shorewall in Gentoo

I want to open the SIP port 5060 on my Gentoo Linux box. The firewall is Shorewall. I am fairly new to Linux. Please teach me in detail.
noci (Software Engineer) commented:
SIP is not enough...

SIP is the signaling protocol telling someone that you want a session,
the sound is transported using the RTP protocol which negotiates
ports on the fly...

Currently netfilter has no support for SIP (ip_conntrack_sip module);
in May a proposal module was posted, but it is not available yet.

Maybe you should also look into adding a SIP proxy on your firewall:
siproxd or partysip (or yate or asterisk if you'd like to run your PBX exchange ;)

llvllar1on (Author) commented:
I am installing the X-Lite softphone on the Gentoo machine, but SIP always gets no response. I can set up this softphone in WinXP without trouble. How do I do this?
llvllar1on (Author) commented:
Thanks noci. You are my good friend... Please explain it to me more simply. lol

llvllar1on (Author) commented:
I have something called Asterisk on my system. I hope this info helps.
noci (Software Engineer) commented:
Asterisk is a full-blown PBX with chatboxes, voicemail, call prisons etc.
You only need to configure it...
(asterisk.org), it can also be used as proxy.

Is the Gentoo box connected to the internet directly or through some other system?

As mentioned, the SIP protocol only opens a path for RTP to another system;
if you need to pass through another system, that system needs to be SIP & RTP aware
(e.g. NAT also needs to change the content of the data in packets, not just the headers).
The system that all data passes through then needs a proxy running.

If the Gentoo system is directly connected to the internet (i.e. has a public IP address) you
should be able to set up a link to some SIP server.

To open sip then just add:

for netfilter:
iptables -I OUTPUT -p udp --dport 5060 -j ACCEPT
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

RTP uses 16384 - 32767 (mostly)

iptables -I INPUT -p udp --dport 16384:32767
iptables -I OUTPUT -p UDP --dport 16384:32767

For shorewall you probably know how to translate these to a shorewall config file.

You might need a STUN server to connect through; your SIP provider should supply you with one then.
(This might solve some RTP problems when having a masquerading firewall.)
More on SIP
More on RTP

noci (Software Engineer) commented:
The iptables rules for the RTP port range both need a -j ACCEPT appended.
llvllar1on (Author) commented:
Sorry, I still have no idea how to open the SIP port in Shorewall.
noci (Software Engineer) commented:
Probably something like:

If the wild wild net zone is called net
and $FW is your firewall, then
add these:

ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060
ACCEPT net $FW udp 16384:32767
ACCEPT $FW net udp 16384:32767

Also have a look at:

llvllar1on (Author) commented:
I found those two lines were already sitting in /etc/shorewall/rules, but the status of SIP is still closed! Why?
ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060
llvllar1on (Author) commented:
I am sorry, I found this line is missing: ACCEPT $FW net udp 5060
But at least I have one line. Should my SIP be opened or not? By the way, what does "net" stand for? I did not get it.
noci (Software Engineer) commented:
The 'net' is part of the concepts of Shorewall; you REALLY REALLY need to RTFM.
The missing rule would allow traffic going from your system to the internet, and yes, that might be blocking.
The other part is that it is not clear how your network is laid out:
is your Gentoo system also the Shorewall firewall or not?
If it is, this suffices; if it isn't, you need forwarding rules...
SIP + RTP is a protocol that doesn't NAT very well; you're better off running partysip, asterisk etc. as a SIP proxy on your firewall system then.
Also your choice of clients (softphones / SIP phones) might be good or poor because of the facilities they provide.

I am under the impression that you need some basic knowledge of networking (TCP/IP),
SIP in particular:
TCP/IP in general.

Here are links to SIP

The firewall in Linux and its working

Then the firewall of your choice: (beginners guide)

Read it, understand it, otherwise you can't trust your firewall and you'll not learn of it.

Then you need to know your own network.
How is it set up:
Take a paper, draw your systems as boxes, draw your links, with IP addresses or DHCP markings,
take note where what service is running.

System(s) directly on the internet, each with their own firewall,
ONE big firewall, do you need NAT (one public address, multiple systems behind your firewall),
where are your applications running, etc. etc. After taking note of what does what, I think the picture will get clear.

And I'm afraid there doesn't exist a 10 minute crash course on the workings of the internet, applications and the rest,
to paraphrase Douglas Adams.
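
The rule set discussed in this thread, as an added example that is not part of any participant's post: a shell function that reports which of the four SIP/RTP lines suggested above are absent from a Shorewall rules file. It assumes the zone names `net` and `$FW` (or the default firewall zone name `fw`) and the plain five-column form used in the thread; the function name `missing_sip_rules` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Report which of the thread's four SIP/RTP rules are missing from a
# Shorewall rules file (columns: ACTION SOURCE DEST PROTO DPORT).

# missing_sip_rules FILE -> one line per missing rule, nothing if all present
missing_sip_rules() {
    awk '
    BEGIN {
        # Values taken from the thread: SIP on 5060/udp, RTP on 16384:32767/udp
        want["ACCEPT net $FW udp 5060"] = 1
        want["ACCEPT $FW net udp 5060"] = 1
        want["ACCEPT net $FW udp 16384:32767"] = 1
        want["ACCEPT $FW net udp 16384:32767"] = 1
    }
    {
        sub(/#.*/, "")               # strip trailing comments
        if (NF < 5) next             # blank lines, section headers
        src = $2; dst = $3
        # Assumption: the firewall zone may be written with its default name
        if (src == "fw") src = "$FW"
        if (dst == "fw") dst = "$FW"
        key = $1 " " src " " dst " " tolower($4) " " $5
        if (key in want) seen[key] = 1
    }
    END {
        for (k in want) if (!(k in seen)) print k
    }' "$1" | sort
}

# Constructed sample: a rules file holding only the inbound SIP line,
# as in the situation described in the thread.
sample=$(mktemp)
printf '%s\n' 'ACCEPT net $FW udp 5060' > "$sample"
missing_sip_rules "$sample"
rm -f "$sample"
```

Run it against `/etc/shorewall/rules`; after editing, `shorewall check` validates the configuration before `shorewall restart` applies it.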