Changes

Jump to: navigation, search

VoIP Firewall

772 bytes added, 20 January
Give an example for several phones behind NAT
 
=NAT=
Avoid using NAT where possible. However, some NAT gateways provide an adequate SIP ALG (e.g. Technicolor TG582), and some devices provide NAT that works with the new call server (e.g. FireBrick 2500/2700 and many simple NAT routers). Using a STUN server (e.g. ''stun.aa.net.uk''} is another possible solution. If NAT works, then well done, but if not we cannot guarantee to be able to make it work. See: [[VoIP NAT]]
 
If you have 2 phones behind a NAT router, they cannot have the same SIP port number, nor the same RTP port range (if they both used port number for SIP of 5060 then when an incoming call came in to external port 5060, NAT wouldn't know which phone to send it to).
 
As an example with 2 phones, the first phone uses inbound SIP port 5060 and incoming RTP ports 5062-5068, and the second phone uses inbound SIP port 5040 and incoming RTP ports 5042-5048. Using iptables, the required rules would be like:
 
/sbin/iptables -t nat -A PREROUTING -i eth0 -m udp -p udp -s 81.187.30.0/24 --dport 5060:5069 -j DNAT --to-destination 192.168.1.12
/sbin/iptables -t nat -A PREROUTING -i eth0 -m udp -p udp -s 81.187.30.0/24 --dport 5040:5049 -j DNAT --to-destination 192.168.1.13
 
See: [[VoIP NAT]]
 
=Further VoIP Security=
379
edits

Navigation menu