Iptables On C5


Hi all,

I am trying to get iptables to work for me… I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060 udp. I need to set tcpenable=yes for SIP and run that on port 5068. Since port 5060 is already running I was going to redirect 5068 to 5060.

So I thought I could use iptables to do that – but it does not seem to be working.
192.168.10.201 is my machine, 192.168.1.3 is the other machine. 1.3 should connect to 10.201 on port 5068.

so I did:

iptables -t nat -A PREROUTING -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.3 --dport 5060 -j REDIRECT --to-port 5068

This did not seem to work. iptables -t nat -L -n -v shows packets going out to 1.3 but “0” on the input for 5068.

So then I added

iptables -t nat -A OUTPUT -p tcp -d 192.168.10.201 --dport 5068 -j REDIRECT --to-port 5060
iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 5068 -j REDIRECT --to-port 5060

And still nothing on the input.

What have I missed?

Thanks,

Jerry

One thought on - Iptables On C5

  • Oh, yuck. SIP includes information about an endpoint’s address and port in the payload of its data. The NAT helpers *should* rewrite that, but only if your payload isn’t encrypted. Asterisk can be configured with knowledge of its NATed address and port, but… Well, this all becomes kind of a mess.

    It’s best to avoid NAT wherever possible, in general, but more so with SIP than with some other common protocols.

    Is there a reason you can’t configure asterisk to connect to 192.168.1.3:5068, without using NAT? And the reverse? Can 192.168.1.3 not connect to 5060?

    And if you’re not seeing packets hit that rule, are you really sure 192.168.1.3 is sending packets to 192.168.10.201 port 5068? Do you see them using a diagnostic tool like tcpdump?

    The output chain with a destination address of the local machine? I’m not really sure what you’re trying to do here.
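Neither post spells out which nat chain an inbound packet actually traverses, so the following is an added example (my own model, not Jerry's rules or anything from the reply) that walks the first packet of a TCP connection through the four rules posted above. It encodes two facts about the nat table: packets arriving from another host pass nat PREROUTING while locally generated packets pass nat OUTPUT, and -j REDIRECT is accepted only in those two chains, so the POSTROUTING rule would be rejected by iptables. The addresses and ports are the ones in the post; the Rule and Packet objects are constructed for the model, not captured from a live machine, and the destination match is an exact-host comparison (no CIDR handling).

```python
# Added example (not from the thread): a small model of how the first packet of a
# TCP connection traverses the nat table, used to reason about the posted rules.
# Addresses and ports are the poster's; the rule set is reconstructed from the text.
from dataclasses import dataclass
from typing import Optional

# -j REDIRECT is accepted only in these two nat chains; iptables rejects it elsewhere.
REDIRECT_CHAINS = {"PREROUTING", "OUTPUT"}


@dataclass(frozen=True)
class Rule:
    chain: str      # nat chain the rule was appended to
    proto: str      # -p
    dst: str        # -d (exact host match; this model does not handle CIDR)
    dport: int      # --dport
    to_port: int    # REDIRECT --to-port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    locally_generated: bool  # True for packets created by a process on this host


def validate(rule: Rule) -> Optional[str]:
    """Return an error string if iptables would reject the rule, else None."""
    if rule.chain not in REDIRECT_CHAINS:
        return (f"REDIRECT is not valid in nat {rule.chain}; "
                "use PREROUTING for inbound or OUTPUT for locally generated traffic")
    return None


def nat_chain_for(pkt: Packet) -> str:
    """First nat chain a new connection's packet passes through."""
    # Traffic arriving from another host hits nat PREROUTING before routing;
    # traffic generated locally hits nat OUTPUT instead (and then POSTROUTING).
    return "OUTPUT" if pkt.locally_generated else "PREROUTING"


def first_match(rules: list[Rule], pkt: Packet) -> Optional[Rule]:
    """Walk the chain the packet traverses and return the first matching, valid rule."""
    chain = nat_chain_for(pkt)
    for rule in rules:
        if rule.chain != chain or validate(rule) is not None:
            continue
        if rule.proto == pkt.proto and rule.dst == pkt.dst and rule.dport == pkt.dport:
            return rule
    return None


def redirected_port(rules: list[Rule], pkt: Packet) -> int:
    """Destination port after the nat table has processed the connection's first packet."""
    rule = first_match(rules, pkt)
    return rule.to_port if rule else pkt.dport


def report(rules: list[Rule], pkt: Packet) -> str:
    """One-line verdict for a packet, in the order a human would check it."""
    rule = first_match(rules, pkt)
    if rule is None:
        return f"{pkt.src} -> {pkt.dst}:{pkt.dport} matches no rule in nat {nat_chain_for(pkt)}"
    return (f"{pkt.src} -> {pkt.dst}:{pkt.dport} matches the {rule.chain} rule; "
            f"rewritten to local port {rule.to_port}")


# The four rules from the post, in the order they were added (constructed from the text).
POSTED_RULES = [
    Rule("PREROUTING", "tcp", "192.168.10.201", 5068, 5060),
    Rule("POSTROUTING", "tcp", "192.168.1.3", 5060, 5068),  # iptables rejects REDIRECT here
    Rule("OUTPUT", "tcp", "192.168.10.201", 5068, 5060),
    Rule("OUTPUT", "tcp", "127.0.0.1", 5068, 5060),
]

# The SIP/TCP connection the poster expects: 192.168.1.3 -> 192.168.10.201:5068 (constructed).
INBOUND_SIP = Packet("192.168.1.3", "192.168.10.201", "tcp", 5068, locally_generated=False)

# A connection Asterisk itself opens to the far end on 5068 (constructed); the OUTPUT
# rules match only a local destination, so nothing in the set rewrites it.
OUTBOUND_SIP = Packet("192.168.10.201", "192.168.1.3", "tcp", 5068, locally_generated=True)


if __name__ == "__main__":
    for r in POSTED_RULES:
        err = validate(r)
        if err:
            print(f"rule rejected: {r.chain} --dport {r.dport}: {err}")
    print(report(POSTED_RULES, INBOUND_SIP))   # first PREROUTING rule matches -> 5060
    print(report(POSTED_RULES, OUTBOUND_SIP))  # no OUTPUT rule matches -> stays 5068
```

Run against the inbound SIP connection the model confirms that the first PREROUTING rule does match, which is exactly the reply's point: a zero packet counter on that rule means the connection attempts are not reaching 192.168.10.201:5068 at all, and tcpdump on the receiving host is the next check. One further caveat when reading `iptables -t nat -L -n -v`: the nat table is consulted only for the first packet of each connection, so those counters count new connections, not every packet.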