HowTo configure iptables

From SIPfoundry sipx, The Open Source SIP PBX for Linux - Calivia



SIP conntrack/NAT extension

The SIP conntrack/NAT extension supports the connection tracking/NATing of the data streams requested on the dynamic RTP/RTCP ports of a SIP session, as well as mangling of SIP requests/responses.

SIP conntrack/NAT extension for netfilter/iptables is currently available from netfilter patch-o-matic.

SIP conntrack/NAT extension is available in the mainstream kernel as of 2.6.18.

Documentation is available here.

Installation

  • Perform a backup of your current kernel, kernel sources and .config
  • Download iptables snapshot from netfilter ftp site (iptables)
  • Download patch-o-matic snapshot from netfilter ftp site (patch-o-matic-ng)
  • Unpack iptables snapshot
  • Unpack patch-o-matic-ng snapshot
  • Create symlink for iptables and patch-o-matic-ng
  • cd into patch-o-matic-ng directory
  • Apply patch to kernel sources (./runme sip-conntrack-nat)
  • Enable the module (CONFIG_IP_NF_NAT_SIP=y and CONFIG_IP_NF_SIP=y, or in the kernel configuration menu: "Device drivers, Networking support, Networking options, Network packet filtering, IP: Netfilter configuration, SIP support")
  • Build new kernel (make && make modules_install)
  • Reboot
  • Load the SIP conntrack and NAT modules (modprobe -a ip_conntrack_sip ip_nat_sip; without -a, modprobe would treat the second name as a parameter of the first module)
  • Add rule for SIP signalling traffic (usually port 5060)

Using SIP conntrack/NAT

Load the modules

modprobe -a ip_conntrack_sip ip_nat_sip

Note: ip_conntrack_sip accepts up to 8 SIP ports through its ports= parameter, separated by commas:

modprobe ip_conntrack_sip ports=5060[,sip-port2[,sip-port3]]

Set IPtables filter rules (the RELATED state is what admits the RTP/RTCP streams the SIP helper expects for a tracked call)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

Set IPtables NAT rules (for a forwarding/NAT gateway; the FORWARD chain needs the same ESTABLISHED,RELATED rule as INPUT, or the helper-expected RTP/RTCP streams are not forwarded)

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source ip.add.dr.ess
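Putting the module load, the 8-port limit of ip_conntrack_sip and the host filter rules above together, here is an added shell example (not from the sipX wiki) that validates a list of SIP ports and emits the commands in the order they must run; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the sipX wiki page): generate, without applying,
# the module loads and filter rules for a host-based SIP firewall.
# Function names are this example's own; the rules follow the page.

# Print the ports= parameter for ip_conntrack_sip, enforcing the module's
# limit of 8 ports and the valid port range. Returns 1 on bad input.
sip_ports_param() {
    [ "$#" -ge 1 ] && [ "$#" -le 8 ] || return 1
    param=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;    # reject anything non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        param="${param:+$param,}$p"
    done
    printf 'ports=%s\n' "$param"
}

# Emit the commands in the order they must run: load the conntrack helper
# with its port list, then the NAT helper, accept replies and the RTP/RTCP
# flows the helper registers (RELATED), then open only the signalling
# ports. Nothing is executed; pipe the output to sh as root to apply it.
sip_firewall_rules() {
    param=$(sip_ports_param "$@") || return 1
    printf 'modprobe ip_conntrack_sip %s\n' "$param"
    printf 'modprobe ip_nat_sip\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for p in "$@"; do
        printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$p"
    done
}

# Dry run for the default port plus one extra SIP port.
sip_firewall_rules 5060 5061
```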

Testing iptables

IPTState

IPTState is a top-like display of IPtables state table entries.

conntrack

conntrack is a command-line program for listing, querying, deleting and updating entries in the connection tracking table. It also supports real-time tracing of connection tracking state changes (conntrack events).

Use case 1: host-based firewall for sipX mediaserver

The module has been successfully tested on a host running sipX mediaserver. After call setup, both UDP (RTP/RTCP) ports are opened and kept alive until 30 seconds after call termination.
