Re: How to make bi-directional NAT'ting?

From: "Tyler J. Wagner" <tyler@tolaris.com>
To: "\"Яцко Эллад Геннадьевич (ngs)\"" <eyatsko@ngs.ru>
Cc: netfilter@vger.kernel.org
Subject: Re: How to make bi-directional NAT'ting?
Date: Tue, 23 Aug 2011 11:50:19 +0100	[thread overview]
Message-ID: <4E5385EB.9040808@tolaris.com> (raw)
In-Reply-To: <4E536427.2040503@ngs.ru>

On 2011-08-23 09:26, "яцко Ёллад √еннадьевич (ngs)" wrote:
> Hello!
> 
> I have some specific problem with Cisco CP7961G IP phone.
> It sends packets to external Softswitch using one UDP port
> which differs from 5060 (voipControlPort in its .XML), but
> it waits answers on 5060!
> And I can't do anything with it! I have tried Firmware from
> 8.0.x up to 8.5.x - all the same!
> 
> One thing I think is make corresponding translation on IPTables.
> SNAT in direct path (from 79161 to Softswitch) and DNAT
> in backward direction (from outside Softswitch to 7961).
> 
> BUT IT DOESN'T WORK! :-)
> 
> $IPTABLES -t nat -A PREROUTING          -p udp -s 80.251.x.x
>                         -d 80.251.y.y --dport 5060 -j DNAT --to-destination
> 172.16.128.200:5060
> $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 172.16.128.0/24 --sport
> 1024:65535 -d 80.251.x.x --dport 5060 -j SNAT --to-source      80.251.y.y:5060

SIP is difficult to correct with NAT. It includes connection data at layer
7. So the Softswitch may be ignoring packet headers and replying to that.

I don't think NAT is your solution here. Something else is wrong in the SIP
setup of this device.

Regards,
Tyler

-- 
"[...] the effectiveness of pat-downs does not matter very much, because
the obvious goal of the TSA is to make the pat-down embarrassing enough
for the average passenger that the vast majority of people will choose
high-tech humiliation over the low-tech ball check."
   -- Jeffrey Goldberg, "For the First Time, the TSA Meets Resistance"
      The Atlantic, 2010-10-29