Iptables – Make Asterisk serve another subnet

Tags: asterisk, iptables, port-forwarding, subnet, udp

I have a server with Linux Ubuntu 12.04. It has two subnets – 192.168.0.1 (eth0) and 192.168.1.1 (eth1).

There is an Asterisk server (IP PBX) connected to the first subnet; let's say it has IP address 192.168.0.28.

I would need SIP clients from the 192.168.1.x subnet to be able to connect to that Asterisk server.

My idea is to make all SIP clients connect to the gateway server (the one that is in both subnets, i.e. the one at 192.168.1.1 of their subnet) and make it port forward all UDP 5060 connections to 192.168.0.28 (the IP PBX).

Here is my idea:

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.28 -p udp --dport 5060 -m state \
    --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5060 -j DNAT \
    --to-destination 192.168.0.28
iptables -t nat -A POSTROUTING -p tcp --dport 5060 -d 192.168.0.28 \
    -o eth0 -j MASQUERADE

But the SIP clients (softphones) from 192.168.1.x can't register. I have tried to port forward the HTTP port just to test it:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.28 -p tcp --dport 80 -m state \
    --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT \
    --to-destination 192.168.0.28:80
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.0.28 \
    -o eth0 -j MASQUERADE

and that works fine, but with the first one, with UDP forwarding, I can't get clients to register at the Asterisk server.

UPD:

As suggested in the comments, I would need to use route instead of iptables, so I guess the command would be something like this:

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.28 dev eth0

But that didn't really work. Plus, I don't want to expose the whole IP PBX host to the 192.168.1.x network, only port 5060 for the SIP clients (softphones).

Best Answer

Why use NAT? In this scenario, you can route directly between the two LANs, without any port forwarding at all.

Anyway, if you really want to use NAT, port 5060 should be sufficient if your clients are standard SIP ones. If they are mixed/custom protocol clients (e.g. Cisco H323 and/or SCTP/SCCP implementations) you will need to open additional port ranges.

EDIT: the route you added is wrong. Let me illustrate your network setup:

    LAN 192.168.0.x/24              LAN 192.168.1.x/24
     ----------------                ----------------
     |  |  |  |  |  |                |  |  |  |  |  |
     |              |                |              |
     |              |                |              |
    PBX             |  UBUNTU SERVER |          SIP CLIENT
192.168.0.28   192.168.0.1      192.168.1.1  eg: 192.168.1.10
                    |                |
                    |________________|

As per your description, the Ubuntu server is a multihomed host - it has one interface on LAN 192.168.0.x and another interface on LAN 192.168.1.x. In order to route between the networks, you need to announce to the clients that the Ubuntu machine serves as the gateway for the other LAN. Assuming all involved machines are Linux clients, you need:

  • on each 192.168.0.x machine, issue route add -net 192.168.1.0/24 gw 192.168.0.1
  • on each 192.168.1.x machine, issue route add -net 192.168.0.0/24 gw 192.168.1.1
  • on the Ubuntu server, you can set up firewall rules to only forward/route packets for 192.168.0.28 by issuing iptables -A FORWARD -d 192.168.0.28 -j ACCEPT and iptables -A FORWARD -s 192.168.0.28 -j ACCEPT

Please note that the steps outlined above are for illustration purposes only and are not best practice: for example, rather than issuing a specific routing command on each client, you can (and should) insert the right routes on the LANs' respective gateways.

However, this is networking at a very basic level - if you are asking this, you really need to read up on what routing and NAT are and how to use them effectively.
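The routed design from the answer above, written out as an added example (not code from either the question or the answer): an iptables-restore ruleset for the Ubuntu gateway that forwards only SIP signalling (UDP 5060) from the 192.168.1.0/24 LAN to the PBX and drops everything else crossing the box, which is the "only port 5060" restriction the asker wanted, without any DNAT or MASQUERADE. It assumes the addresses from the thread (PBX at 192.168.0.28, eth0 on 192.168.0.0/24, eth1 on 192.168.1.0/24) and additionally allows an RTP media range of 10000-20000/udp; that range is an assumption not stated on the page (SIP media runs on separate UDP ports negotiated per call) and should be matched to the PBX's own RTP configuration. The client-side routes from the answer are still required so that 192.168.1.x hosts send PBX-bound traffic to 192.168.1.1 in the first place.

```shell
#!/bin/sh
# Added example (not from the original post): routed-only gateway ruleset
# for the multihomed Ubuntu server. Assumed addresses and interfaces below.
PBX=192.168.0.28
SIP_LAN=192.168.1.0/24
PBX_IF=eth0
CLIENT_IF=eth1
RTP_RANGE=10000:20000   # assumed RTP media range; not stated on the page

# Emit the ruleset on stdout in iptables-restore format.
gateway_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies for flows that were already allowed, in either direction
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SIP signalling from the client LAN to the PBX only
-A FORWARD -i $CLIENT_IF -o $PBX_IF -s $SIP_LAN -d $PBX -p udp --dport 5060 -m state --state NEW -j ACCEPT
# RTP media (assumed range) between the client LAN and the PBX, both directions
-A FORWARD -i $CLIENT_IF -o $PBX_IF -s $SIP_LAN -d $PBX -p udp --dport $RTP_RANGE -m state --state NEW -j ACCEPT
-A FORWARD -i $PBX_IF -o $CLIENT_IF -s $PBX -d $SIP_LAN -p udp --dport $RTP_RANGE -m state --state NEW -j ACCEPT
# anything else trying to cross the gateway is logged (rate limited), then hits the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Number of explicit FORWARD rules in the generated ruleset.
forward_rule_count() {
    gateway_ruleset | grep -c '^-A FORWARD'
}

# Checks that run without root: no NAT table, no DNAT/MASQUERADE targets,
# and a default-drop FORWARD policy, i.e. the PBX host is not exposed beyond
# the listed ports and nothing is being address-translated.
ruleset_is_routed_only() {
    gateway_ruleset | grep -q '^\*nat' && return 1
    gateway_ruleset | grep -q -- '-j DNAT\|-j MASQUERADE' && return 1
    gateway_ruleset | grep -q '^:FORWARD DROP' || return 1
    return 0
}

# Apply on the gateway (needs root): enable forwarding, then load the
# whole table atomically so there is no window with a half-built chain.
apply_gateway_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gateway_ruleset | iptables-restore
}
```

Loading the ruleset through iptables-restore replaces the filter table in one step, unlike the sequence of `iptables -A` commands in the question, where the chain is half-built between commands and a typo in one rule (such as a `-p tcp` rule meant for UDP traffic) goes unnoticed. The `FWD-DROP:` log prefix gives the gateway's syslog a searchable record of any 192.168.1.x host attempting to reach something other than the PBX's SIP ports.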