shorewall in Gentoo

Posted on 2006-07-17
Last Modified: 2007-12-19
i want to open the sip port 5060 in my gentoo linux box.. the firewall is shorewall. i am fair new in linux. please teach me in detail.
Question by:llvllar1on
  • 6
  • 5
LVL 39

Expert Comment

ID: 17125780
SIP is not enough...

SIP is the signaling protocol telling someone that you want a session,
the sound is transported using the RTP protocol which negotiates
ports on the fly...

Currently netfilter has no support for SIP (ip_conntrack_sip module)
in may a proposal module was posted, but it not available yet.

maybe you should also lookinto adding a sipproxy on your firewall.
siproxd or partysip (or yate or asterisk if you'ld like to run you PBX exchange ;)


Author Comment

ID: 17126430
i am installing the X-Lite softphone in gentoo mechine but  sip always no respond. I can set up this softphone in winxp without trouble.   how to do?

Author Comment

ID: 17126438
thanks noci. you are my good friend ......... please explain to me more simple .lol

Author Comment

ID: 17126486
i have something called asterisk in my system. i hope this info help
LVL 39

Expert Comment

ID: 17126561
Asterisk is a full blown PBX with chatboxes, voicemail, call prisons etc.
You only need to configure it...
(, it can also be used as proxy.

Is the gentoo box connected to the internet directly or through some other system.

As mentioned the SIP protocol only opens a path for RTP to another system,
if you need to pass through another system that system needs to be SIP & RTP aware
(f.e. NAT also needs to change the content of the data in packets, not just the headers)
The system all data should passes through then needs a proxy running.

If the gentoo system is directly connected to the internet (ie has a public IP address) you
should be able to setup a link to some sip server.

To open sip then just add:

for netfilter:
iptables -I OUTPUT -p udp --dport 5060 -j ACCEPT
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

RPT uses 16384 - 32767 (mostly)

iptables -I INPUT -p udp --dport 16384:32767
iptables -I OUTPUT -p UDP --dport 16384:32767

For shorewall you probably know how to translate these to a shorewall config file.

You might need a STUN-server to connect through, your SIP provider should supply you with one then.
(this might solve some RTP problems when having a masquerading firewall.
More on SIP
More on RTP

LVL 39

Expert Comment

ID: 17126564
the iptables for the RTP portrange both need a -j ACCEPT appended.
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails


Author Comment

ID: 17132693
sorry , i still have no ideal to open sip port   in shorewall.  
LVL 39

Expert Comment

ID: 17134069
probably somthing like:

If the wild wild net zone is called net
and $FW is youre firewall then:
add these./

ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060
ACCEPT net $FW udp 16384:32767
ACCEPT $FW net udp 16384:32767
LVL 16

Expert Comment

ID: 17145512

Also have a look at:

Author Comment

ID: 17149572
I found those two lines had already sit in /etc/shorewall/rules. but the status of sip still closed! why?
ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060

Author Comment

ID: 17149607
i am sorry , i found this line is missed ---------ACCEPT $FW net udp 5060---------
but at least , i have one line. should my sip been opened or not?  by the way , what is stand for "net"  ? i didnot get it
LVL 39

Accepted Solution

noci earned 250 total points
ID: 17149840
the 'net' is part of the concepts of shorewall, you REALY REALY need to RTFM.
The missing rule would allow traffic going from your system to the internet, and yes that might be blocking.
The other part is it is not clear how your network is layed out,
is your gentoo system also the shorewall firewall or not.
It it is this suffices, if it isn't you need forwarding rules...
SIP + RTP is a protocol that doesn't nat very well, you're better off running partysip, asterisk etc as a SIP proxy on your firewall system then.
Also your choice of clients (Soft-phone/ SIP phones) might be well or poor because of facilities they provide.

I am under the impression that you need some basic knowledge on networking (TCPIP)
sip in particular:
TCPIP in general.

Here are links to SIP

The firewall in Linux and its working

Then the firewall of your choice: (beginners guide)

Read it, Understand it, otherwise you can't trust your firewall and you 'll not learn of it.

Then you need to known Your own network
How is it setup:
Take a paper draw your systems as Boxes, put draw you links, with ipaddresses or DHCP markings,
take note were what service is running.

System(s) directly on the internet, each theirown firewall,
ONE big firewall, Do you need NAT (one public address , multiple systems behind your firewall),
were are your applications running. etc. etc. after take a note of what does what I think the picture will get clear.

And I'm affraid there doesn't exist a 10 minute crash course on the workings of the internet, applications and the rest
to paraphrase Douglas Adams.

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
computer with linux mint usb port block 5 473
How to enable SSH in Ubuntu. 7 88
CentOS User Audit 3 78
IPA - change main server? 3 89
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (, affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video discusses moving either the default database or any database to a new volume.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now