NAT question on holding back a port
Harald Welte
laforge@netfilter.org
Thu Aug 19 11:06:20 CEST 2004
On Wed, Aug 18, 2004 at 03:38:09PM +0530, Atanu.Mondal@infineon.com wrote:
> Hi All,
> I have a unique requirement. I am writing a SIP ALG and am facing
> the following situation.
Are you aware that somebody else (forgot his name, please look in the
list archives) is already working on a SIP conntrack/NAT ALG for
netfilter/iptables?
> The local LAN SIP phone sends a registration message and along with it,
> its own contact port number. This gets SRC NATted and the SIP ALG changes
> the LAN contact address and contact port to a firewall global address
> and contact port... A DNAT rule also gets added dynamically on this
> global address and contact port so that any WAN phone calling on this
> global address and contact port will get DNATed to the LAN SIP phone.
You don't add rules in such a case but 'raise expectations'. Please
read the numerous other NAT helpers available in patch-o-matic-ng.
> Now any phone on the WAN can connect to the LAN phone by calling on this
> contact address and contact port.
>
> My problem arises from the part that if the conntrack created by the
> Registration message goes off, and any other application is given that
> global port (NAT checks only for unique tuple match to assign port)..
I don't really see how this would happen if you raise an expectation
with unspecified source port/ip.
> Regards
> Atanu Mondal
-- 
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
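The point of the reply above is that a helper does not install a DNAT rule for the global contact port; it raises a conntrack expectation whose source IP and source port are left unspecified, so that a call from any WAN phone to the global address and contact port is matched and redirected to the LAN phone. The following is an added userspace model of that tuple/mask matching, written for this page; it is not netfilter's kernel code (the real helper calls into the conntrack expectation API, such as ip_conntrack_expect_related() in the 2.4/early 2.6 series) and its struct layout, table size, addresses and ports are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 5-tuple, host byte order.  Not the kernel's ip_conntrack_tuple. */
struct tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;            /* 6 = TCP, 17 = UDP */
};

/* An expectation: a tuple to compare, a mask saying which fields count
 * (all-ones = must match, zero = wildcard), and the LAN target a matching
 * packet is DNATed to. */
struct expectation {
    struct tuple tuple;
    struct tuple mask;
    struct tuple lan;
    int in_use;
};

#define MAX_EXPECT 8
static struct expectation table[MAX_EXPECT];   /* hypothetical expectation table */

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static void clear_expectations(void) { memset(table, 0, sizeof table); }

/* Compare every field under the expectation's mask. */
static int expect_matches(const struct expectation *e, const struct tuple *p) {
    return ((p->src_ip   & e->mask.src_ip)   == (e->tuple.src_ip   & e->mask.src_ip))   &&
           ((p->dst_ip   & e->mask.dst_ip)   == (e->tuple.dst_ip   & e->mask.dst_ip))   &&
           ((p->src_port & e->mask.src_port) == (e->tuple.src_port & e->mask.src_port)) &&
           ((p->dst_port & e->mask.dst_port) == (e->tuple.dst_port & e->mask.dst_port)) &&
           ((p->proto    & e->mask.proto)    == (e->tuple.proto    & e->mask.proto));
}

/* What the SIP helper does after rewriting the REGISTER's Contact: expect
 * "any source -> global_ip:contact_port" and remember the LAN phone behind it.
 * Source IP and port masks stay zero, i.e. unspecified, as in the reply above.
 * Returns the table slot used, or -1 when the table is full. */
static int raise_sip_expectation(uint32_t global_ip, uint16_t contact_port,
                                 uint32_t lan_ip, uint16_t lan_port, uint8_t proto) {
    for (int i = 0; i < MAX_EXPECT; i++) {
        if (table[i].in_use) continue;
        memset(&table[i], 0, sizeof table[i]);
        table[i].tuple.dst_ip   = global_ip;
        table[i].tuple.dst_port = contact_port;
        table[i].tuple.proto    = proto;
        table[i].mask.dst_ip    = 0xffffffffu;
        table[i].mask.dst_port  = 0xffff;
        table[i].mask.proto     = 0xff;
        table[i].lan.dst_ip     = lan_ip;
        table[i].lan.dst_port   = lan_port;
        table[i].in_use = 1;
        return i;
    }
    return -1;
}

/* Index of the first expectation matching the packet, or -1. */
static int find_expectation(const struct tuple *p) {
    for (int i = 0; i < MAX_EXPECT; i++)
        if (table[i].in_use && expect_matches(&table[i], p))
            return i;
    return -1;
}

/* Rewrite the destination of a packet that hits an expectation.
 * Returns 1 when translated, 0 when no expectation applied. */
static int dnat_by_expectation(struct tuple *p) {
    int i = find_expectation(p);
    if (i < 0) return 0;
    p->dst_ip   = table[i].lan.dst_ip;
    p->dst_port = table[i].lan.dst_port;
    return 1;
}

int main(void) {
    clear_expectations();
    /* Constructed addresses: firewall global 203.0.113.1, LAN phone 192.168.1.10 */
    raise_sip_expectation(ip4(203, 0, 113, 1), 30000, ip4(192, 168, 1, 10), 5060, 17);

    struct tuple call = { ip4(198, 51, 100, 7), ip4(203, 0, 113, 1), 40000, 30000, 17 };
    printf("INVITE from WAN phone: %s\n",
           dnat_by_expectation(&call) ? "redirected to LAN phone" : "no expectation");

    struct tuple other = { ip4(198, 51, 100, 9), ip4(203, 0, 113, 1), 1024, 30001, 17 };
    printf("Packet to another port: %s\n",
           dnat_by_expectation(&other) ? "redirected to LAN phone" : "no expectation");
    return 0;
}
```

Because the source fields are masked out, packets from two unrelated WAN hosts with arbitrary source ports both hit the same expectation, while a packet to a neighbouring port does not; that is the behaviour the reply describes as making a dynamically added DNAT rule unnecessary.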