 
> Thank you very much for the reply. I have put a comment below...
> 
> On Mar 4, 2004, at 16:41, Sascha Knific wrote:
> 
> > Hi Andrei
> >
> > There is nothing wrong with shorewall but with your configuration.
> >
> >> -------------
> >> ---   masq   ---
> >> -------------
> >> eth0	eth1	62.85.100.103
> >
> > So your internal LAN is behind a SNAT.
> >
> 
> SIP clients should work behind SNAT. I have specified the NAT address in
> the SIP client prefs.
> 
> 
> >> ------------
> >> --- policy ----
> >> ------------
> >> loc		net		ACCEPT
> >> fw		net		ACCEPT
> >> fw		loc		ACCEPT
> >> net		all		DROP		info
> >>
> >> # THE FOLLOWING POLICY MUST BE LAST
> >> all		all		REJECT		info
> >
> > Fine.
> >
> >> -------------
> >> ---   rules   ---
> >> ------------
> >> # SIP Client Ports
> >>
> >> ACCEPT	loc	net	tcp	5060	5060
> >> ACCEPT	loc	net	udp	5060	5060
> >> ACCEPT	loc	net	udp	8000:8020	8000:8020
> >
> > Why are you doing this? Look at the first rule of your policy file. So
> > we can take out these three lines.
> 
> The rule (which allows all connections from loc to net) will be changed
> in the future, when I finish the SIP setup.
> 
> >
> >> ACCEPT	net	loc	tcp	5060	5060
> >> ACCEPT	net	loc	udp	5060	5060
> >> ACCEPT	net	loc	udp	8000:8020	8000:8020
> >
> > These three lines are also not necessary as your SIP clients & phones
> > register with SER. So take them out. They really make no sense in your
> > configuration.
> 
> OK.
> 
> >
> >> ACCEPT	net	fw	tcp	5060	5060
> >> ACCEPT	net	fw	udp	5060	5060
> >> ACCEPT	net	fw	udp	8000:8020	8000:8020
> >
> > Do you have any SIP software running ON your firewall? If not then take
> > out these three lines.
> >
> 
> Yes, I have tried to run a SIP client (linphone and kphone) on the firewall
> machine. It does not work either.
> 
> > And then try again and report.
> >
> > Sascha
> >
> 
> Well, the problem is that NONE of my rules block or disturb SIP. I
> think I have missed something, but cannot understand what. I have tried
> SIP clients from Mac, Win and Linux, with the same result.
> 
> 
> *********************************************
> *   Best Regards   ---   Andrei Verovski
> *
> *   Personal Home Page
> *   http://snow.prohosting.com/guru4mac/
> *   Mac, Linux, DTP, Development, IT WEB Site
> *********************************************
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users at lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
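
The log check suggested in the reply at the top of this message ("tail -f /var/log/messages" and look for rejected or dropped packets), as an added example that is not part of the original thread. It assumes Shorewall's default log prefix "Shorewall:<chain>:<disposition>:" and eth0 = net, eth1 = loc as in the quoted masq entry; the sample log lines, their addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: count Shorewall DROP/REJECT log entries that touch the SIP
# port (5060) or the RTP range opened in this thread (udp 8000:8020).

# Constructed sample lines (netfilter LOG format, assumed default Shorewall
# prefix "Shorewall:<chain>:<disposition>:"). Addresses are documentation
# ranges, not values from the thread; eth0 = net, eth1 = loc.
sample_log() {
cat <<'EOF'
Mar  4 16:20:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=548 TTL=52 PROTO=UDP SPT=5060 DPT=5060 LEN=528
Mar  4 16:20:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=200 TTL=52 PROTO=UDP SPT=16384 DPT=8004 LEN=180
Mar  4 16:20:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=200 TTL=52 PROTO=UDP SPT=16384 DPT=8004 LEN=180
Mar  4 16:20:05 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 TTL=110 PROTO=TCP SPT=4312 DPT=445 WINDOW=16384 SYN
Mar  4 16:20:06 gw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=520 TTL=64 PROTO=UDP SPT=5060 DPT=5060 LEN=500
EOF
}

# Hypothetical helper: reads syslog lines on stdin and prints
# "<count> <SIP|RTP> <chain> <disposition> <in-interface> <source> <proto>/<dport>".
sip_drops() {
  awk '
    /Shorewall:[^:]+:(DROP|REJECT):/ {
      chain = disp = inif = src = proto = spt = dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Shorewall:/) {          # IN= is glued to the log prefix
          split($i, p, ":"); chain = p[2]; disp = p[3]
          inif = p[4]; sub(/^IN=/, "", inif)
        } else if ($i ~ /^SRC=/)   src   = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^SPT=/)   spt   = substr($i, 5) + 0
        else if ($i ~ /^DPT=/)   dpt   = substr($i, 5) + 0
      }
      kind = ""
      if (dpt == 5060 || spt == 5060) kind = "SIP"
      else if (proto == "UDP" && dpt >= 8000 && dpt <= 8020) kind = "RTP"
      if (kind != "")
        hits[kind " " chain " " disp " " inif " " src " " proto "/" dpt]++
    }
    END { for (k in hits) print hits[k], k }
  ' | LC_ALL=C sort -k2
}

# Run against the sample; on the firewall use: sip_drops < /var/log/messages
sample_log | sip_drops
```

Entries with IN=eth0 are traffic arriving from the net zone; a net2all DROP on 5060 or on the RTP range during a call means the inbound signalling or media is hitting the default policy instead of a DNAT or ACCEPT rule.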


