Quite a few people have a hard time finding working solutions for SIP in NAT environments.
I have successfully tried a setup where SER resides on an iptables NAT box. In this case the tricky part is the iptables config (since no netfilter SIP ALG exists yet), so I thought I'd share a working iptables config with respect to SER and UAs behind the NAT.
As far as I have seen, both SER and the UAs work fine with this setup.
/Lasse
* SCENARIO
- You have an iptables NAT box with one public IP address and a privately addressed LAN inside
- SER resides in the NAT box
- You use UAs where it is possible for you to select what ports to use for SIP and media (e.g. KPhone or X-Lite)
- The UAs use STUN or some other means that results in having the public IP address in SDP
- The UAs use UDP for SIP and media
- SER is reachable via both UDP and TCP from the Internet and the LAN

* NAT/IPTABLES ASSUMPTIONS
- All chains have a default policy = DENY to start with
- The machines on the internal LAN have unrestricted access to the NAT box through appropriate rules
- You have configured appropriate spoofing filters
- You are not worried about having permanent openings through the NAT to your LAN machines
* IPTABLES CONFIG

# Variables - may provide rule statements which are easier to read, but aren't necessary
EXTERNAL_INTERFACE=<insert the device name of your Internet i/f here>
# example: EXTERNAL_INTERFACE="eth0"
IPADDR=<insert your public IP here, or the command you use to dig it out>
# pseudo example: IPADDR="a.b.c.d"
SIP_UA_HOST_1=<insert the private IP of the relevant host on your private LAN>
# example: SIP_UA_HOST_1="192.168.0.1"
SIP_PORT_1=<insert the desired SIP port for SIP_UA_HOST_1 here. NOT port 5060, which is used by SER>
# example: SIP_PORT_1="5062"
M_PORT_1=<insert the desired media port for SIP_UA_HOST_1 here>
# example: M_PORT_1="37000"
# Ports above the well known ports (see www.iana.org/assignments/port-numbers)
UNPRIVPORTS="1024:"

# ------------------------------------------------------------------------------------
# SIP SERVER PART
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
    -d $IPADDR --destination-port 5060 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR --source-port 5060 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    -d $IPADDR --destination-port 5060 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port 5060 -j ACCEPT

# ------------------------------------------------------------------------------------
# SIP_UA_HOST_1, repeat with appropriate replacements of hosts and port numbers
# for each host on the private LAN

# ------------ Part 1: Provides forwarding of media to SIP_UA_HOST_1 from both Internet and LAN UAs
iptables -A PREROUTING -t nat -p udp --source-port $UNPRIVPORTS \
    -d $IPADDR --destination-port $M_PORT_1 -j DNAT --to $SIP_UA_HOST_1
iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $M_PORT_1 \
    -j ACCEPT

# ------------ Part 2
# a): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 from both Internet and LAN UAs
iptables -A PREROUTING -t nat -p udp -d $IPADDR --destination-port \
    $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1
# b): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 from SER (e.g. an INVITE)
iptables -A OUTPUT -t nat -p udp -s $IPADDR --source-port 5060 \
    -d $IPADDR --destination-port $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1
# c): Allows the actual packet forwarding of SIP messages to SIP_UA_HOST_1
iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $SIP_PORT_1 \
    -j ACCEPT
# ------------------------------------------------------------------------------------
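A small generator for the per-host block above, added here as an example and not part of the original post: it builds the Part 1 and Part 2 rules for each LAN UA and refuses a port that is SER's 5060 or is already taken by another UA, since all UAs share the one public IP and are told apart by destination port alone. The public IP and host addresses in it are placeholder values.

```shell
# Added example (not from the original post): builds the per-UA rule block
# from the post for several LAN hosts, checking the post's constraints before
# a rule is added. Variable names follow the post; IPADDR is a placeholder.
IPADDR="198.51.100.10"        # placeholder public address (TEST-NET-2)
UNPRIVPORTS="1024:"
USED_PORTS=""                 # public ports already claimed by a UA
RULES=""                      # accumulated iptables commands

# valid_port PORT: numeric and above the well-known port range
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# add_sip_ua HOST SIP_PORT M_PORT: append the DNAT/FORWARD rules for one UA.
# Every UA is reached through the single public IP, so a port may not be
# SER's 5060 and may not be reused by another UA (the DNAT would clash).
add_sip_ua() {
    host="$1"; sip_port="$2"; m_port="$3"
    [ "$sip_port" != "$m_port" ] || { echo "$host: SIP and media port must differ" >&2; return 1; }
    for p in "$sip_port" "$m_port"; do
        valid_port "$p" || { echo "$host: bad port '$p'" >&2; return 1; }
        [ "$p" != 5060 ] || { echo "$host: 5060 belongs to SER" >&2; return 1; }
        case " $USED_PORTS " in
            *" $p "*) echo "$host: port $p already assigned" >&2; return 1 ;;
        esac
    done
    USED_PORTS="$USED_PORTS $sip_port $m_port"
    block=$(printf '%s\n' \
        "# $host: media (Part 1) and SIP signalling (Part 2 a/b/c)" \
        "iptables -A PREROUTING -t nat -p udp --source-port $UNPRIVPORTS -d $IPADDR --destination-port $m_port -j DNAT --to $host" \
        "iptables -A FORWARD -p udp -d $host --destination-port $m_port -j ACCEPT" \
        "iptables -A PREROUTING -t nat -p udp -d $IPADDR --destination-port $sip_port -j DNAT --to $host" \
        "iptables -A OUTPUT -t nat -p udp -s $IPADDR --source-port 5060 -d $IPADDR --destination-port $sip_port -j DNAT --to $host" \
        "iptables -A FORWARD -p udp -d $host --destination-port $sip_port -j ACCEPT")
    RULES="$RULES$block
"
}

# print_rules: emit the accumulated commands; review them, then run them as root
print_rules() { printf '%s' "$RULES"; }

# rule_count: number of iptables commands accumulated so far
rule_count() { printf '%s' "$RULES" | grep -c '^iptables'; }
```

Calling add_sip_ua once per LAN phone and then print_rules gives the repeated block the post asks for, with the port bookkeeping done for you.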