Hello,
my name is Holger Moskopp and I'm a student at the FH Cologne. At the moment I'm working on my thesis.
I have to build a firewall with a DMZ and a SIP Express Router with RTPproxy. It should look like this:
http://www.ganeymed.de/pixx/fw_ids/ser1.jpg
I'm in a subnet of the school and have installed on the computer xxx.22 (fwclient) a SER registrar with RTPproxy and a Kphone softphone. On the internal SER there is a Kphone registered (holleinnen). In the DMZ there is a SER with rtpproxy. In the FH net there is a SER with Radius authentication and two softphones.
Phil@xxx.73 is registered at that SER. holleaussen is registered on another registrar that is not in the picture.
If I want to call from holleinnen to phil, everything works marvelously. The SIP signaling and the RTP traffic run through the DMZ.
http://www.ganeymed.de/pixx/fw_ids/ser2.jpg
Now to the problem: if I start a call from holleaussen to holleinnen, the SIP phase works perfectly through the DMZ. It rings inside and I can pick up. After that nothing more happens. With tethereal and ethereal I saw that the RTP traffic "wants" to take the way directly from end to end.
http://www.ganeymed.de/pixx/fw_ids/ser4.jpg
Do you have an idea what is going wrong? I attached the two ser.cfg files because I think the mistake is there. I have been trying to fix it for 3 days now, but with no success.
http://www.ganeymed.de/pixx/fw_ids/ser-dmz.txt
http://www.ganeymed.de/pixx/fw_ids/ser-innen.txt
Here is the relevant firewall part:

# Log-and-accept chain for UDP high-port (SIP/RTP) traffic between the DMZ and the outside / inside
$IPTABLES -N SIPLOG
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o $EXTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $EXTERN_ETH --sport 1024:65535 -o $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $INTERN_ETH --sport 1024:65535 -o $DMZ_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I FORWARD -p udp -i $DMZ_ETH --sport 1024:65535 -o $INTERN_ETH --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j SIPLOG
$IPTABLES -I SIPLOG -j LOG --log-prefix "SIPLOG: "
$IPTABLES -A SIPLOG -j ACCEPT
# SIP signaling arriving from outside is redirected to the DMZ proxy
$IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 5060:5062 -j DNAT --to $prox

(That change only sends the packets to prox, but prox doesn't take them:
$IPTABLES -t nat -I PREROUTING -p udp -i $EXTERN_ETH --dport 1024:65535 -j DNAT --to prox)

I think a solution could be to use the stateful iptables filtering, but I don't like that solution.
Thank you and best regards Holger Moskopp
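The symptom described in the post (SIP signaling goes through the DMZ, but the RTP then tries to run directly end to end and is dropped by the firewall) can be checked from the SDP alone, before looking at packet captures: the c= (connection) and m= (media) lines of the INVITE and of the 200 OK say where each side asks the other to send RTP. If those addresses are the endpoints themselves rather than the rtpproxy, the media was never anchored at the proxy. The following is an added example, not code from the original post or from the SER/rtpproxy project; the proxy addresses and the two SIP messages are constructed sample data, and the address sets are assumptions the reader must replace with the real DMZ and internal proxy addresses.

```python
"""Check, from the SDP in a SIP offer/answer, whether RTP will be anchored at rtpproxy.

Added example (not from the original post or the SER project). Addresses and
messages below are constructed; RTPPROXY_ADDRS is a placeholder for the real
DMZ / internal rtpproxy addresses.
"""
import re

# Constructed placeholders: addresses on which the rtpproxy instances listen.
RTPPROXY_ADDRS = {"192.0.2.10", "10.0.0.22"}

# SDP connection line and audio media line (RFC 2327/4566 syntax).
SDP_CONN_RE = re.compile(r"^c=IN IP4 (\S+)$", re.M)
SDP_MEDIA_RE = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)


def sdp_body(sip_message: str) -> str:
    """Return the body of a SIP message: everything after the first blank line."""
    _head, sep, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def media_endpoint(sip_message: str):
    """Return (ip, port) the SDP asks the peer to send RTP to, or None without SDP."""
    body = sdp_body(sip_message)
    conn = SDP_CONN_RE.search(body)
    media = SDP_MEDIA_RE.search(body)
    if not conn or not media:
        return None
    return conn.group(1), int(media.group(1))


def media_is_anchored(sip_message: str, proxies=RTPPROXY_ADDRS) -> bool:
    """True when the SDP in this message points at one of the rtpproxy addresses."""
    endpoint = media_endpoint(sip_message)
    return endpoint is not None and endpoint[0] in proxies


def check_dialog(invite: str, ok: str, proxies=RTPPROXY_ADDRS) -> str:
    """Classify one call: 'anchored' (both offer and answer go via rtpproxy),
    'partial' (only one side does: expect one-way audio), 'end-to-end' (neither:
    RTP will try to run directly and a DMZ-only firewall policy drops it)."""
    offer = media_is_anchored(invite, proxies)
    answer = media_is_anchored(ok, proxies)
    if offer and answer:
        return "anchored"
    if offer or answer:
        return "partial"
    return "end-to-end"


# Constructed sample: an INVITE whose SDP was rewritten to the DMZ proxy ...
INVITE_VIA_PROXY = (
    "INVITE sip:holleinnen@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:holleaussen@example.org>;tag=a1\r\n"
    "To: <sip:holleinnen@example.org>\r\n"
    "Call-ID: c1@example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=holleaussen 1 1 IN IP4 198.51.100.73\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 35000 RTP/AVP 0 8\r\n"
)

# ... and a 200 OK whose SDP still carries the internal phone's own address.
OK_DIRECT = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:holleaussen@example.org>;tag=a1\r\n"
    "To: <sip:holleinnen@example.org>;tag=b2\r\n"
    "Call-ID: c1@example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=holleinnen 1 1 IN IP4 10.0.0.50\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.50\r\n"
    "t=0 0\r\n"
    "m=audio 30000 RTP/AVP 0\r\n"
)

if __name__ == "__main__":
    print("offer  ->", media_endpoint(INVITE_VIA_PROXY))
    print("answer ->", media_endpoint(OK_DIRECT))
    print("dialog :", check_dialog(INVITE_VIA_PROXY, OK_DIRECT))  # partial
```

Run against the SIP messages from a capture of the failing holleaussen to holleinnen call: a result of "partial" or "end-to-end" confirms that the problem is the SDP (the proxy is not rewriting the media address for that call direction) and not the forwarding rules, since the firewall only ever sees RTP addressed to the phones themselves.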