Solved

Linux routing of SIP protocol

Posted on 2013-01-28
Last Modified: 2013-02-10
Need some assistance with creating a LAN proxy for routing SIP traffic out on a specific WAN.

Is it possible to create a route on a Linux box to do this, or indeed use something like Squid?
I have tried a few iptables commands but to no avail.

So, in the end, I need the following:
 
SIP client > port 5060 > Linux box > sipserverabc.com:5060

Don't know if the SIP protocol supports this type of routing or whether it suffers from problems like FTP, where it uses multiple ports.

Any thoughts?

Thanks
BT
Question by: brothertom

19 Comments
 
LVL 36

Expert Comment

by: ArneLovius
You cannot just NAT or "proxy" SIP traffic in the way that you can with HTTP traffic; the "solution" is to use an SBC.

It would be useful to know more about your specific environment.
 

Author Comment

by: brothertom
Hi,

Thanks for your reply.  I figured it wasn't going to be that easy.

See attached :)  At present the SIP traffic goes through the satellite, which just about works, but the latency is a bit annoying.
Network.pdf
 
LVL 36

Assisted Solution

by: ArneLovius (earned 314 total points)
You don't need a proxy, just a static route to your ITSP that goes out over the ADSL line.
 

Author Comment

by: brothertom
Slight problem in that the Mac(s) are not connected to the ADSL WAN router.

Presumably (see attached) I would create a static route from Mac to Linux box, then Linux box to SIP Server?
Network2.pdf
 
LVL 36

Accepted Solution

by: ArneLovius (earned 314 total points)
Just set the static routes on the router that connects to the Sat modem, use the internal address of the ADSL router as the next hop.

Alternatively, run a "router" internally that has the sat router as default, and static routes for the ITSP pointing to the ADSL router, then set that device as the default gateway for all internal devices.

The "router" could be a Linux box or an Ethernet router; you're not routing between networks, just using it to route packets to the correct edge router.
 
LVL 39

Expert Comment

by: noci
Besides a route (and allowance for the specified protocols: SIP = TCP 5060, 5061 and UDP 5060) you also need NAT support (if NAT is involved).

Now it depends on your kernel version what exactly you need to do:
You need some NAT helper support to let the RTP stream follow the SIP stream.

It used to be implemented by the kernel modules ipt_conntrack_sip and ipt_nat_sip;
now they are nf_nat_sip and nf_conntrack_sip.
Also stateful packet inspection is needed, as well as iptables rules to forward the related streams next to established streams.

Either that, or you need a SIP-Proxy.
 

Author Comment

by: brothertom
A SIP proxy sounds easier - what's available on Linux or MacOS?
 
LVL 36

Assisted Solution

by: ArneLovius (earned 314 total points)
Considering that your SIP traffic is going over your sat router quite happily, I would do two tests.

1/ set the ADSL connection as the default route on one of the computers and see if the softphone works, if it does, then;

2/ add static routes for your SIP provider onto the satellite router with the ADSL LAN address as the gateway and retest.

The sat router will route the packets, but as they will be going in and out the same interface, they will not go over NAT, the extra load should be minimal, and if it does ICMP redirection correctly, the traffic flow will only touch the sat router during setup.

This will be significantly simpler than configuring a SIP proxy/SBC.
 

Author Comment

by: brothertom
I guess the downside of a static route is that it is IP based and DNS based.
I'll have a go with both ideas and see what works best for us.
 
LVL 36

Assisted Solution

by: ArneLovius (earned 314 total points)
Static routes would be IP based; granted, you would have to update them if your ITSP changed addresses, but this should not happen often.
 
LVL 39

Assisted Solution

by: noci (earned 186 total points)
Configuring a SIP proxy is definitely NOT easy (it's the front end of any telephone exchange and does the bulk of handling traffic), and bridging connections is just a small part of it.
You will need to configure every aspect of an SBC (Sip Border Controller) though.
 
LVL 36

Assisted Solution

by: ArneLovius (earned 314 total points)
Setting up static routes should take less time than it takes to just read through this howto on using FreeSWITCH as an SBC:

http://wiki.freeswitch.org/wiki/SBC_Setup
 

Author Comment

by: brothertom
Yay, it works :)

I added a new LAN/WAN router to the network (WAN connected to the correct ADSL line) and created a static route on the satellite to point the SIP traffic to the new router.

Worked great.

For an encore, I wanted to get this working with an existing Linux box on the network that was already connected to the correct WAN, so I did the following:

iptables -F
# NAT everything leaving on the WAN interface (eth1)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# LAN (eth0) -> WAN (eth1): accept packets belonging to flows conntrack already knows
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# WAN (eth1) -> LAN (eth0): accepts everything (see the concern below)
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# send traffic for the SIP server (x.x.x.x) out via the WAN gateway (y.y.y.y)
ip route add x.x.x.x/32 via y.y.y.y dev eth1

So, essentially enabled NAT forwarding on the Linux box, then added another static route on the Linux box routing to the SIP x.x.x.x server traffic via the WAN on y.y.y.y.

This also worked, which is what I wanted.

The only problem I see here is that it looks like I am now allowing ANY traffic to enter the LAN from the WAN over the NAT Linux box (/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT).

If this is the case, any idea which iptables commands are needed to only allow inbound traffic for connections that have been established from internal sources (e.g. the SIP phones) and reject all other WAN inbound traffic?
 
LVL 39

Assisted Solution

by: noci (earned 186 total points)
If just SIP, then TCP 5060, TCP 5061 and UDP 5060 should be allowed, plus UDP for each of the RTP links.

So add a rule for each of:

 -p tcp --dport 5060 {state}
 -p tcp --dport 5061 {state}
 -p udp --dport 5060 {state}

The {state} above should be "-m state --state NEW" for old style
and "-m conntrack --ctstate NEW" for new style.

RTP tracks are easiest followed using connection tracking.
Then also add a rule:

iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Use "-m conntrack --ctstate" in case of new style connection tracking.
 

Author Comment

by: brothertom
OK, so I did (in total)

iptables -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# each rule needs a target (-j ACCEPT); a rule without one matches packets but takes no action
iptables -A INPUT -p tcp --dport 5060 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 5061 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Do I need to do something extra for the RTP tracking or does the last command take care of that?   I presume the ESTABLISHED,RELATED allows 'new' ports to be used for already established connections (such as the initial SIP connection on TCP/5060)?

Also, do I need to add any DENY type commands to block everything else on the incoming WAN?  Here is my current iptables if this is of use...

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
           tcp  --  anywhere             anywhere             tcp dpt:sip state NEW
           tcp  --  anywhere             anywhere             tcp dpt:sip-tls state NEW
           udp  --  anywhere             anywhere             udp dpt:sip state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
LVL 39

Assisted Solution

by: noci (earned 186 total points)
If the SIP modules for conntrack and NAT are loaded, then RELATED should take the RTP stream with it.
 

Author Comment

by: brothertom
Just a follow up:
Should the -p tcp --dport 5060 {state} rule be added to INPUT or FORWARD (the latter, I presume)?

How can I test the integrity of the iptables rules from the LAN side?
I'm guessing by having a process listening on port 5060/tcp on the LAN side, then attempting to connect from the WAN side.

By the way, is DENY the default in IPTABLES and we're just opening up the ports needed?
 
LVL 39

Expert Comment

by: noci
At least forward if it is routed through the box.
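Pulling together noci's points in this thread (the SIP conntrack/NAT helper modules, NEW-state SIP rules in the FORWARD chain, ESTABLISHED,RELATED carrying the RTP legs) and brothertom's question about denying everything else inbound from the WAN, here is an added example, not code posted in the thread, of a small sh script that does it with a default DROP on FORWARD. Interface names, the SIP server address and the WAN gateway are placeholders standing in for the thread's x.x.x.x and y.y.y.y; setting IPT=echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example (not from the thread): forwarding ruleset for a Linux box that
# only carries SIP/RTP from the LAN to the ITSP over the ADSL WAN.
# Assumptions (placeholders, not from the page): LAN on eth0, WAN on eth1,
# ITSP at SIP_SERVER, next hop WAN_GW (both RFC 5737 documentation addresses).
IPT="${IPT:-/sbin/iptables}"      # set IPT=echo for a dry run
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
SIP_SERVER="${SIP_SERVER:-203.0.113.10}"   # constructed placeholder
WAN_GW="${WAN_GW:-198.51.100.1}"           # constructed placeholder

load_sip_helpers() {
    # nf_conntrack_sip reads the SDP so the RTP streams become RELATED flows;
    # nf_nat_sip rewrites the addresses embedded in SIP/SDP under MASQUERADE.
    modprobe nf_conntrack_sip && modprobe nf_nat_sip
}

apply_sip_firewall() {
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    # Default deny for routed traffic; everything below is an explicit allow.
    $IPT -P FORWARD DROP
    # Replies and helper-derived RTP flows in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only LAN-originated SIP signalling to the ITSP may open new connections;
    # other LAN traffic is not this box's job (it still uses the sat router).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$SIP_SERVER" -p udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$SIP_SERVER" -p tcp -m multiport --dports 5060,5061 -m conntrack --ctstate NEW -j ACCEPT
    # Unsolicited WAN->LAN packets: rate-limited log, then dropped by the policy.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

enable_routing() {
    sysctl -w net.ipv4.ip_forward=1
    # Host route so only traffic for the ITSP leaves via the ADSL gateway.
    ip route replace "$SIP_SERVER/32" via "$WAN_GW" dev "$WAN_IF"
}

# Run as root with the argument "apply" to configure the box; without it the
# script only defines the functions (useful for sourcing or dry runs).
if [ "${1:-}" = "apply" ]; then load_sip_helpers; apply_sip_firewall; enable_routing; fi
```

Test from the WAN side as brothertom suggests: a listener on the LAN should be unreachable, while a softphone on the LAN still registers and carries audio.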
 

Author Closing Comment

by: brothertom
Thank you both - all working nicely.