#1
Hello all,
is there a patch for netfilter regarding the SIP protocol (for telephony
in VOIP).
It seems there is, but, I can not find it.
Any suggestions ?

Miss Terre

#2
Miss Terre <(E-Mail Removed)> writes:

> is there a patch for netfilter regarding the SIP protocol (for telephony
> in VOIP).
> It seems there is, but, I can not find it.
> Any suggestions ?

What do you want the patch to do? What feature are you missing?

(You know about things like CONFIG_IP_NF_SIP? If it's a NAT issue,
recent kernels have SIP-aware stuff, though I think the earlier attempts
were a bit flaky.)

Mark

#3
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> Miss Terre <(E-Mail Removed)> writes:
>
> > is there a patch for netfilter regarding the SIP protocol (for telephony
> > in VOIP).
> > It seems there is, but, I can not find it.
> > Any suggestions ?
>
> What do you want the patch to do? What feature are you missing?
>
> (You know about things like CONFIG_IP_NF_SIP? If it's a NAT issue,
> recent kernels have SIP-aware stuff, though I think the earlier attempts
> were a bit flaky.)
>
> Mark
>

Great !
This effectively concerns the NAT issue. How to make a PC behind a linux
firewall with MASQUERADING work with X-lite ?
I'll dig this !
thanks a lot.

#4
On 09/28/2007 06:59 PM, Miss Terre wrote:
> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>> Miss Terre <(E-Mail Removed)> writes:
>>
>>> is there a patch for netfilter regarding the SIP protocol (for telephony
>>> in VOIP).
>>> It seems there is, but, I can not find it.
>>> Any suggestions ?
>> What do you want the patch to do? What feature are you missing?
>>
>> (You know about things like CONFIG_IP_NF_SIP? If it's a NAT issue,
>> recent kernels have SIP-aware stuff, though I think the earlier attempts
>> were a bit flaky.)
>>
>> Mark
>>
>
> Great !
> This effectively concerns the NAT issue. How to make a PC behind a linux
> firewall with MASQUERADING work with X-lite ?
> I'll dig this !
> thanks a lot.

The X-lite and many other good SIP clients/servers can also use STUN for
traversing UDP datagrams/packets over NAT.

--
Dr Balwinder S "bsd" Dheeman          Registered Linux User: #229709
Anu'z Linux@HOME                      Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India         Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/  Visit: http://counter.li.org/

#5
In article <(E-Mail Removed)>, (E-Mail Removed) says...
> On 09/28/2007 06:59 PM, Miss Terre wrote:
> > In article <(E-Mail Removed)>, (E-Mail Removed) says...
> >> Miss Terre <(E-Mail Removed)> writes:
> >>
> >>> is there a patch for netfilter regarding the SIP protocol (for telephony
> >>> in VOIP).
> >>> It seems there is, but, I can not find it.
> >>> Any suggestions ?
> >> What do you want the patch to do? What feature are you missing?
> >>
> >> (You know about things like CONFIG_IP_NF_SIP? If it's a NAT issue,
> >> recent kernels have SIP-aware stuff, though I think the earlier attempts
> >> were a bit flaky.)
> >>
> >> Mark
> >>
> >
> > Great !
> > This effectively concerns the NAT issue. How to make a PC behind a linux
> > firewall with MASQUERADING work with X-lite ?
> > I'll dig this !
> > thanks a lot.
>
> The X-lite and many other good SIP clients/servers can also use STUN for
> traversing UDP datagrams/packets over NAT.

My goal is to make X-lite (under windows, on a PC behind the firewall)
be able to work through the linux firewall, with no modification (as
possible) on the windows client.

Would STUN help for this ?

I must admit I didn't know STUN.

Regards

#6
Hello,

Miss Terre wrote:
>
> is there a patch for netfilter regarding the SIP protocol (for telephony
> in VOIP).

Support for connection tracking and NAT of the SIP protocol in Netfilter has been included in the mainline kernel since version 2.6.18. Of course it has to be enabled at configure/build time. Snapshots of the patch-o-matic-ng until patch-o-matic-ng-20061211 contain experimental patches for older kernel versions >= 2.6.11.

As usual, load the ip_conntrack_sip and ip_nat_sip modules (or nf_conntrack_sip and nf_nat_sip in recent kernels), then create iptables rules which accept NEW outgoing SIP packets (to UDP port 5060) and ESTABLISHED,RELATED packets from/to any port in both directions.

However, as others said, some SIP clients such as X-Lite can use NAT traversal techniques such as STUN which do not require specific support for the SIP protocol in the firewall/NAT.
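
The setup described in this post, written out for a MASQUERADE gateway as an added example (not code from the thread): the function prints the commands so they can be reviewed before being piped to a root shell. The interface names eth1/eth0, a FORWARD policy of DROP, and the optional "explicit" mode (binding the helper through the raw table, which later kernels need because they no longer assign conntrack helpers automatically) are assumptions that go beyond the post.

```sh
#!/bin/sh
# Added example: dry-run generator for a SIP-aware MASQUERADE gateway.
# Assumes the FORWARD chain policy is already DROP; interface names are
# placeholders for the LAN-side and Internet-side interfaces.

# sip_gateway_rules LAN_IF WAN_IF [auto|explicit]
sip_gateway_rules() {
    lan=$1 wan=$2 mode=${3:-auto}

    # The output is meant to be piped to a shell, so refuse anything that
    # is not a plain interface name.
    for i in "$lan" "$wan"; do
        case $i in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $i" >&2; return 1 ;;
        esac
    done

    # Helper modules: nf_* names on recent kernels, ip_* on older ones.
    echo "modprobe nf_conntrack_sip || modprobe ip_conntrack_sip"
    echo "modprobe nf_nat_sip || modprobe ip_nat_sip"

    if [ "$mode" = explicit ]; then
        # Attach the SIP helper only to signalling that enters from the LAN.
        echo "iptables -t raw -A PREROUTING -i $lan -p udp --dport 5060 -j CT --helper sip"
    fi

    # Replies, plus the media flows the helper marks RELATED, in both
    # directions and on any port. (-m conntrack --ctstate is the newer
    # spelling of -m state --state.)
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # NEW is accepted only for outgoing SIP signalling to UDP port 5060.
    echo "iptables -A FORWARD -i $lan -o $wan -p udp --dport 5060 -m state --state NEW -j ACCEPT"
    # Source NAT for the LAN; nf_nat_sip rewrites the addresses carried
    # inside the SIP/SDP payload to match.
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
}

# Print the plan. To apply it as root: sip_gateway_rules eth1 eth0 | sh
sip_gateway_rules "${LAN_IF:-eth1}" "${WAN_IF:-eth0}" "${HELPER_MODE:-auto}"
```

After applying, `conntrack -L expect` (from conntrack-tools) lists the media expectations the helper creates during a call, which confirms that RELATED traffic is being matched by the helper and not by a wider rule.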
#7
On 09/28/2007 07:32 PM, Miss Terre wrote:
> In article <(E-Mail Removed)>,
> (E-Mail Removed) says...
>> On 09/28/2007 06:59 PM, Miss Terre wrote:
>>> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>>>> Miss Terre <(E-Mail Removed)> writes:
>>>>
>>>>> is there a patch for netfilter regarding the SIP protocol (for telephony
>>>>> in VOIP).
>>>>> It seems there is, but, I can not find it.
>>>>> Any suggestions ?
>>>> What do you want the patch to do? What feature are you missing?
>>>>
>>>> (You know about things like CONFIG_IP_NF_SIP? If it's a NAT issue,
>>>> recent kernels have SIP-aware stuff, though I think the earlier attempts
>>>> were a bit flaky.)
>>>>
>>>> Mark
>>>>
>>> Great !
>>> This effectively concerns the NAT issue. How to make a PC behind a linux
>>> firewall with MASQUERADING work with X-lite ?
>>> I'll dig this !
>>> thanks a lot.
>> The X-lite and many other good SIP clients/servers can also use STUN for
>> traversing UDP datagrams/packets over NAT.
>
> My goal is to make X-lite (under windows, on a PC behind the firewall)
> be able to work through the linux firewall, with no modification (as
> possible) on the windows client.

You need not modify anything on any machine, think that you don't even
have control over these; just configure your X-Lite to use some publicly
available stun server.

> Would STUN help for this ?

Yes.

> I must admit I didn't know STUN.

Tsk, tsk! try Wikipedia http://en.wikipedia.org/wiki/STUN

<blah>
In case STUN does not serve your purpose well and, or you still are
interested to go by netfilter route, the http://www.iptel.org/sipalg/
page could be quite handy.

I have:
[bsd@cto ~]$ grep SIP=. /usr/src/linux-2.6.22.8/.config
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_NAT_SIP=m
</blah>

--
Dr Balwinder S "bsd" Dheeman          Registered Linux User: #229709
Anu'z Linux@HOME                      Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India         Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/  Visit: http://counter.li.org/

#8
Balwinder S Dheeman <(E-Mail Removed)> writes:
(snip)
> I have:
> [bsd@cto ~]$ grep SIP=. /usr/src/linux-2.6.22.8/.config
> CONFIG_NF_CONNTRACK_SIP=m
> CONFIG_NF_NAT_SIP=m
> </blah>

Mmmm. My problem is my ISP gives me an RFC1918 address on my external
interface but they route a static routable IP address to it, in a sort
of NAT-on-their-end. So, if I try using the netfilter stuff above,
it puts the wrong IP address as the place to find me.

Mark

#9
On 09/28/2007 09:27 PM, Mark T.B. Carroll wrote:
> Balwinder S Dheeman <(E-Mail Removed)> writes:
> (snip)
>> I have:
>> [bsd@cto ~]$ grep SIP=. /usr/src/linux-2.6.22.8/.config
>> CONFIG_NF_CONNTRACK_SIP=m
>> CONFIG_NF_NAT_SIP=m
>> </blah>
>
> Mmmm. My problem is my ISP gives me an RFC1918 address on my external
> interface but they route a static routable IP address to it, in a sort
> of NAT-on-their-end. So, if I try using the netfilter stuff above,
> it puts the wrong IP address as the place to find me.

That's why people prefer STUN, which is much more mature compared to
netfilter. In some of the cases, where your SIP client and, or server
does not have STUN functionality, we may still use some independent STUN
client to discover our external IP and reconfigure the iptables accordingly.

--
Dr Balwinder S "bsd" Dheeman          Registered Linux User: #229709
Anu'z Linux@HOME                      Machines: #168573, 170593, 259192
Chandigarh, UT, 160062, India         Gentoo, Fedora, Debian/FreeBSD/XP
Home: http://cto.homelinux.net/~bsd/  Visit: http://counter.li.org/

#10
Balwinder S Dheeman wrote:
>
> That's why people prefer STUN, which is much more mature compared to
> netfilter.

What do you mean by "more mature" ? IMHO one cannot compare Netfilter and STUN, they are too different in their nature and purpose.

> In some of the cases, where your SIP client and, or server
> does not have STUN functionality, we may still use some independent STUN
> client to discover our external IP and reconfigure the iptables accordingly.

What do you reconfigure in iptables exactly ?

Tags: netfilter, sip