[Techtalk] IPtables help (VoIP related)
Colleen Hatfield
evilpig at gmail.com
Thu Sep 23 15:59:28 EST 2004
Sorry Elwing, didn't send to list first time :-(
On Thu, 23 Sep 2004 16:14:58 -0400, Elwing <elwing at elwing.org> wrote:
<snip>
> When I call the phone, the VoIP phone *always* makes a outgoing UDP
> connection to 216.181.30.7 with source port 13457, but the destination
> port is kind of a crap shoot - in my playing around, it's been as low as
> 37867 all the way up to 64213.
>
> Is there anyway using IPtables to open up those ports to the VoIP box
> once the packet's gone through? I'm not sure that this would help as I
> get no apparent connections incoming from the SIP server.
>
> The "short' version of a call (as seen from the outside interface) is:
> ender:/etc/init.d# tcpdump -i eth1 net 216.181
> tcpdump: listening on eth1
> ###### Initiate phone call to VoIP phone number #######
> 14:58:08.393818 216.181.30.7.5060 > elwing.org.5060: udp 686 [tos 0x20]
> 14:58:08.492640 elwing.org.5060 > 216.181.30.7.5060: udp 336
> 14:58:08.590688 elwing.org.5060 > 216.181.30.7.5060: udp 396
> 14:58:10.426327 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:13.426148 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:16.426244 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:19.426320 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:22.426431 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:25.426502 elwing.org.13457 > 216.181.30.7.38205: udp 32 [tos 0xb8]
> 14:58:26.398368 216.181.30.7.5060 > elwing.org.5060: udp 363 [tos 0x20]
> 14:58:26.463934 elwing.org.5060 > 216.181.30.7.5060: udp 347
> 14:58:26.472311 elwing.org.5060 > 216.181.30.7.5060: udp 362
> 14:58:26.568151 216.181.30.7.5060 > elwing.org.5060: udp 354 [tos 0x20]
> ##### Get voicemail and hang up ########
> 14:58:48.391524 elwing.org.5060 > 216.181.30.7.5060: udp 393
> 14:58:48.488937 216.181.30.7.5060 > elwing.org.5060: udp 372 [tos 0x20]
You may have already tried this (I don't know what's in your iptables
script), but if I'm correctly understanding the problem it looks to me
like a state match would take care of it.
Something like:
# Allow the phone to make send packets of any port/proto to that IP:
iptables -A FORWARD -s 192.168.0.4 -d 216.181.30.7 -j ACCEPT
# Allow the return traffic back in:
iptables -A FORWARD -s 216.181.30.7 -m state --state
ESTABLISHED,RELATED -j ACCEPT
- Colleen
More information about the Techtalk
mailing list