Hello,
my name is Holger Moskopp and I'm a student at the FH Cologne.
At the moment I'm working on my thesis.
I have to build a firewall with DMZ and a SIP Express Router with RTPproxy.
This should look like this:
--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser1.jpg
--------------------------------------------------------
I'm in a subnet of the FH (the school) and have installed on the computer xxx.22
(fwclient) a SER registrar with RTPproxy and a Kphone softphone. On the internal SER
there is a Kphone registered (holleinnen). In the DMZ is a SER with rtpproxy.
In the FH net there is a SER with Radius authentication and two softphones.
Phil@xxx.73 is registered at that SER. holleaussen is registered on another
registrar that is not in the picture.
If I want to call from holleinnen to phil, everything works marvelously. The SIP
signaling and the RTP traffic run through the DMZ.
--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser2.jpg
--------------------------------------------------------
Now to the problem: if I start a call from holleaussen to holleinnen, the SIP phase
works perfectly through the DMZ. It rings inside and I can pick up. After
that nothing more happens.
With tethereal and ethereal I saw that the RTP traffic "wants" to take the
way directly from end to end.
--------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser4.jpg
--------------------------------------------------------
Do you have an idea what is going wrong?
I attached the two ser.cfg files because I think
the mistake is there. I have tried to fix that for 3 days
now, but with no success.
--------------------------------------------------------------
http://www.ganeymed.de/pixx/fw_ids/ser-dmz.txt
http://www.ganeymed.de/pixx/fw_ids/ser-innen.txt
---------------------------------------------------------------
Here is the relevant firewall part:
$IPTABLES -N SIPLOG
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o $EXTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $EXTERN_ETH --sport 1024:65535 -o $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $INTERN_ETH --sport 1024:65535 -o $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o $INTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I SIPLOG -j LOG --log-prefix "SIPLOG: "
$IPTABLES -A SIPLOG -j ACCEPT
$IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 5060:5062 -j DNAT --to $prox
# (That change only sends the packets to prox, but prox doesn't take them:
# $IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 1024:65535 -j DNAT --to prox)
I think a solution could be to use the stateful iptables filtering,
but I don't like that solution.
Thank you and best regards,
Holger Moskopp
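A small diagnostic for the symptom described above, added here as example code (not from the original post, nor from SER or rtpproxy): it reads the SDP of a captured SIP answer and reports whether the media is anchored on the rtpproxy address or advertised directly on an endpoint, which is what an end-to-end RTP attempt looks like on the wire. The rtpproxy address and the internal network are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed addresses (documentation/private ranges): the DMZ rtpproxy and the internal LAN.
RTPPROXY_ADDRS = {"192.0.2.10"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_sdp_streams(sip_message):
    """Return [(media, port, addr)] for each m= line in the SDP body; addr comes from a
    media-level c= line when present, otherwise from the session-level c= line."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, streams = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if streams:
                streams[-1][2] = addr  # media-level c= overrides the session-level one
            else:
                session_addr = addr
        m = re.match(r"m=(\w+) (\d+) ", line)
        if m:
            streams.append([m.group(1), int(m.group(2)), session_addr])
    return [tuple(s) for s in streams]


def media_verdict(sip_message):
    """'proxied' if every stream is anchored on rtpproxy; 'direct-internal' if any stream
    advertises an internal address (unreachable from outside, so the call goes silent);
    'direct-external' if any stream bypasses rtpproxy via a routable address."""
    streams = parse_sdp_streams(sip_message)
    if not streams:
        return "no-media"
    verdicts = set()
    for _, _, addr in streams:
        if addr in RTPPROXY_ADDRS:
            verdicts.add("proxied")
        elif addr and any(ip_address(addr) in net for net in INTERNAL_NETS):
            verdicts.add("direct-internal")
        else:
            verdicts.add("direct-external")
    return next(v for v in ("direct-internal", "direct-external", "proxied") if v in verdicts)


# Constructed 200 OK as it should leave the DMZ SER once rtpproxy has rewritten the SDP.
OK_PROXIED = ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
              "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
              "m=audio 35000 RTP/AVP 0 8\r\n")
# The same answer with the SDP left untouched: the internal phone's address leaks outside.
OK_DIRECT = OK_PROXIED.replace("192.0.2.10", "10.1.2.22")
```

Run it over the 200 OK captured on the external interface: a verdict of direct-internal means the DMZ SER did not rewrite the SDP for that call direction, which matches the silent-after-pickup behaviour.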