SIP connection tracking and NAT for Netfilter

Christian Hentschel

The SIP conntrack/NAT extension supports connection tracking and NAT of the media streams set up on the dynamic RTP/RTCP ports of a SIP session, as well as mangling (rewriting the addresses and ports carried inside) of SIP requests and responses.

These few lines explain how to configure the Netfilter framework to get this ALG working.


The latest patches are maintained in the Netfilter patch-o-matic-ng Subversion repository.

Get the latest svn snapshot from:

Applying sip-conntrack-nat patches.

Simply run ./runme sip-conntrack-nat in the directory containing the patch-o-matic-ng source.
You then have to recompile the kernel modules, selecting the 'SIP support' option in the kernel configuration menu.

Note: this assumes that you already have the Linux >= 2.6.11 kernel sources and the iptables sources on your box; patch-o-matic needs both.

For more information about Netfilter extensions, see the Netfilter Extensions HOWTO.

Using sip-conntrack-nat

Once you've recompiled the kernel, make sure the modules are loaded. Loading ip_nat_sip pulls in ip_conntrack_sip automatically, as the lsmod dependency column shows (note that without -a, modprobe takes only one module name; anything after it is passed to that module as a parameter):

        Wookie:/home/chentschel# modprobe ip_conntrack_sip
        Wookie:/home/chentschel# modprobe ip_nat_sip

        Wookie:/home/chentschel# lsmod | grep ip_nat_sip
        ip_nat_sip              4288  0
        ip_conntrack_sip        6544  1 ip_nat_sip
        iptable_nat            20444  1 ip_nat_sip
        ip_conntrack           38808  3 ip_nat_sip,ip_conntrack_sip,iptable_nat


Netfilter will now track and NAT SIP packets, but don't forget the iptables rules: the RTP/RTCP streams that the helper learns from the SDP body are entered as expectations and show up as RELATED, so a rule accepting RELATED traffic is what actually lets the media through. Since the helper parses SIP and SDP in the kernel, restrict the sources allowed to send to UDP port 5060 to the peers you actually talk to where you can. Examples follow.

Set iptables rules to allow UDP packets on port 5060 to the firewall itself, plus the ESTABLISHED and RELATED traffic of tracked sessions:

        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -p udp --dport 5060 -j ACCEPT

And, for SIP phones behind the firewall, forward and NAT as follows (--to-source takes the address of eth0; if your FORWARD policy is DROP, add the same ESTABLISHED,RELATED rule to the FORWARD chain, or the RTP/RTCP streams will be blocked):

        iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
        iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
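The two rule fragments above, put together as a small script. This is an added example, not part of the sip-conntrack-nat patch or the original page; the interface name eth0, the address 198.51.100.1 and the peer network 203.0.113.0/24 are placeholders, and the IPT variable lets you print the rules with IPT=echo instead of loading them.

```shell
#!/bin/sh
# Added example: SIP-aware firewall for the 2.6.11-era ip_conntrack_sip /
# ip_nat_sip modules. Interface and addresses below are placeholders.
#
# IPT defaults to iptables; set IPT=echo to print the rules (dry run).
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Load the SIP helper. ip_nat_sip depends on ip_conntrack_sip (and
# iptable_nat), so one modprobe call brings in all of them.
sip_load_modules() {
    "$MODPROBE" ip_nat_sip
}

# sip_nat_rules EXT_IF EXT_IP [SIP_PEER_NET]
#   EXT_IF       external (NATed) interface, e.g. eth0
#   EXT_IP       address on EXT_IF used as the SNAT source
#   SIP_PEER_NET source network allowed to reach UDP/5060 on the firewall
#                itself (your SIP provider/proxy); default any
sip_nat_rules() {
    ext_if="$1"; ext_ip="$2"; peers="${3:-0.0.0.0/0}"

    # Return halves of tracked sessions, and the RTP/RTCP streams the SIP
    # helper expects from the SDP body: those arrive as RELATED. Without
    # the FORWARD rule, media for phones behind the box is dropped when
    # the FORWARD policy is DROP.
    "$IPT" -A INPUT   -i lo -j ACCEPT
    "$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SIP signalling to the firewall itself, limited to known peers:
    # every packet accepted here is parsed by the kernel helper.
    "$IPT" -A INPUT -p udp -s "$peers" --dport 5060 -j ACCEPT

    # Phones on the LAN may start SIP sessions out through EXT_IF.
    "$IPT" -A FORWARD -o "$ext_if" -p udp --dport 5060 -j ACCEPT

    # Source NAT for everything leaving EXT_IF; ip_nat_sip rewrites the
    # SIP headers and SDP so they carry this address instead of the
    # private one.
    "$IPT" -t nat -A POSTROUTING -o "$ext_if" -j SNAT --to-source "$ext_ip"
}

# Show what conntrack knows about SIP sessions and the media ports it is
# waiting for (proc paths of the 2.6.11-era ip_conntrack).
sip_show_state() {
    grep -i sip /proc/net/ip_conntrack 2>/dev/null
    cat /proc/net/ip_conntrack_expect 2>/dev/null
}

# Usage: sh sip-fw.sh eth0 198.51.100.1 [203.0.113.0/24]
if [ "$#" -ge 2 ]; then
    sip_load_modules
    sip_nat_rules "$@"
fi
```

Run it once with IPT=echo to review the rule set before loading it; after a call is set up, sip_show_state lists the tracked SIP session and the RTP/RTCP expectations created for it.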

(C) 2005 Christian Hentschel. Licenced under the GNU GPL.
