shorewall in Gentoo

Posted on 2006-07-17
Last Modified: 2007-12-19
I want to open the SIP port 5060 on my Gentoo Linux box. The firewall is Shorewall. I am fairly new to Linux. Please teach me in detail.
Question by:llvllar1on

Expert Comment

ID: 17125780
SIP is not enough...

SIP is the signalling protocol telling someone that you want a session;
the sound is transported using the RTP protocol, which negotiates
ports on the fly...

Currently netfilter has no support for SIP (an ip_conntrack_sip module);
in May a proposed module was posted, but it is not available yet.

Maybe you should also look into adding a SIP proxy on your firewall:
siproxd or partysip (or yate or asterisk if you'd like to run your own PBX exchange ;)


Author Comment

ID: 17126430
I am installing the X-Lite softphone on the Gentoo machine but SIP always gives no response. I can set up this softphone on WinXP without trouble. How do I do it?

Author Comment

ID: 17126438
Thanks noci. You are my good friend......... Please explain it to me more simply. lol

Author Comment

ID: 17126486
I have something called Asterisk on my system. I hope this info helps.

Expert Comment

ID: 17126561
Asterisk is a full-blown PBX with chatboxes, voicemail, call prisons etc.
You only need to configure it...
(It can also be used as a proxy.)

Is the Gentoo box connected to the internet directly or through some other system?

As mentioned, the SIP protocol only opens a path for RTP to another system;
if you need to pass through another system, that system needs to be SIP & RTP aware
(e.g. NAT also needs to change the content of the data in packets, not just the headers).
The system all data passes through then needs a proxy running.

If the Gentoo system is directly connected to the internet (i.e. has a public IP address) you
should be able to set up a link to some SIP server.

To open SIP then just add:

for netfilter:
# SIP signalling, udp/5060, both directions
iptables -I OUTPUT -p udp --dport 5060 -j ACCEPT
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

RTP uses 16384 - 32767 (mostly)

# RTP media port range, both directions (the -j ACCEPT target is required)
iptables -I INPUT -p udp --dport 16384:32767 -j ACCEPT
iptables -I OUTPUT -p udp --dport 16384:32767 -j ACCEPT

For Shorewall you probably know how to translate these to a Shorewall config file.

You might need a STUN server to connect through; your SIP provider should supply you with one then.
(This might solve some RTP problems when having a masquerading firewall.)
More on SIP
More on RTP


Expert Comment

ID: 17126564
The iptables rules for the RTP port range both need a -j ACCEPT appended.

Author Comment

ID: 17132693
Sorry, I still have no idea how to open the SIP port in Shorewall.

Expert Comment

ID: 17134069
Probably something like:

If the wild wild net zone is called net
and $FW is your firewall, then
add these:

ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060
ACCEPT net $FW udp 16384:32767
ACCEPT $FW net udp 16384:32767
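The four Shorewall rules above (and the equivalent iptables rules earlier in the thread) are easy to half-copy, which is exactly what happened later in this thread when one of the two 5060 lines turned out to be missing. The script below is an added example, not code from the thread or from the Shorewall project: it reads a rules file in Shorewall's five-column ACTION SOURCE DEST PROTO DEST-PORT layout, ignores comments, and reports which of the four required lines are absent. The file path, the zone name net and the RTP range are assumptions; Asterisk's own default RTP range is 10000-20000 (rtp.conf), so set RTP_PORTS to whatever the endpoint really uses, otherwise the check looks for the wrong lines.

```shell
#!/bin/sh
# Added example, not from the thread: check a Shorewall rules file for the
# four ACCEPT lines needed for SIP signalling (udp/5060, both directions)
# and the RTP media range (both directions).
# Assumptions: zone "net", firewall zone "$FW", RTP range 16384:32767.

RTP_PORTS="${RTP_PORTS:-16384:32767}"

# Strip comments and keep the first five columns of each rule:
# ACTION SOURCE DEST PROTO DPORT, separated by single spaces.
normalize_rules() {
    sed 's/#.*//' | awk 'NF >= 5 { print $1, $2, $3, $4, $5 }'
}

# check_sip_rules FILE: print each required rule that FILE lacks.
# Exit status is the number of missing rules (0 means all four are present).
check_sip_rules() {
    present=$(normalize_rules < "$1")
    missing=0
    while read -r rule; do
        if ! printf '%s\n' "$present" | grep -Fxq -- "$rule"; then
            printf 'missing: %s\n' "$rule"
            missing=$((missing + 1))
        fi
    done <<EOF
ACCEPT net \$FW udp 5060
ACCEPT \$FW net udp 5060
ACCEPT net \$FW udp $RTP_PORTS
ACCEPT \$FW net udp $RTP_PORTS
EOF
    return "$missing"
}

# Constructed sample rules file (not the poster's real file): it has the
# inbound SIP rule and both RTP rules but, like the poster's, lacks the
# outbound SIP rule.
write_sample_rules() {
    cat > "$1" <<'EOF'
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      $FW    tcp     22
ACCEPT    net      $FW    udp     5060
ACCEPT    net      $FW    udp     16384:32767
ACCEPT    $FW      net    udp     16384:32767    # RTP media out
EOF
}

# Usage: sh check_sip_rules.sh /etc/shorewall/rules
if [ $# -gt 0 ]; then
    check_sip_rules "$1"
fi
```

The check matches exact five-column rules only, so a rule written with a different port range or a zone alias is reported as missing rather than silently accepted. Two practical notes: `ACCEPT net $FW udp 16384:32767` opens a wide inbound UDP range to the whole internet; if the provider's media gateway addresses are known, narrow the SOURCE column (Shorewall accepts zone:address, e.g. `net:192.0.2.10`, a documentation address used here as a placeholder). And after editing the file, run `shorewall check` before `shorewall restart` so a syntax error does not leave the firewall in a half-applied state.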

Expert Comment

ID: 17145512

Also have a look at:

Author Comment

ID: 17149572
I found those two lines already sat in /etc/shorewall/rules, but the status of SIP is still closed! Why?
ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060

Author Comment

ID: 17149607
I am sorry, I found this line is missing --------- ACCEPT $FW net udp 5060 ---------
but at least I have one line. Should my SIP be open or not? By the way, what does "net" stand for? I did not get it.

Accepted Solution

noci earned 250 total points
ID: 17149840
The 'net' is part of the concepts of Shorewall; you REALLY REALLY need to RTFM.
The missing rule would allow traffic going from your system to the internet, and yes, that might be blocking.
The other part is that it is not clear how your network is laid out:
is your Gentoo system also the Shorewall firewall or not?
If it is, this suffices; if it isn't, you need forwarding rules...
SIP + RTP is a protocol that doesn't NAT very well; you're better off running partysip, asterisk etc. as a SIP proxy on your firewall system then.
Also your choice of clients (soft-phone / SIP phones) might be good or poor because of the facilities they provide.

I am under the impression that you need some basic knowledge of networking (TCP/IP):
SIP in particular:
TCP/IP in general.

Here are links to SIP

The firewall in Linux and its workings

Then the firewall of your choice: (beginner's guide)

Read it, understand it; otherwise you can't trust your firewall and you'll not learn from it.

Then you need to know your own network.
How is it set up:
Take a paper, draw your systems as boxes, draw your links with IP addresses or DHCP markings,
take note of where each service is running.

System(s) directly on the internet, each with their own firewall,
ONE big firewall, do you need NAT (one public address, multiple systems behind your firewall),
where are your applications running, etc. etc. After taking note of what does what I think the picture will get clearer.

And I'm afraid there doesn't exist a 10-minute crash course on the workings of the internet, applications and the rest,
to paraphrase Douglas Adams.
