Iptables For SIP Talk To Other Port


I have a host 192.168.1.3 that wants to run SIP on 5068 (long story). My host is 192.168.10.201. My host needs to stay on 5060 because of all the other devices I have connected.

I tried putting port=5068 in my SIP extension definition but that did not work.

So I thought about using iptables to accomplish this:

iptables -t nat -A PREROUTING -p tcp --dport 5068 -j REDIRECT --to-port 5060
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.1.3 -j REDIRECT --to-port 5068

Do I not have the right format of the command?
Anything incoming destined for 5068 redirect to 5060… Anything going out to 192.168.1.3 and port 5060 redirect to 5068.

Seems like that should have worked?

Thoughts? sip show peers still says unreachable.

Thanks,

Jerry

5 thoughts on - Iptables For SIP Talk To Other Port

  • So I have in my SIP trunk: transport=tcp

    So correct, my iptables line was specifying “-p tcp”.

    I also set tcpenable=yes in sip.conf

    Thanks.

    Jerry

  • Don’t you want udp rather than tcp?

    Have a look at the iptables stats to see if any packets are hitting your rule. Also I think the source port from your host will be 5068, so your replies will be to the right port, but you can double check.

    tcpdump is also very useful here

    sudo tcpdump -i eth0 -n udp and host 192.168.1.3 should show you packets between your machine and your odd host

    Cheers Duncan
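
The counter check suggested in the reply above, as an added example that is not part of the original thread: it reads a `iptables -t nat -L -n -v -x` listing and reports whether the rule for a given port has matched any packets. The function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. The listing below is constructed, in the layout printed by
# `iptables -t nat -L -n -v -x`; it is not output captured from the poster's host.
# POSTROUTING is shown empty because REDIRECT is only valid in the nat table's
# PREROUTING and OUTPUT chains, so a REDIRECT rule is not accepted there.
sample_nat_listing() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 41 packets, 2460 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5068 redir ports 5060

Chain OUTPUT (policy ACCEPT 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 17 packets, 1020 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Print "CHAIN PKTS TARGET MATCH" for every rule matching destination port $1.
# Reads the listing on stdin; -x is required so pkts is an exact integer.
nat_rule_hits() {
    awk -v port="$1" '
        $1 == "Chain"     { chain = $2; next }   # start of a new chain
        $1 !~ /^[0-9]+$/  { next }               # column header or blank line
        {
            extra = ""                            # fields after the destination column
            for (i = 10; i <= NF; i++) extra = extra (i > 10 ? " " : "") $i
            if (extra ~ ("dpt:" port "( |$)"))
                printf "%s %s %s %s\n", chain, $1, $3, extra
        }'
}

# Exit 0 when a rule for port $1 is loaded but its packet counter is still zero,
# i.e. traffic is not arriving on the path (protocol, chain, port) the rule covers.
port_rule_unhit() {
    nat_rule_hits "$1" | awk '{ seen = 1; hits += $2 }
        END { exit !(seen && hits == 0) }'
}

# Demo on the constructed listing; on a live host, as root, pipe
# `iptables -t nat -L -n -v -x` into the same functions instead.
sample_nat_listing | nat_rule_hits 5068
if sample_nat_listing | port_rule_unhit 5068; then
    echo "rule for 5068 is loaded but has matched no packets"
fi
```

A zero counter next to traffic that tcpdump does show means the packets are taking a path the rule does not cover, for example a different protocol or a chain that locally generated packets never traverse.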

  • Jerry has already clarified in a previous reply that he is running SIP over TCP, not UDP.
    
    But he hasn’t clarified on which machine he is applying the iptables header rewrite rules (10.201, or 1.3?).

    Either way though, it seems like a kludgy work-around. IMO, it’d be better to focus on creating the correct Asterisk peer configuration for the peer that is operating on the non-standard separate port, and don’t use any packet-header mangling at all.

    Jerry, can you post your configuration for the peer in Asterisk? (eg from sip.conf)

    Pete
