shorewall in Gentoo

Posted on 2006-07-17
Last Modified: 2007-12-19
I want to open the SIP port 5060 on my Gentoo Linux box. The firewall is Shorewall. I am fairly new to Linux. Please teach me in detail.
Question by:llvllar1on
LVL 40

Expert Comment

ID: 17125780
SIP is not enough...

SIP is the signaling protocol telling someone that you want a session;
the sound is transported using the RTP protocol, which negotiates
ports on the fly...

Currently netfilter has no support for SIP (ip_conntrack_sip module);
in May a proposed module was posted, but it is not available yet.

Maybe you should also look into adding a SIP proxy on your firewall:
siproxd or partysip (or yate or asterisk if you'd like to run your own PBX exchange ;)


Author Comment

ID: 17126430
I am installing the X-Lite softphone on the Gentoo machine, but SIP always gives no response. I can set up this softphone on WinXP without trouble. How do I do it?

Author Comment

ID: 17126438
Thanks noci, you are my good friend......... please explain it to me more simply. lol

Author Comment

ID: 17126486
I have something called Asterisk on my system. I hope this info helps.
LVL 40

Expert Comment

ID: 17126561
Asterisk is a full-blown PBX with chatboxes, voicemail, call prisons etc.
You only need to configure it...
(It can also be used as a proxy.)

Is the Gentoo box connected to the internet directly or through some other system?

As mentioned, the SIP protocol only opens a path for RTP to another system;
if you need to pass through another system, that system needs to be SIP & RTP aware
(e.g. NAT also needs to change the content of the data in packets, not just the headers).
The system all data passes through then needs a proxy running.

If the Gentoo system is directly connected to the internet (i.e. has a public IP address) you
should be able to set up a link to some SIP server.

To open SIP then just add:

for netfilter:
# SIP signaling (UDP 5060), both directions
iptables -I OUTPUT -p udp --dport 5060 -j ACCEPT
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

RTP uses 16384 - 32767 (mostly)

# RTP media port range, both directions
iptables -I INPUT -p udp --dport 16384:32767 -j ACCEPT
iptables -I OUTPUT -p udp --dport 16384:32767 -j ACCEPT

For Shorewall you probably know how to translate these to a Shorewall config file.

You might need a STUN server to connect through; your SIP provider should supply you with one then.
(This might solve some RTP problems when having a masquerading firewall.)
More on SIP
More on RTP

LVL 40

Expert Comment

ID: 17126564
the iptables for the RTP portrange both need a -j ACCEPT appended.

Author Comment

ID: 17132693
Sorry, I still have no idea how to open the SIP port in Shorewall.
LVL 40

Expert Comment

ID: 17134069
Probably something like:

If the wild wild net zone is called net
and $FW is your firewall, then
add these:

#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     $FW   udp    5060
ACCEPT   $FW     net   udp    5060
ACCEPT   net     $FW   udp    16384:32767
ACCEPT   $FW     net   udp    16384:32767
LVL 16

Expert Comment

ID: 17145512

Also have a look at:

Author Comment

ID: 17149572
I found those two lines were already in /etc/shorewall/rules, but the status of SIP is still closed! Why?
ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060

Author Comment

ID: 17149607
I am sorry, I found this line is missing: ---------ACCEPT $FW net udp 5060---------
But at least I have one line. Should my SIP be opened or not? By the way, what does "net" stand for? I did not get it.
LVL 40

Accepted Solution

noci earned 250 total points
ID: 17149840
The 'net' is part of the concepts of Shorewall; you REALLY REALLY need to RTFM.
The missing rule would allow traffic going from your system to the internet, and yes, that might be blocking.
The other part is that it is not clear how your network is laid out:
is your Gentoo system also the Shorewall firewall or not?
If it is, this suffices; if it isn't, you need forwarding rules...
SIP + RTP is a protocol that doesn't NAT very well; you're better off running partysip, asterisk etc. as a SIP proxy on your firewall system then.
Also your choice of clients (softphone / SIP phones) might be good or poor because of the facilities they provide.

I am under the impression that you need some basic knowledge of networking (TCP/IP):
SIP in particular,
TCP/IP in general.

Here are links to SIP

The firewall in Linux and its workings

Then the firewall of your choice: (beginners guide)

Read it, understand it; otherwise you can't trust your firewall and you'll not learn from it.

Then you need to know your own network.
How is it set up:
Take a paper, draw your systems as boxes, draw your links, with IP addresses or DHCP markings,
take note where which service is running.

System(s) directly on the internet, each their own firewall,
ONE big firewall, do you need NAT (one public address, multiple systems behind your firewall),
where are your applications running, etc. etc. After taking note of what does what, I think the picture will get clear.

And I'm afraid there doesn't exist a 10-minute crash course on the workings of the internet, applications and the rest,
to paraphrase Douglas Adams.
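The asker's problem in this thread was a rules file with only one direction of the SIP rule present. The script below is an added example, not code from the thread or from the Shorewall project: it audits a Shorewall rules file for the four ACCEPT entries noci listed (UDP 5060 and the RTP range 16384:32767, both net to $FW and $FW to net) and reports which are missing. It assumes the zone names "net" and "$FW" used in the thread, the standard column layout of /etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT(S)), and that the RTP range is 16384:32767; the sample rules file embedded in it is constructed to reproduce the asker's situation.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Shorewall rules file
# for the SIP/RTP entries discussed above and report the missing ones.
# Assumptions: internet zone "net", firewall "$FW", RTP range 16384:32767,
# rules in the standard "ACTION SOURCE DEST PROTO DEST PORT(S)" layout.

# Constructed sample reproducing the thread: outbound UDP 5060 is missing.
SAMPLE_RULES='#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     $FW   udp    5060
ACCEPT   net     $FW   udp    16384:32767
ACCEPT   $FW     net   udp    16384:32767
'

# rule_present FILE ACTION SOURCE DEST PROTO PORTS
# Succeeds (exit 0) if an uncommented line has exactly these five leading fields.
rule_present() {
    awk -v a="$2" -v s="$3" -v d="$4" -v p="$5" -v q="$6" '
        /^[[:space:]]*#/ { next }            # skip comment lines
        NF >= 5 && $1 == a && $2 == s && $3 == d && tolower($4) == p && $5 == q { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_sip_rules FILE
# Prints each missing rule; exit status is the number of missing rules (0 = complete).
check_sip_rules() {
    rules_file=$1
    missing=0
    # Each spec: SOURCE DEST PROTO PORTS. "$FW" stays literal; Shorewall expands it.
    for spec in \
        'net $FW udp 5060' \
        '$FW net udp 5060' \
        'net $FW udp 16384:32767' \
        '$FW net udp 16384:32767'
    do
        set -- $spec
        if ! rule_present "$rules_file" ACCEPT "$1" "$2" "$3" "$4"; then
            echo "missing: ACCEPT $1 $2 $3 $4"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# With a path argument (e.g. /etc/shorewall/rules) audit that file;
# otherwise demonstrate on the constructed sample (reports one missing rule).
if [ -n "${1:-}" ]; then
    check_sip_rules "$1"
else
    TMP_RULES=$(mktemp)
    printf '%s' "$SAMPLE_RULES" > "$TMP_RULES"
    check_sip_rules "$TMP_RULES" || :
    rm -f "$TMP_RULES"
fi
```

Run it as `sh sip_rules_check.sh /etc/shorewall/rules`; a non-zero exit status means at least one of the four rules is absent. The check only looks at exact field matches, so a rule written with a different zone name or with port lists will be reported as missing even if it is functionally equivalent. After adding rules, `shorewall check` validates the whole configuration and `shorewall restart` applies it.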

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question