Perfect this needs to be in the wiki

--
Michael Scheidell, CTO
SECNAP Network Security

-----Original message-----
From: Sven Evensen <sven.even...@onrelay.com>
To: Tony Graziano <tgrazi...@myitdepartment.net>, Michael Scheidell <michael.scheid...@secnap.com>
Cc: sipx-users@list.sipfoundry.org
Sent: Fri, Aug 20, 2010 09:24:37 GMT+00:00
Subject: RE: [sipx-users] iptables experts: port forwarding.

We use iptables on several of our machines to overcome the fact that
ITSP cannot send on 5060,

works perfectly. Here is our setup:



# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 5060 -s 217.37.32.162 -i eth+ -j DNAT --to 10.227.122.31:5080
COMMIT



________________________________

From: sipx-users-boun...@list.sipfoundry.org
[mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Tony
Graziano
Sent: 20 August 2010 08:18
To: Michael Scheidell
Cc: sipx-users@list.sipfoundry.org users
Subject: Re: [sipx-users] iptables experts: port forwarding.



The startup script for sipx checks to see if iptables is running, because
it is automatically "problematic" if it is...

On Thu, Aug 19, 2010 at 11:14 PM, Michael Scheidell
<michael.scheid...@secnap.com> wrote:

It just occurred to me that sipx on centos has iptables.  maybe not
active, but it's got it.

can I use iptables, internally, without involving natting to do
selective port forwarding.

example: private ip address of 192.168.0.2 sipx.secnap.com. public ip of ITSP: 4.2.2.2

I want to do something like this:

if traffic comes in from source ip 4.2.2.2  to 192.168.0.2:5060
redirect it to 192.168.0.2:5080
(assuming that the original firewall did the natting. pretend there isn't
one)

all other traffic to 192.168.0.2:5060 goes to 192.168.0.2:5080
all traffic to 192.168.0.2:5080 goes to 192.168.0.2:5080.

pretend I know lots about freebsd and ipfw and just tonight figured out
how to type 'iptables --list'
eg: tutor me.
I am thinking that if this can be done, it might make life easier for
people like me and mitchel who can't get the ITSP to send to port 5080.

before I take my live phone system offline, look here, several paragraphs
down:
<http://www.linuxquestions.org/questions/linux-networking-3/iptables-port-forwarding-599401/>
they do something like this:



echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s *route_only_for_this_ip* -d *router_ip* --dport 80 -j DNAT --to *destination_ip*:*destination_port*
iptables -t nat -A POSTROUTING -o eth0 -d *destination_ip* -j SNAT --to-source *router_ip*


so, echo 1 > /proc/sys/net/ipv4/ip_forward (might not be needed)
but iptables -t nat -A PREROUTING -p tcp -s 4.2.2.2 -d localhost --dport
5060 -j DNAT to localhost:5080

--
Michael Scheidell, CTO
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/




--
======================
Tony Graziano, Manager
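
Added example, not part of the original thread and not sipX code: a small shell generator for the source-restricted rule discussed above, covering both the same-host case Michael asks about (REDIRECT to a local port) and Sven's forward to another host (DNAT). The function names are hypothetical, UDP is assumed as in Sven's rule, and the inputs are validated so that nothing other than an address or port can end up in the ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore "nat" fragment
# that moves SIP on one UDP port to another for ONE trusted ITSP source only.
# Function names are hypothetical; UDP is assumed, as in Sven's rule.

valid_ipv4() {  # dotted quad, each octet 0-255
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {  # integer 1-65535
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# sip_redirect_rules ITSP_IP FROM_PORT TO_PORT [DEST_IP]
#   no DEST_IP: REDIRECT to a port on this host (no ip_forward needed)
#   DEST_IP:    DNAT to another host, as in Sven's setup
sip_redirect_rules() {
    itsp=$1 from=$2 to=$3 dest=${4:-}
    valid_ipv4 "$itsp" || { echo "bad ITSP address" >&2; return 1; }
    valid_port "$from" && valid_port "$to" || { echo "bad port" >&2; return 1; }
    if [ -n "$dest" ]; then
        valid_ipv4 "$dest" || { echo "bad destination" >&2; return 1; }
        target="DNAT --to-destination $dest:$to"
    else
        target="REDIRECT --to-ports $to"
    fi
    # Only packets from the ITSP match; other traffic to FROM_PORT is untouched.
    printf '%s\n' '*nat' \
        "-A PREROUTING -p udp -s $itsp --dport $from -j $target" \
        'COMMIT'
}

# Addresses from the thread. Review the output, then load it as root with
# "iptables-restore --noflush" so existing rules are kept.
sip_redirect_rules 4.2.2.2 5060 5080
sip_redirect_rules 217.37.32.162 5060 5080 10.227.122.31
```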