shorewall in Gentoo

Posted on 2006-07-17
Medium Priority
Last Modified: 2007-12-19
I want to open the SIP port 5060 on my Gentoo Linux box. The firewall is Shorewall. I am fairly new to Linux. Please teach me in detail.
Question by:llvllar1on
LVL 40

Expert Comment

ID: 17125780
SIP is not enough...

SIP is the signaling protocol telling someone that you want a session,
the sound is transported using the RTP protocol which negotiates
ports on the fly...

Currently netfilter has no support for SIP (ip_conntrack_sip module);
in May a proposed module was posted, but it is not available yet.

Maybe you should also look into adding a SIP proxy on your firewall:
siproxd or partysip (or yate or asterisk if you'd like to run your own PBX exchange ;)


Author Comment

ID: 17126430
I am installing the X-Lite softphone on the Gentoo machine but SIP always gives no response. I can set up this softphone on WinXP without trouble. How do I do it?

Author Comment

ID: 17126438
Thanks noci. You are my good friend ......... please explain it to me more simply. lol

Author Comment

ID: 17126486
I have something called asterisk on my system. I hope this info helps.
LVL 40

Expert Comment

ID: 17126561
Asterisk is a full-blown PBX with chatboxes, voicemail, call prisons etc.
You only need to configure it...
(asterisk.org), it can also be used as a proxy.

Is the gentoo box connected to the internet directly or through some other system?

As mentioned, the SIP protocol only opens a path for RTP to another system;
if you need to pass through another system, that system needs to be SIP & RTP aware
(f.e. NAT also needs to change the content of the data in packets, not just the headers).
The system all data should pass through then needs a proxy running.

If the gentoo system is directly connected to the internet (ie has a public IP address) you
should be able to setup a link to some sip server.

To open sip then just add:

for netfilter:
iptables -I OUTPUT -p udp --dport 5060 -j ACCEPT
iptables -I INPUT -p udp --dport 5060 -j ACCEPT

RTP uses 16384 - 32767 (mostly)

iptables -I INPUT -p udp --dport 16384:32767 -j ACCEPT
iptables -I OUTPUT -p udp --dport 16384:32767 -j ACCEPT

For shorewall you probably know how to translate these to a shorewall config file.

You might need a STUN-server to connect through, your SIP provider should supply you with one then.
(This might solve some RTP problems when having a masquerading firewall.)
More on SIP
More on RTP

LVL 40

Expert Comment

ID: 17126564
the iptables for the RTP portrange both need a -j ACCEPT appended.

Author Comment

ID: 17132693
Sorry, I still have no idea how to open the SIP port in shorewall.
LVL 40

Expert Comment

ID: 17134069
Probably something like:

If the wild wild net zone is called net
and $FW is your firewall then
add these:

ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060
ACCEPT net $FW udp 16384:32767
ACCEPT $FW net udp 16384:32767
LVL 16

Expert Comment

ID: 17145512

Also have a look at:


Author Comment

ID: 17149572
I found those two lines already sitting in /etc/shorewall/rules, but the status of SIP is still closed! Why?
ACCEPT net $FW udp 5060
ACCEPT $FW net udp 5060

Author Comment

ID: 17149607
I am sorry, I found this line is missing: ---------ACCEPT $FW net udp 5060---------
But at least I have one line. Should my SIP be open or not? By the way, what does "net" stand for? I did not get it.
LVL 40

Accepted Solution

noci earned 1000 total points
ID: 17149840
The 'net' is part of the concepts of shorewall, you REALLY REALLY need to RTFM.
The missing rule would allow traffic going from your system to the internet, and yes, that might be blocking.
The other part is that it is not clear how your network is laid out:
is your gentoo system also the shorewall firewall or not?
If it is, this suffices; if it isn't, you need forwarding rules...
SIP + RTP is a protocol that doesn't NAT very well; you're better off running partysip, asterisk etc. as a SIP proxy on your firewall system then.
Also your choice of clients (soft-phone / SIP phones) might be good or poor because of the facilities they provide.

I am under the impression that you need some basic knowledge of networking (TCP/IP),
SIP in particular,
TCP/IP in general.

Here are links to SIP

The firewall in Linux and its working

Then the firewall of your choice: (beginners guide)

Read it, understand it, otherwise you can't trust your firewall and you'll not learn from it.

Then you need to know your own network.
How is it set up:
Take a paper, draw your systems as boxes, draw your links, with IP addresses or DHCP markings,
take note of where which service is running.

System(s) directly on the internet, each with their own firewall,
ONE big firewall, do you need NAT (one public address, multiple systems behind your firewall),
where are your applications running, etc. etc. After taking note of what does what, I think the picture will get clear.

And I'm afraid there doesn't exist a 10 minute crash course on the workings of the internet, applications and the rest,
to paraphrase Douglas Adams.
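The asker's problem was one missing direction in /etc/shorewall/rules. The following is an added example, not code from this thread or from the Shorewall project: it parses the classic ACTION SOURCE DEST PROTO DEST-PORT rule layout and reports which of the four SIP/RTP rules posted above are absent. The zone name `net`, the `$FW` firewall zone and the embedded sample rules file are assumptions mirroring the thread.

```python
# Rules the thread says are needed when the Gentoo box itself is the firewall
# ($FW) and the internet zone is called 'net': (source, dest, proto, (lo, hi)).
REQUIRED = [
    ("net", "$FW", "udp", (5060, 5060)),    # inbound SIP signaling
    ("$FW", "net", "udp", (5060, 5060)),    # outbound SIP signaling (the one the asker lacked)
    ("net", "$FW", "udp", (16384, 32767)),  # inbound RTP media
    ("$FW", "net", "udp", (16384, 32767)),  # outbound RTP media
]

def parse_port(spec):
    """'5060' -> (5060, 5060); '16384:32767' -> (16384, 32767)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))

def parse_rules(text):
    """Return (source, dest, proto, (lo, hi)) for each ACCEPT line in the classic
    ACTION SOURCE DEST PROTO DEST-PORT column layout; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 5 and cols[0].upper() == "ACCEPT":
            rules.append((cols[1], cols[2], cols[3].lower(), parse_port(cols[4])))
    return rules

def missing_rules(text):
    """Return the REQUIRED entries that no ACCEPT rule covers: same zones and
    protocol, and the rule's port range contains the required range."""
    have = parse_rules(text)
    return [
        (src, dst, proto, (lo, hi))
        for src, dst, proto, (lo, hi) in REQUIRED
        if not any(s == src and d == dst and p == proto and rlo <= lo and hi <= rhi
                   for s, d, p, (rlo, rhi) in have)
    ]

def format_rule(src, dst, proto, ports):
    """Render a missing entry in the same column order as the rules file."""
    lo, hi = ports
    port = str(lo) if lo == hi else f"{lo}:{hi}"
    return f"ACCEPT {src} {dst} {proto} {port}"

# Constructed sample mirroring the asker's file: the outbound SIP rule is absent.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT    net     $FW   udp    5060
ACCEPT    net     $FW   udp    16384:32767
ACCEPT    $FW     net   udp    16384:32767
"""

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_RULES):
        print("missing:", format_rule(*rule))
```

Point it at the real file with `missing_rules(open("/etc/shorewall/rules").read())`; it only recognises the five-column layout shown in this thread, so rules using extra columns are ignored rather than evaluated.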
