[Serusers] SER in iptables NAT box

Quite a few people have a hard time in finding working solutions for SIP in NAT environments. I have successfully tried a setup where SER resides in an iptables NAT box. In this case, the tricky part is the iptables config (since no netfilter SIP ALG exists yet), so I thought I'd share a working iptables config wrt SER and UAs behind the NAT. As far as I have seen both SER and the UAs work fine with this setup. /Lasse * SCENARIO: - You have an iptables NAT box with one public IP address and a privately addressed LAN inside - SER resides in the NAT box - You use UAs where it is possible for you to select what ports to use for SIP and media (.e.g. KPhone or X-Lite) - The UAs use STUN or some other means that results in having the public IP address in SDP - THE UAs use UDP for SIP and media - SER is reachable via both UDP and TCP from the Internet and the LAN * NAT/IPTABLES ASSUMPTIONS - All chains have a default policy = DENY to start with - The machines on the internal LAN have unresticted access to the NAT box through appropriate rules - You have configured appropriate spoofing filters - You are not worried about having permanent openings through the NAT to your LAN machines * IPTABLES CONFIG # Variables - may provide rule statements which are more easy to read, but aren't necessary EXTERNAL_INTERFACE=<insert the device name of your Internet i/f here> # example EXTERNAL_INTERFACE="eth0" IPADDR=<insert your public IP here, or the command you use to dig it out> # pseudo example: IPADDR="a.b.c.d." SIP_UA_HOST_1=<insert the private IP of the relevant host on your private LAN> # example SIP_UA_HOST_1="192.168.0.1" SIP_PORT_1=<insert the desired SIP port for SIP_UA_HOST_1 here. NOT port 5060 which is used by SER> # example SIP_PORT_1="5062" M_PORT_1=<insert the desired media port for SIP_UA_HOST_1 here> # example M_PORT_1="37000" # Ports above the well known ports (see www.iana.org/assignments/port-numbers) UNPRIVPORTS="1024:" # ------------------------------------------------------------------------------------ # SIP SERVER PART iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR --destination-port 5060 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ -s $IPADDR --source-port 5060 -j ACCEPT iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \ -d $IPADDR --destination-port 5060 -j ACCEPT iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR --source-port 5060 -j ACCEPT # ------------------------------------------------------------------------------------ # SIP_UA_HOST_1, repeat with appropriate replacements of hosts and port numbers for each host on private LAN # ------------ Part 1: Provides forwarding of media to SIP_UA_HOST_1 from both Internet and LAN UAs iptables -A PREROUTING -t nat -p udp --source-port $UNPRIVPORTS \ -d $IPADDR --destination-port $M_PORT_1 -j DNAT --to $SIP_UA_HOST_1 iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $M_PORT_1 \ -j ACCEPT # ------------ Part 2 # a): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 from both Internet and LAN UAs iptables -A PREROUTING -t nat -p udp -d $IPADDR --destination-port \ $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1 # b): Prerequisite for correct forwarding of SIP messages to SIP_UA_HOST_1 from SER (e.g. an INVITE) iptables -A OUTPUT -t nat -p udp -s $IPADDR --source-port 5060 \ -d $IPADDR --destination-port $SIP_PORT_1 -j DNAT --to $SIP_UA_HOST_1 # c): Allows the actual packet forwarding of SIP messages to SIP_UA_HOST_1 iptables -A FORWARD -p udp -d $SIP_UA_HOST_1 --destination-port $SIP_PORT_1 \ -j ACCEPT # ------------------------------------------------------------------------------------ * REFERENCES 1. The netfilter/iptables project homepage, see http://www.netfilter.org/ 2. OpenNA Inc. provides useful books on building and configuring Linux hosts, including iptables. see e.g. http://www.openna.com/products/books/sol/solus.php