Solved

Linux routing of SIP protocol

Posted on 2013-01-28
Last Modified: 2013-02-10
Need some assistance with creating a LAN proxy for routing SIP traffic out on a specific WAN.

Is it possible to create a route on a Linux box to do this, or indeed to use something like Squid?
I have tried a few iptables commands but to no avail.

So, in the end, I need the following:
 
SIP client > port 5060 > Linux box > sipserverabc.com:5060

Don't know if the SIP protocol supports this type of routing or whether it suffers from problems like FTP, where it uses multiple ports.

Any thoughts?

Thanks
BT
Question by:brothertom
 

Expert Comment

by:ArneLovius
ID: 38830822
You cannot just NAT or "proxy" SIP traffic the way you can with HTTP traffic; the "solution" is to use an SBC.

It would be useful to know more about your specific environment.
 

Author Comment

by:brothertom
ID: 38831166
Hi,

Thanks for your reply.  I figured it wasn't going to be that easy.

See attached :)  At present the SIP traffic goes through the satellite, which just about works, but the latency is a bit annoying.
Network.pdf
0
 

Assisted Solution

by:ArneLovius
ArneLovius earned 1256 total points
ID: 38831180
You don't need a proxy, just a static route to your ITSP that goes out over the ADSL line.
 

Author Comment

by:brothertom
ID: 38831273
Slight problem in that the Mac(s) are not connected to the ADSL WAN router.

Presumably (see attached) I would create a static route from Mac to Linux box, then Linux box to SIP Server?
Network2.pdf
 

Accepted Solution

by:ArneLovius
ArneLovius earned 1256 total points
ID: 38831366
Just set the static routes on the router that connects to the Sat modem, using the internal address of the ADSL router as the next hop.

Alternatively, run a "router" internally that has the sat router as default and static routes for the ITSP pointing to the ADSL router, then set that device as the default gateway for all internal devices.

The "router" could be a Linux box or an Ethernet router; you're not routing between networks, just using it to route packets to the correct edge router.

Expert Comment

by:noci
ID: 38833206
Besides a route (and allowance for the specified protocols: SIP = TCP 5060, TCP 5061 and UDP 5060), you also need NAT support (if NAT is involved).

Now it depends on your kernel version what exactly you need to do:
You need some NAT helper support to let the RTP stream follow the SIP stream.

It used to be implemented by the kernel modules ipt_conntrack_sip and ipt_nat_sip;
now they are nf_nat_sip and nf_conntrack_sip.
Also stateful packet inspection is needed, as well as iptables rules to forward the related streams next to established streams.

Either that, or you need a SIP-Proxy.
 

Author Comment

by:brothertom
ID: 38833318
A SIP proxy sounds easier. What's available on Linux or MacOS?

Assisted Solution

by:ArneLovius
ArneLovius earned 1256 total points
ID: 38833424
Considering that your SIP traffic is going over your sat router quite happily, I would do two tests.

1/ set the ADSL connection as the default route on one of the computers and see if the softphone works, if it does, then;

2/ add static routes for your SIP provider onto the satellite router with the ADSL LAN address as the gateway and retest.

The sat router will route the packets, but as they will be going in and out the same interface, they will not go over NAT, the extra load should be minimal, and if it does ICMP redirection correctly, the traffic flow will only touch the sat router during setup.

This will be significantly simpler than configuring a SIP proxy/SBC.
 

Author Comment

by:brothertom
ID: 38834259
I guess the downside of a static route is that it is IP based and DNS based.
I'll have a go with both ideas and see what works best for us.

Assisted Solution

by:ArneLovius
ArneLovius earned 1256 total points
ID: 38834642
Static routes would be IP based. Granted, you would have to update them if your ITSP changed addresses, but this should not happen often.

Assisted Solution

by:noci
noci earned 744 total points
ID: 38834875
Configuring a SIP proxy is definitely NOT easy (it's the front end of any telephone exchange and does the bulk of the traffic handling), and bridging connections is just a small part of it.
You will need to configure every aspect of an SBC (Sip Border Controller) though.

Assisted Solution

by:ArneLovius
ArneLovius earned 1256 total points
ID: 38834899
Setting up static routes should take less time than it takes to just read through this howto on using FreeSWITCH as an SBC:

http://wiki.freeswitch.org/wiki/SBC_Setup
 

Author Comment

by:brothertom
ID: 38846789
Yay, it works :)

I added a new LAN/WAN router to the network (WAN connected to the correct ADSL line) and created a static route on the satellite to point the SIP traffic to the new router.

Worked great.

For an encore, I wanted to get this working with an existing Linux box on the network that was already connected to the correct WAN, so I did the following:

iptables -F
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
ip route add x.x.x.x/32 via y.y.y.y dev eth1

So, essentially enabled NAT forwarding on the Linux box, then added another static route on the Linux box routing to the SIP x.x.x.x server traffic via the WAN on y.y.y.y.

This also worked, which is what I wanted.

The only problem I see here is that it looks like I am now allowing ANY traffic to enter the LAN from the WAN over the NAT Linux box (/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT).

If this is the case, any idea which iptables commands are needed to only allow inbound traffic for connections that have been established from internal sources (e.g. the SIP phones) and reject all other WAN inbound traffic?

Assisted Solution

by:noci
noci earned 744 total points
ID: 38847449
If just SIP, then port tcp 5060, tcp 5061 and udp 5060 should be allowed, plus UDP for each of the RTP links.

So, add:

Create a rule for each, with the following added:
 -p tcp --dport 5060  {state}
 -p tcp --dport 5061  {state}
 -p udp --dport 5060  {state}

The {state} above should be "-m state --state NEW" for old style
and "-m conntrack --ctstate NEW" for new style.

RTP tracks are most easily followed using connection tracking.
Then also add a rule:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Use "-m conntrack --ctstate" in case of new style connection tracking.
 

Author Comment

by:brothertom
ID: 38847706
OK, so I did (in total)

iptables -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

iptables -A INPUT -p tcp --dport 5060 -m state --state NEW
iptables -A INPUT -p tcp --dport 5061 -m state --state NEW
iptables -A INPUT -p udp --dport 5060 -m state --state NEW
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Do I need to do something extra for the RTP tracking or does the last command take care of that?   I presume the ESTABLISHED,RELATED allows 'new' ports to be used for already established connections (such as the initial SIP connection on TCP/5060)?

Also, do I need to add any DENY type commands to block everything else on the incoming WAN?  Here is my current iptables if this is of use...

i# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
           tcp  --  anywhere             anywhere             tcp dpt:sip state NEW
           tcp  --  anywhere             anywhere             tcp dpt:sip-tls state NEW
           udp  --  anywhere             anywhere             udp dpt:sip state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Assisted Solution

by:noci
noci earned 744 total points
ID: 38849725
If the SIP modules for conntrack and NAT are loaded, then RELATED should take the RTP stream with it.
 

Author Comment

by:brothertom
ID: 38856676
Just a follow up:
Should the -p tcp --dport 5060 {state} rule be added to INPUT or FORWARD (the latter, I presume)?

How can I test the integrity of the iptables rules from the LAN side?
I'm guessing by having a process listening on port 5060/tcp on the LAN side, then attempting to connect from the WAN side.

By the way, is DENY the default in iptables and we're just opening up the ports needed?

Expert Comment

by:noci
ID: 38866515
At least forward if it is routed through the box.
 
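An added example (not posted by anyone in this thread) of what the Linux box's ruleset looks like with the questions above answered: default DROP policies on INPUT and FORWARD instead of the ACCEPT policies shown in the iptables -L output, SIP rules in FORWARD rather than INPUT, with the -j ACCEPT target that the posted INPUT rules lack, and the SIP conntrack helper assigned explicitly. Interface names eth0 (LAN) and eth1 (ADSL WAN) come from the thread; SIP_SERVER is a constructed placeholder for the ITSP address.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces eth0 (LAN) and eth1 (ADSL WAN)
# come from the posts above; SIP_SERVER is a constructed placeholder address.
LAN_IF=eth0
WAN_IF=eth1
SIP_SERVER="${SIP_SERVER:-192.0.2.10}"

# Print a complete iptables-restore ruleset: default-deny INPUT and FORWARD,
# NEW sessions only from the LAN to the ITSP, replies and helper-tracked RTP
# via conntrack, and MASQUERADE on the WAN side as in the thread.
build_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Kernels since 4.7 do not attach helpers automatically; assign the SIP helper
# so the RTP ports negotiated in SDP become RELATED flows (not for TLS/5061).
-A PREROUTING -i $LAN_IF -p udp --dport 5060 -j CT --helper sip
-A PREROUTING -i $LAN_IF -p tcp --dport 5060 -j CT --helper sip
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $SIP_SERVER -p udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $SIP_SERVER -p tcp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -d $SIP_SERVER -p tcp --dport 5061 -m conntrack --ctstate NEW -j ACCEPT
# nothing else: the DROP policy rejects every NEW packet arriving on the WAN
COMMIT
EOF
}

# Number of rules that would accept a NEW connection arriving on the WAN.
wan_new_accepts() {
  build_rules | grep -c -- "-i $WAN_IF .*ctstate NEW -j ACCEPT" || true
}

# Apply on the Linux box (needs root): helper modules, forwarding, ruleset.
apply_rules() {
  modprobe nf_conntrack_sip && modprobe nf_nat_sip
  sysctl -w net.ipv4.ip_forward=1
  build_rules | iptables-restore
}
```

Review the output of build_rules before running apply_rules; the INPUT chain here admits nothing new to the box itself, so add a management rule from the LAN first if the box is administered remotely.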

Author Closing Comment

by:brothertom
ID: 38872515
Thank you both - all working nicely.