On Wednesday, 02.02.2005 at 11:33 -0800, Gerard J. Cerchio wrote:

> > > I have multiple Cisco ATA 188 phone adapters behind a Debian Woody 2.4
> > > kernel acting as a NAT to a single Internet IP address.
> > >
> > > The phones all make outgoing calls just fine. The incoming calls cannot
> > > get through.
> > >
> > > Does anyone have an iptables NAT script that will allow the phones to
> > > work both ways?
> > >
> > > Here are my current entries:
> > >
> > > iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
> > >
> > > iptables -t nat -A PREROUTING -d $EXTIP -p tcp --dport 16384 -j DNAT
> > > --to-dest 10.10.0.12:16384
> > > iptables -t nat -A PREROUTING -d $EXTIP -p udp --dport 16384 -j DNAT
> > > --to-dest 10.10.0.12:16384
> > >
> > > iptables -A FORWARD -i eth0 -p udp -d 10.10.0.12 --dport 16384 -j
> > > ACCEPT
> > > iptables -A FORWARD -i eth0 -p tcp -d 10.10.0.12 --dport 16384 -j
> > > ACCEPT
> > >
> > > where 16384 is the media port on the ATA188 (there is a set for each
> > > ATA188)
> > > the -FORWARD's don't seem to do anything
> >
> > Can you tell us what $MASQ_NET and $EXT refer to? Which interface is
> > eth0? etc.
>
> MASQ_NET is 10.10.0.0/24 - this is the internal NAT'd network on eth1
> $EXT - is the eth0 adapter that is using $EXT_IP on the public network
> $INT - is eth1 the internal 10.10.0.0/24 network

The FORWARD rules are certainly necessary, assuming the default policy
for the FORWARD chain is DROP. I always specify the rules more closely,
e.g. '-A FORWARD -i eth0 -d 10.10.0.12' becomes
'-A FORWARD -i eth0 -o eth1 -d 10.10.0.12', but yours should work.

I am unfamiliar with the Cisco phone adapters you are using, but are you
certain that you have the port numbers correct? Also, do they use any
ports other than 16384? If so, you'll need an 'ESTABLISHED/RELATED' rule
to allow this other traffic back in through the firewall.

If that doesn't help, you probably need to show us your complete
firewall ruleset - also include the default policies for each chain,
e.g.

INPUT - DROP
OUTPUT - DROP
FORWARD - DROP
nat PREROUTING - ACCEPT
nat POSTROUTING - ACCEPT
nat OUTPUT - ACCEPT

etc.

Dave.

-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
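The kind of complete ruleset Dave asks for, written out as an added example (not Dave's suggestion verbatim and not Gerard's script): explicit default policies, FORWARD rules narrowed with both -i and -o, and an ESTABLISHED/RELATED rule so return traffic on any other port the adapters use gets back in. It assumes eth0 public and eth1 internal as Gerard describes, one adapter at 10.10.0.12 on media port 16384, a placeholder public address, and IPT defaulting to a dry-run echo.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces and addresses follow
# Gerard's description; EXTIP is a constructed placeholder.
# IPT defaults to "echo iptables" so the ruleset can be reviewed as a
# dry run; run with IPT=iptables as root to apply it.
EXT=eth0
INT=eth1
MASQ_NET=10.10.0.0/24
EXTIP=${EXTIP:-198.51.100.1}   # placeholder public address
ATA=10.10.0.12
MEDIA_PORT=16384
IPT=${IPT:-echo iptables}

build_rules() {
    # Start clean and set the default policies Dave asks to see
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Outbound NAT for the internal network
    $IPT -t nat -A POSTROUTING -s "$MASQ_NET" -o "$EXT" -j MASQUERADE

    # Replies to anything the LAN (including the ATA) started, on any port
    $IPT -A FORWARD -i "$EXT" -o "$INT" -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # Let the LAN out so outgoing calls keep working
    $IPT -A FORWARD -i "$INT" -o "$EXT" -s "$MASQ_NET" -j ACCEPT

    # Inbound media to the ATA: DNAT plus the matching FORWARD accept,
    # both narrowed by input and output interface as Dave suggests
    for proto in udp tcp; do
        $IPT -t nat -A PREROUTING -i "$EXT" -d "$EXTIP" -p "$proto" \
            --dport "$MEDIA_PORT" -j DNAT --to-destination "$ATA:$MEDIA_PORT"
        $IPT -A FORWARD -i "$EXT" -o "$INT" -p "$proto" -d "$ATA" \
            --dport "$MEDIA_PORT" -j ACCEPT
    done
}

# Count generated rules containing a string; handy for checking the
# dry-run output before applying it for real
count_rules() {
    build_rules | grep -c -- "$1"
}
```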