I have a server with Linux Ubuntu 12.04. It has two subnets: 192.168.0.1 (eth0) and 192.168.1.1 (eth1).
There is an Asterisk server (IP PBX) connected to the first subnet, let's say it has IP address 192.168.0.28.
I would need SIP clients from the 192.168.1.x subnet to be able to connect to that Asterisk server.
My idea is to make all SIP clients connect to the gateway server (the one that is in both subnets, i.e. the one at 192.168.1.1 of their subnet) and make it port-forward all UDP 5060 connections to 192.168.0.28 (the IP PBX).
Here is my idea:
# enable routing between eth0 and eth1
echo "1" > /proc/sys/net/ipv4/ip_forward
# let replies of already-tracked connections through
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new SIP (UDP 5060) connections from eth1 to the PBX
iptables -A FORWARD -i eth1 -d 192.168.0.28 -p udp --dport 5060 -m state \
--state NEW -j ACCEPT
# rewrite the destination of UDP 5060 arriving on eth1 to the PBX
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 5060 -j DNAT \
--to-destination 192.168.0.28
# source-NAT the forwarded packets so the PBX replies via this box
# (must be udp, not tcp, to match the DNAT rule above)
iptables -t nat -A POSTROUTING -p udp --dport 5060 -d 192.168.0.28 \
-o eth0 -j MASQUERADE
But the SIP clients (softphones) from 192.168.1.x can't register. I have tried to port-forward the HTTP port just to test it:
# same pattern for TCP 80, used only to test the forwarding setup
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.0.28 -p tcp --dport 80 -m state \
--state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT \
--to-destination 192.168.0.28:80
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.0.28 \
-o eth0 -j MASQUERADE
and that works fine, but with the first one, with UDP forwarding, I can't get clients to register at the Asterisk server.
UPD:
As suggested in comments, I would need to use route instead of iptables,
so I guess the command would be something like this:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.28 dev eth0
But that didn't really work. Plus I don't want to expose the whole IP PBX host to the 192.168.1.x network, only port 5060 for the SIP clients (softphones).
Best Answer
Why use NAT? In this scenario, you can directly route between the two LANs, without port forwarding at all.
Anyway, if you really want to use NAT, port 5060 should be sufficient if your clients are standard SIP ones. If they are mixed/custom-protocol clients (e.g. Cisco H.323 and/or SCTP/SCCP implementations) you will need to open additional port ranges.
EDIT: the route you added is wrong. Let me illustrate your network setup:
As per your description, the Ubuntu server is a multihomed host: it has one interface on LAN 192.168.0.x and another interface on LAN 192.168.1.x. In order to route between the networks, you need to announce to the clients that the Ubuntu machine serves as a gateway for the other LAN. Assuming all involved machines are Linux clients, you need:
# on the 192.168.0.x hosts (the PBX included): reach the other LAN via the Ubuntu box
route add -net 192.168.1.0/24 gw 192.168.0.1
# on the 192.168.1.x hosts (the softphones): same, via the Ubuntu box's other interface
route add -net 192.168.0.0/24 gw 192.168.1.1
# on the Ubuntu gateway: allow forwarded traffic to and from the PBX
iptables -A FORWARD -d 192.168.0.28 -j ACCEPT
iptables -A FORWARD -s 192.168.0.28 -j ACCEPT
Please note that the steps outlined above are for illustration only and are not best practices: for example, rather than issuing a specific routing command on each client, you can (and should) insert the right routes on the LANs' respective gateways.
However, this is networking at a very basic level. If you are asking that, you really need to document yourself on what routing/NAT are and how to effectively use them.
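An added check, not from the question or the answer, that audits an iptables-save dump for the two issues discussed on this page: a DNAT whose return path is not NATed for the same protocol (the tcp MASQUERADE beside a udp DNAT), and FORWARD rules or a FORWARD policy that expose more than port 5060 of the PBX. The dump is a constructed snapshot of the question's rules, assumed to be what iptables-save would print for them.

```python
# Constructed iptables-save snapshot of the question's ruleset (assumed, not from the post).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.0.28
-A POSTROUTING -d 192.168.0.28/32 -o eth0 -p tcp -m tcp --dport 5060 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.28/32 -i eth1 -p udp -m udp --dport 5060 -m state --state NEW -j ACCEPT
COMMIT
"""
# Same ruleset with a udp MASQUERADE and a default-deny FORWARD chain.
FIXED = SAMPLE.replace("-p tcp -m tcp", "-p udp -m udp").replace(":FORWARD ACCEPT", ":FORWARD DROP")

def parse(dump):
    """Return ({(table, chain): policy}, [(table, chain, {opt: val}, target)])."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            toks = line.split()  # every option in the sample takes exactly one value
            opts = {toks[i]: toks[i + 1] for i in range(2, len(toks) - 1, 2)}
            rules.append((table, toks[1], opts, opts.get("-j")))
    return policies, rules

def audit(dump):
    """Flag DNAT rules whose return path is not NATed for the same protocol,
    and FORWARD rules/policy that expose more than a single port of the PBX."""
    findings, (policies, rules) = [], parse(dump)
    snat = [o for t, c, o, j in rules if (t, c) == ("nat", "POSTROUTING") and j in ("SNAT", "MASQUERADE")]
    for table, chain, opts, target in rules:
        if table == "nat" and target == "DNAT":
            proto, dst = opts.get("-p"), opts["--to-destination"].split(":")[0]
            # Replies only come back through this box if they are NATed too;
            # a tcp MASQUERADE does nothing for udp SIP (the question's bug).
            if not any(o.get("-p", proto) == proto and o.get("-d", dst).split("/")[0] == dst for o in snat):
                findings.append(f"DNAT {proto}/{opts.get('--dport')} -> {dst}: no {proto} SNAT/MASQUERADE on return path")
        elif (table, chain, target) == ("filter", "FORWARD", "ACCEPT") and "--dport" not in opts and "--state" not in opts:
            findings.append(f"FORWARD ACCEPT without a port match exposes the whole host: {opts}")
    if policies.get(("filter", "FORWARD")) == "ACCEPT":
        findings.append("FORWARD policy is ACCEPT: unmatched traffic is routed between both LANs")
    return findings
```

Run it against `iptables-save` output from the gateway; an empty list means the NAT return path is consistent and only the explicitly listed ports are forwarded.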