I understand that the iptables SIP ALG has been much revised this year although I have not tested it myself. I believe you need at least Linux 2.6.25.
On Monday 21 July 2008, Joris Dobbelsteen wrote:
> Neill Wilkinson wrote:
> > If you are using IPtables and are familiar with how to add modules -
> > there is a sip connection tracking module that might help:
> >
> > http://people.netfilter.org/chentschel/docs/sip-conntrack-nat.html
> >
> > Neill...;o)
> >
> > Neill Wilkinson
> > Principal Consultant
> >
> > Aeonvista Ltd - opening up new ideas
>
> I have that installed, but to the outside the SIP packets still carry
> the LAN IP address. I'm currently missing audio (at least inbound is
> nowhere to be seen) and it doesn't really work reliably at this moment.
> That is a real problem currently and must be solved reliably.
>
> The ZyXEL modem I have was intended to be the NAT router for the
> network, but it's configured differently in my case, so I can't make that
> thing to play nicely with NAT.
>
> lsmod on the firewall:
> ip_nat_sip 8832 0
> ip_conntrack_sip 13392 1 ip_nat_sip
>
> Thanks so far,
>
> - Joris
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Joris Dobbelsteen
> > Sent: 21 July 2008 21:10
> > To: [email protected]
> > Subject: [OpenSER-Users] OpenSER as NAT traversal proxy HELP!
> >
> > Dear,
> >
> > I'm really trying to use OpenSER as a NAT traversal SIP proxy, since my
> > home phone keeps breaking voice channels (the box was not intended
> > behind NAT and I'm, of course, using a configuration that is not so well
> > supported).
> >
> > What is the idea:
> >
> > SIP transactions should travel this way:
> > ZyXEL UA <-> SIP Proxy <-> NAT Firewall (iptables) <-> {Internet}
> >
> > RTP should travel this way:
> > ZyXEL UA <-> NAT Firewall & RTPProxy <-> {Internet}
> >
> >
> > My current test is using X-Lite with voipbuster, but that doesn't really
> > work. It seems that registers are functioning, at least X-Lite reports
> > itself being registered.
> > Voice calls always end up in timeouts, so something is really going
> > wrong here, it might be authentication problems?
> >
> > An added problem is that I have just sufficient knowledge of SIP to see
> > what it is doing, without really knowing what to expect exactly.
> > Furthermore I have virtually no knowledge of OpenSER. I've quite a hard
> > time even grasping the configuration I typed in. This is not really
> > helpful.
> >
> > What I do know:
> > * SIP Proxy traffic is flowing.
> > * SIP INVITES don't work at all.
> > * SIP to RTP is communication, but I don't know if RTP is actually
> > flowing.
> >
> > I stole most of the configuration from the "04 NAT Traversal" slides of
> > the "Italy 2007 Admin course", to which there is a link on the
> > documentation site. I adapted it to make it work with the debian
> > supplied OpenSER 1.1.
> >
> > How do I get this all working?
> > What am I getting wrong?
> >
> > I really really appreciate any help I can get to get it working!
> >
> > - Joris
> >
> >
> > Config is this:
> > # ----------- global configuration parameters ------------------------
> >
> > debug=4 # debug level (cmd line: -dddddddddd)
> > fork=yes # Set to no to enter debugging mode
> > log_stderror=no # (cmd line: -E) Set to yes to enter debugging mode
> >
> > check_via=no # (cmd. line: -v)
> > dns=no # (cmd. line: -r)
> > rev_dns=no # (cmd. line: -R)
> > advertised_address="82.168.191.xx"
> > advertised_port=5060
> > port=5060
> > children=4
> > fifo="/tmp/openser_fifo"
> >
> > #
> > # ------------------ module loading ----------------------------------
> >
> > # Uncomment this if you want to use SQL database
> > mpath="/usr/lib/openser/modules/"
> > loadmodule "mysql.so"
> > loadmodule "sl.so"
> > loadmodule "tm.so"
> > loadmodule "rr.so"
> > loadmodule "maxfwd.so"
> > loadmodule "usrloc.so"
> > loadmodule "registrar.so"
> > loadmodule "textops.so"
> > loadmodule "nathelper.so"
> >
> > # Uncomment this if you want digest authentication
> > # mysql.so must be loaded !
> > loadmodule "auth.so"
> > loadmodule "auth_db.so"
> >
> > # ----------------- setting module-specific parameters ---------------
> >
> > # -- usrloc params --
> >
> > modparam("usrloc", "db_mode", 0)
> >
> > # Uncomment this if you want to use SQL database
> > # for persistent storage and comment the previous line
> > #modparam("usrloc", "db_mode", 2)
> >
> > # -- auth params --
> > # Uncomment if you are using auth module
> > #
> > modparam("auth_db", "calculate_ha1", yes)
> > #
> > # If you set "calculate_ha1" parameter to yes (which true in this config),
> > # uncomment also the following parameter)
> > #
> > modparam("auth_db", "password_column", "password")
> >
> > # -- rr params --
> > # add value to ;lr param to make some broken UAs happy
> > modparam("rr", "enable_full_lr", 1)
> >
> > # -- nathelper params ---
> > modparam("nathelper", "rtpproxy_sock", "udp:192.168.10.6:22222")
> > modparam("nathelper", "natping_interval", 30)
> > modparam("nathelper", "ping_nated_only", 1)
> > #modparam("nathelper", "sipping_bflag", 7)
> > modparam("nathelper", "sipping_from", "sip:[EMAIL PROTECTED]")
> >
> > # ------------------------- request routing logic -------------------
> >
> > # main routing logic
> >
> > route{
> >
> >     # initial sanity checks -- messages with
> >     # max_forwards==0, or excessively long requests
> >     if (!mf_process_maxfwd_header("10")) {
> >         sl_send_reply("483","Too Many Hops");
> >         exit;
> >     };
> >
> >     if (msg:len >= 2048 ) {
> >         sl_send_reply("513", "Message too big");
> >         exit;
> >     };
> >
> >     # NAT detection
> >     route(2);
> >
> >     # we record-route all messages -- to make sure that
> >     # subsequent messages will go through our proxy; that's
> >     # particularly good if upstream and downstream entities
> >     # use different transport protocol
> >     if (!method=="REGISTER")
> >         record_route();
> >
> >     # subsequent messages within a dialog should take the
> >     # path determined by record-routing
> >     if (loose_route()) {
> >         # mark routing logic in request
> >         append_hf("P-hint: rr-enforced\r\n");
> >         route(1);
> >     };
> >
> >     if (!uri==myself) {
> >         # mark routing logic in request
> >         append_hf("P-hint: outbound\r\n");
> >         # if you have some interdomain connections via TLS
> >         #if(uri=~"@tls_domain1.net") {
> >         #    t_relay("tls:domain1.net");
> >         #    exit;
> >         #} else if(uri=~"@tls_domain2.net") {
> >         #    t_relay("tls:domain2.net");
> >         #    exit;
> >         #}
> >         route(1);
> >     };
> >
> >     # if the request is for other domain use UsrLoc
> >     # (in case, it does not work, use the following command
> >     # with proper names and addresses in it)
> >     if (uri==myself) {
> >
> >         if (method=="REGISTER") {
> >
> >             # Uncomment this if you want to use digest authentication
> >             if (!www_authorize("sip.familiedobbelsteen.nl", "subscriber")) {
> >                 www_challenge("sip.familiedobbelsteen.nl", "0");
> >                 exit;
> >             };
> >
> >             if (isflagset(5)) {
> >                 # set branch flag -- when someone will call this user
> >                 # INVITE will have branch flag 6 set after lookup("location")
> >                 setflag(6);
> >                 # if you want OPTIONS natpings uncomment next
> >                 # setflag(7);
> >             };
> >
> >             save("location");
> >             exit;
> >         };
> >
> >         lookup("aliases");
> >         if (!uri==myself) {
> >             append_hf("P-hint: outbound alias\r\n");
> >             route(1);
> >         };
> >
> >         # native SIP destinations are handled using our USRLOC DB
> >         if (!lookup("location")) {
> >             sl_send_reply("404", "Not Found");
> >             exit;
> >         };
> >         append_hf("P-hint: usrloc applied\r\n");
> >     };
> >
> >     route(1);
> > }
> >
> >
> > route[1] {
> >     # send it out now; use stateful forwarding as it works reliably
> >     # even for UDP2TCP
> >     if (subst_uri('/(sip:.*);nat=yes/\1/i')) {
> >         setflag(6);
> >     };
> >
> >     if (isflagset(5) || isflagset(6)) {
> >         route(3);
> >     };
> >
> >     if (!t_relay()) {
> >         sl_reply_error();
> >     };
> >     exit;
> > }
> >
> > route[2] {
> >     force_rport();
> >     if(nat_uac_test("19")) {
> >         if (method=="REGISTER") {
> >             fix_nated_register();
> >         } else {
> >             fix_nated_contact();
> >         };
> >         setflag(5);
> >     };
> > }
> >
> > route[3] {
> >     if (is_method("BYE")) {
> >         unforce_rtp_proxy();
> >     } else if (is_method("INVITE")) {
> >         force_rtp_proxy("", "82.168.191.xx");
> >         t_on_failure("2");
> >     };
> >     if (isflagset(5))
> >         search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >     t_on_reply("1");
> > }
> >
> > failure_route[2] {
> >     if (isflagset(6)||isflagset(5)) {
> >         unforce_rtp_proxy();
> >     };
> > }
> >
> > onreply_route[1] {
> >     if ((isflagset(5) || isflagset(6)) && status =~ "(183)|(2[0-9][0-9])") {
> >         force_rtp_proxy();
> >     };
> >     search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
> >
> >     if (isflagset(6)) {
> >         fix_nated_contact();
> >     };
> >     exit;
> > }

_______________________________________________
Users mailing list
[email protected]
http://lists.openser.org/cgi-bin/mailman/listinfo/users
