iptables and SIP
richard at o-matrix.org
Fri Dec 17 01:05:03 CET 2004
> On Tue, Dec 14, 2004 at 12:18:41PM +0100, Zelmans, Bernard wrote:
> > Is there some iptables code that supports SIP:
> > -opening the pinhole
> > -modify the IP address of the end point in the signaling so that the rtp
> > channel is opened properly
> > -closing the pinhole when the call is terminated
> > -preventing DOS attacks
> No, but contributions/patches are always welcome.
> As for now, I think running siproxd (including rtp proxy) is the best
> you can get.
People have been talking/asking for a SIP ALG for a long time. Making a
rudimentary one is not too hard. You can check the Linksys routers' GPL code. The
latest code of the wrt54g has a SIP conntrack. It is ok to make basic phone
SIP is a quite complex and flexible protocol. When it gets to some features,
I haven't seen a working SIP ALG yet. For example, with Linksys' SIP
conntrack, if you have two phones behind the same NAT calling between
each other, with certain phones the SIP CANCEL message can't be processed
properly. So if one side hangs up before the other side picks up, the callee
still keeps getting the ring.
If you only worry about SIP messages having the default 3-minute timeout,
there is a new contribution for a jump TARGET to change the timeout value.
For media to pass through, you can use some kind of rtp proxy sitting on the
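As an added illustration of the first three items in the question (not code from the netfilter project or from the post), the following shows the minimal job a SIP ALG does on an INVITE: read the SDP body to learn which RTP/RTCP pinhole must be opened, and rewrite the phone's private media address to the NAT's public address so the far end sends media somewhere reachable. The sample INVITE and the addresses are constructed; Via/Contact rewriting and pinhole closing on BYE are left out.

```python
"""Added example: SDP handling a SIP ALG needs for the RTP pinhole.

Constructed sample message; not from the netfilter project or the post.
Only the SDP body is rewritten here (Via/Contact are left untouched).
"""
import re

# Constructed INVITE from a phone behind NAT announcing its private address.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.10\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 8000 RTP/AVP 0\r\n"
)

# Lines end in CRLF, so match on the tokens rather than on end-of-line.
C_LINE = re.compile(r"^c=IN IP4 (\S+)", re.M)   # media address
M_LINE = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)  # RTP port


def sdp_pinhole(msg):
    """Return (media_ip, rtp_port, rtcp_port) from the SDP, or None."""
    _head, _sep, body = msg.partition("\r\n\r\n")
    c = C_LINE.search(body)
    m = M_LINE.search(body)
    if not (c and m):
        return None            # no usable SDP: nothing to open
    port = int(m.group(1))
    return c.group(1), port, port + 1   # RTCP is RTP port + 1 by convention


def rewrite_sdp(msg, private_ip, public_ip):
    """Replace private_ip by public_ip in the SDP and fix Content-Length."""
    head, sep, body = msg.partition("\r\n\r\n")
    new_body = body.replace(private_ip, public_ip)
    new_len = len(new_body.encode())
    # Content-Length must match the rewritten body or the far end misparses.
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  f"Content-Length: {new_len}", head)
    return head + sep + new_body
```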