I have a SIP phone on my LAN. Outgoing calls work, but incoming calls do not.

When I call the SIP phone with my mobile phone, it goes straight to the voice mailbox.

This is my network:

Phone --------------- eth1.100|iptables NAT (Debian buster)|eth0.100 ----- Public PBX
10.11.12.13/24      10.11.12.1/24                      xxx.xxx.xxx.xxx    yyy.yyy.yyy.yyy

I currently have these iptables rules:

# Internet access for SIP phone
iptables -A INPUT -i eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1.100 -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0.100 -j MASQUERADE
iptables -A FORWARD -i eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1.100 -j ACCEPT
# Open SIP port
iptables -A PREROUTING -t nat -i eth0.100 -p udp --src yyy.yyy.yyy.yyy --dport 5060 -j DNAT --to-destination 10.11.12.13:5060

I think there's something missing, maybe disable source port rewriting?

Would you have an iptables command for that?

Stuggi
  • I doubt that allowing UDP is sufficient. The phone has to register at regular intervals and that would be using TCP. Have you tried flushing your iptables rules and does everything then work as expected? Just to be sure it's the firewall rules. Something you can try is run tcpdump or Wireshark on your Debian machine to see the packets coming out and to your phone. – Kate Aug 02 '20 at 19:12
  • If I remove "# Open SIP port" the situation remains the same. If I remove all the commands, my SIP phone does not retrieve an IP address. With my old router (pfSense) I solved this issue with this: https://docs.netgate.com/pfsense/en/latest/nat/configuring-nat-for-voip-phones.html – Surfinside Aug 02 '20 at 19:31
  • Check these modules: https://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SIP.html , https://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html then check this blog: https://home.regit.org/netfilter-en/secure-use-of-helpers/ . Wouldn't work if it's encrypted, just like for FTP. – A.B Aug 02 '20 at 20:24
  • In iptables pass TCP 5060 and also any RTP ports that are being used for voice data. – tater Aug 03 '20 at 00:46
  • Hi, just add, iptables -A FORWARD -p udp -d 10.11.12.13 --dport 5060 -j ACCEPT :) – Surfinside Aug 06 '20 at 16:26
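
Why the FORWARD rule in the last comment matters, as an added example that is not code from the thread: the DNAT rule rewrites the destination, but the packet still has to pass the filter table's FORWARD chain, where the posted rules accept only ESTABLISHED,RELATED traffic from eth0.100. The sketch assumes the FORWARD policy is DROP (the question does not show it); the function names and the simplified parser are illustrative.

```python
import shlex

# Rules copied from the question; COMMENT_RULE is the one from the last comment.
QUESTION_RULES = """\
iptables -A INPUT -i eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1.100 -j ACCEPT
iptables -A POSTROUTING -t nat -o eth0.100 -j MASQUERADE
iptables -A FORWARD -i eth0.100 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1.100 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0.100 -p udp --src yyy.yyy.yyy.yyy --dport 5060 -j DNAT --to-destination 10.11.12.13:5060
"""
COMMENT_RULE = "iptables -A FORWARD -p udp -d 10.11.12.13 --dport 5060 -j ACCEPT\n"

# Long spellings folded onto one key so rules compare equal.
ALIASES = {"--src": "-s", "--destination": "-d", "--ctstate": "--state"}

def parse(line):
    """Parse one command into {option: value}. Simplified: assumes every
    option takes exactly one value and no '!' negation is used."""
    tokens = shlex.split(line)[1:]
    rule = {"-t": "filter"}  # iptables default table
    for opt, val in zip(tokens[::2], tokens[1::2]):
        rule[ALIASES.get(opt, opt)] = val
    return rule

def accepts_new(rule, pkt):
    """True if a FORWARD rule accepts the first packet of a new flow."""
    if rule.get("-j") != "ACCEPT" or "NEW" not in rule.get("--state", "NEW").split(","):
        return False  # ESTABLISHED,RELATED never matches a first packet
    # A rule option that is absent matches anything; a present one must agree.
    return all(rule.get(k) in (None, v) for k, v in pkt.items())

def unreachable_dnat(text):
    """Return (ip, port) of DNAT targets with no FORWARD ACCEPT for NEW."""
    rules = [parse(l) for l in text.splitlines() if l.startswith("iptables ")]
    forward = [r for r in rules if r["-t"] == "filter" and r.get("-A") == "FORWARD"]
    missing = []
    for r in rules:
        if r.get("-j") != "DNAT":
            continue
        ip, _, port = r["--to-destination"].partition(":")
        # Packet as the filter table sees it: destination already rewritten.
        pkt = {"-i": r.get("-i"), "-p": r.get("-p"), "-s": r.get("-s"),
               "-d": ip, "--dport": port or r.get("--dport")}
        if not any(accepts_new(f, pkt) for f in forward):
            missing.append((ip, port))
    return missing

if __name__ == "__main__":
    print(unreachable_dnat(QUESTION_RULES), unreachable_dnat(QUESTION_RULES + COMMENT_RULE))
```

The check ignores rule order and DROP/REJECT rules, so it only answers whether any FORWARD rule could accept the forwarded packet.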

0 Answers