SIP connection tracking and NAT [1] for Netfilter.
Christian Hentschel
chentschel at people.netfilter.org
2005-04-09
The SIP conntrack/NAT extension supports connection tracking and NAT of the media streams negotiated on the dynamic RTP [2]/RTCP [3] ports of a SIP session, as well as mangling of the SIP requests/responses themselves. The helper reads the SDP offer carried in the SIP payload, registers the RTP and RTCP ports it announces as expected connections (so the media packets later match the RELATED state), and rewrites the addresses in the SIP headers and SDP when the packet is NATed.
These few lines explain how to configure the Netfilter framework to get this ALG [4] working.
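To make the two jobs of the helper concrete, here is a user-space model in Python. It is an added example, not code from the sip-conntrack-nat patch or from the author: it parses a constructed INVITE, derives the RTP/RTCP expectations the conntrack side would register (the flows that later match --state RELATED), and does the header/SDP rewriting and Content-Length fix-up the NAT side must perform on a SNATed packet. The addresses, the INVITE and the simplifications (only IP rewriting, no port remapping, no reverse expectation) are assumptions of the example.

```python
"""User-space model of the SIP helper: expectations and NAT mangling.

Added example, not code from the sip-conntrack-nat patch. Addresses and
the INVITE below are constructed (RFC 1918 / RFC 5737 ranges).
"""
import re

PRIVATE_IP = "192.168.1.10"  # phone behind the NAT box (constructed)
PUBLIC_IP = "203.0.113.5"    # NAT box's external address (constructed)

# Constructed SDP offer: one audio stream, RTP on 8000 (so RTCP on 8001).
SDP_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed INVITE carrying that offer, as the phone would send it.
INVITE = (
    "INVITE sip:bob@203.0.113.9 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    f"From: <sip:alice@{PRIVATE_IP}>;tag=1928301774\r\n"
    "To: <sip:bob@203.0.113.9>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    f"Contact: <sip:alice@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def split_message(msg):
    """Split a SIP message into its header lines and its body."""
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def sdp_media_endpoints(body):
    """[(ip, rtp_port), ...] for each m= line. A session-level c= (before
    any m=) applies to every stream; a media-level c= (after an m=)
    overrides it for that stream only."""
    session_ip = None
    endpoints = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if endpoints:
                endpoints[-1][0] = ip
            else:
                session_ip = ip
        elif line.startswith("m="):
            endpoints.append([session_ip, int(line.split()[1])])
    return [(ip, port) for ip, port in endpoints]


def expectations(body):
    """Flows the conntrack helper registers as expected, i.e. what later
    matches --state RELATED: RTP on the offered port, RTCP on port + 1."""
    exp = []
    for ip, port in sdp_media_endpoints(body):
        exp.append(("udp", ip, port))
        exp.append(("udp", ip, port + 1))
    return exp


def _replace_ip(text, old_ip, new_ip):
    # Match the whole dotted quad only, so 192.168.1.10 never hits 192.168.1.100.
    return re.sub(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])", new_ip, text)


def snat_mangle(msg, old_ip, new_ip):
    """What the NAT helper must do to a SNATed SIP packet: rewrite the
    private address in the headers the far end replies to (Via, From,
    Contact) and in the SDP (o=, c=), then fix Content-Length so the
    body still parses. Port remapping works the same way and is omitted."""
    headers, body = split_message(msg)
    body = "\r\n".join(
        _replace_ip(l, old_ip, new_ip) if l.startswith(("o=", "c=")) else l
        for l in body.split("\r\n")
    )
    out = []
    for h in headers:
        if h.startswith(("Via:", "From:", "Contact:")):
            h = _replace_ip(h, old_ip, new_ip)
        elif h.lower().startswith("content-length:"):
            h = f"Content-Length: {len(body)}"
        out.append(h)
    return "\r\n".join(out) + "\r\n\r\n" + body


def content_length_matches(msg):
    """True if the Content-Length header equals the real body length."""
    headers, body = split_message(msg)
    for h in headers:
        if h.lower().startswith("content-length:"):
            return int(h.split(":", 1)[1]) == len(body)
    return False


if __name__ == "__main__":
    print("expected (RELATED) flows:", expectations(split_message(INVITE)[1]))
    print(snat_mangle(INVITE, PRIVATE_IP, PUBLIC_IP))
```

The point to take from it: the RTP/RTCP pinholes come entirely from addresses and ports found inside an untrusted payload, which is why the helper should only be attached to the SIP port and why the RELATED accept rule is what lets those flows through.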
Download
The latest patches are maintained in the Netfilter patch-o-matic-ng [5] Subversion repository [6].
Get the latest svn snapshot from:
Applying the sip-conntrack-nat patches.
Simply run ./runme sip-conntrack-nat in the patch-o-matic-ng source directory.
You'll then have to recompile the kernel modules, selecting the 'SIP support' option in the kernel configuration menu.
Note: this assumes that you already have the Linux >= 2.6.11 kernel [8] and iptables [9] sources on your box; patch-o-matic needs both of them.
To get more information about Netfilter extensions, see the Netfilter Extensions HOWTO [10].
Using sip-conntrack-nat
Once you've recompiled the kernel, make sure you load the modules (as the lsmod output shows, ip_nat_sip pulls in ip_conntrack_sip, iptable_nat and ip_conntrack):
Wookie:/home/chentschel# modprobe ip_conntrack_sip ip_nat_sip
Wookie:/home/chentschel# lsmod | grep ip_nat_sip
ip_nat_sip 4288 0
ip_conntrack_sip 6544 1 ip_nat_sip
iptable_nat 20444 1 ip_nat_sip
ip_conntrack 38808 3 ip_nat_sip,ip_conntrack_sip,iptable_nat
Wookie:/home/chentschel#
Netfilter now takes care of connection tracking and NAT of the SIP packets, but don't forget the iptables rules. For example:
To accept SIP signalling on UDP port 5060 on the box itself, together with the RTP/RTCP streams the helper has registered as expected (they arrive in the RELATED state, which is what the first rule is for):
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
And on a NAT box with phones behind it:
iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.68.89.15
If the FORWARD policy is not ACCEPT, the FORWARD chain needs its own ESTABLISHED,RELATED accept as well: the helper only registers the expected RTP/RTCP flows, it does not accept them for you. On current kernels the modules are called nf_conntrack_sip and nf_nat_sip, and a helper is no longer attached to a flow automatically; assign it explicitly to the port 5060 traffic with the CT target's --helper sip option in the raw table.
(C) 2005 Christian Hentschel. Licenced under the GNU GPL.