
Re: debian-user-digest Digest V2005 #308



On Wednesday, 02.02.2005 at 11:33 -0800, Gerard J. Cerchio wrote:

> > > I have multiple Cisco ATA 188 phone adapters behind a Debian Woody 2.4 
> > > kernel acting as a NAT to a single Internet IP address.
> > > 
> > > The phones all make outgoing calls just fine. The incoming calls cannot 
> > > get through.
> > > 
> > > Does anyone have an iptables NAT script that will allow the phones to 
> > > work both ways?
> > > 
> > > Here are my current entries:
> > > 
> > >   iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
> > > 
> > >   iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 16384 -j DNAT --to-dest 10.10.0.12:16384
> > >   iptables -t nat -A PREROUTING -d $EXTIP -p udp --dport 16384 -j DNAT --to-dest 10.10.0.12:16384
> > > 
> > >   iptables -A FORWARD -i eth0 -p udp -d 10.10.0.12 --dport 16384 -j ACCEPT
> > >   iptables -A FORWARD -i eth0 -p tcp -d 10.10.0.12 --dport 16384 -j ACCEPT
> > > 
> > > where 16384 is the media port on the ATA188 (there is a set for each 
> > > ATA188)
> > > the FORWARD rules don't seem to do anything
> >
> > Can you tell us what $MASQ_NET and $EXT refer to?  Which interface is
> > eth0? etc.
> 
>       MASQ_NET is 10.10.0.0/24 - this is the internal NAT'd network on eth1
>       $EXT - is the eth0 adapter that is using $EXT_IP on the public network
>       $INT - is eth1, the internal 10.10.0.0/24 network

The FORWARD rules are certainly necessary, assuming the default policy
for the FORWARD chain is DROP.  I always specify the rules more closely,
e.g. '-A FORWARD -i eth0 -d 10.10.0.12' becomes '-A FORWARD -i eth0 -o
eth1 -d 10.10.0.12', but yours should work.

I am unfamiliar with the Cisco phone adapters you are using, but are you
certain that you have the port numbers correct?  Also, do they use any
ports other than 16384?  If so, you'll need an 'ESTABLISHED/RELATED'
rule to allow this other traffic back in through the firewall.

If that doesn't help, you probably need to show us your complete
firewall ruleset - also include the default policies for each chain,
e.g.

INPUT - DROP
OUTPUT - DROP
FORWARD - DROP
nat PREROUTING - ACCEPT
nat POSTROUTING - ACCEPT
nat OUTPUT - ACCEPT
etc.

Dave.

-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
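The pieces Dave asks for (FORWARD rules pinned to both interfaces, an ESTABLISHED/RELATED rule, explicit chain policies) assembled into one script, as an added example that is not from the thread. The interface names, the 10.10.0.0/24 network, the ATA address 10.10.0.12 and port 16384 come from Gerard's mail; 203.0.113.10 is a placeholder public address, and the state and LOG rules are assumptions of mine so that dropped inbound call traffic shows up in the kernel log with its real port numbers.

```shell
#!/bin/sh
# Added example (not from the thread): a complete FORWARD/nat ruleset for the
# setup Gerard describes. eth0 = public ($EXT), eth1 = 10.10.0.0/24 ($INT),
# ATA at 10.10.0.12 on media port 16384 are from the thread; 203.0.113.10 is a
# placeholder public address, and the ESTABLISHED/RELATED and LOG rules are mine.
EXT=eth0
INT=eth1
MASQ_NET=10.10.0.0/24
EXTIP=203.0.113.10      # placeholder (TEST-NET-3), replace with the real $EXTIP
ATA=10.10.0.12
MEDIA_PORT=16384
IPT=${IPT:-iptables}    # command used to load rules; see rules_text below

build_rules() {
  # filter: drop forwarded traffic by default; nat chains stay ACCEPT so
  # packets that match no DNAT/MASQUERADE rule simply pass through untouched.
  $IPT -P FORWARD DROP
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT
  # Return packets of any already-allowed flow (UDP included: conntrack
  # creates the entry on the first permitted packet). Must come first.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # LAN -> Internet, masqueraded behind $EXTIP.
  $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$MASQ_NET" -m state --state NEW -j ACCEPT
  $IPT -t nat -A POSTROUTING -s "$MASQ_NET" -o "$EXT" -j MASQUERADE
  # Internet -> ATA media port: DNAT in PREROUTING, then the rewritten flow
  # has to be accepted in FORWARD, with both interfaces pinned as Dave suggests.
  for proto in tcp udp; do
    $IPT -t nat -A PREROUTING -i "$EXT" -d "$EXTIP" -p "$proto" --dport "$MEDIA_PORT" \
      -j DNAT --to-destination "$ATA:$MEDIA_PORT"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p "$proto" -d "$ATA" --dport "$MEDIA_PORT" \
      -m state --state NEW -j ACCEPT
  done
  # Log what still gets dropped (rate-limited) so a failing incoming call
  # shows up in the kernel log with its real port numbers.
  $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
}

emit() { printf '%s\n' "$*"; }
# Dry run: print each rule's arguments instead of calling iptables.
rules_text() { ( IPT=emit; build_rules ); }

# Set APPLY=1 (as root) to load the rules; the default just prints them.
if [ "${APPLY:-0}" = 1 ]; then build_rules; else rules_text; fi
```

Run it once without APPLY to review the generated rules, then compare them against `iptables -t nat -L -n` and `iptables -L -n` on the Woody box; the FWD-DROP entries in `dmesg` tell you which other ports the adapters are using if 16384 is not the whole story.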
