Tips and Tricks for the Linux Network Admin

Tuesday Oct 17th 2006 by Carla Schroder

From getting SIP through your firewall to a handy iptables monitor, our periodic guide to what's new in Linux networking scratches plenty of itches.

There's always something new and progressive in the free and open source software universe. Here's a roundup of some recent worthy happenings in the fun worlds of iptables and VoIP: getting SIP through iptables NAT firewalls, adding new modules to iptables with Patch-O-Matic, monitoring iptables in real-time, and a look at the excellent AstLinux, "the professional's PBX".

iptables and SIP
VoIP users have long struggled with getting SIP (Session Initiation Protocol) through NAT (Network Address Translation) firewalls. Good ole NAT, always gumming up the works. But, as usual, trusty hardworking devs ride to the rescue, and the SIP connection tracking module is ready for prime-time. It will be included in the 2.6.18 kernel. Meanwhile, if you don't mind a bit of patching and kernel-building you can have it now. To do this you need complete kernel sources (not just headers), a 2.6.11 kernel or newer, and iptables sources. Get the iptables sources from

Then fetch yourself the latest Patch-O-Matic snapshot from; it's about a 139-kilobyte download. Don't forget to verify the MD5sum. After all, this is only an important security application.

After unpacking Patch-O-Matic, apply the sip-conntrack-nat patch to the kernel sources. Change to the Patch-O-Matic top-level directory and run this command (but make sure to substitute the location of your kernel and iptables source directories when prompted):

$ ./runme sip-conntrack-nat
Hey! KERNEL_DIR is not set.
Where is your kernel source directory? [/usr/src/linux] enter your kernel source directory
Hey! IPTABLES_DIR is not set.
Where is your iptables source code directory? [/usr/src/iptables]enter your iptables source directory

Welcome to Patch-o-matic ($Revision: 6577 $)!

You'll get some informational output, and this prompt: >

The SIP conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic RTP/RTCP ports, as well as mangling
of SIP requests/responses.

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

When you configure your kernel, select the SIP support option in Networking -> Networking support -> Networking options -> Network packet filtering -> IP: Netfilter Configuration.

iptables Configuration
When your shiny new kernel is up and running, load the ip_conntrack_sip and ip_nat_sip modules. Then add these rules to your iptables script, using your own WAN IP address:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source [wan_ip]

This should make all SIP endpoints behind a NAT firewall happy, whether you're using services like Vonage, Wengo, and Gizmo, or running your own VoIP server like Asterisk.

Kernel Sources Kraziness
Are you lost, alone, dazed, and confused when it comes to finding kernel sources? Don't worry, you're not alone at all. Every distribution has its own weird way of packaging kernel sources. You should stick with the kernel sources for your distribution, because each one applies its own set of kernel patches, and gosh knows what's going to break if you use a vanilla kernel. The *buntu family supplies the linux-source package. This automatically gives you the correct version for your *buntu release. Debian has linux-source-[version number]. See the Debian kernel FAQ for more information.

Fedora stuffs the kernel sources into an SRPM, kernel-[version] .src.rpm. For all the gory Fedora details, visit Section 8 of the Fedora release notes.

VoIP Routing Help at
While we're on the subject of SIP routing issues, check out This site contains router configurations for zillions of VoIP service providers and herds of routers of all kinds, including the little cheapie home broadband routers. But it doesn't stop there- it also supplies configuration for games and services: Grand Theft Auto, Hoyle Games, World of Warcraft, UltraVNC, BitTorrent, Terminal Services, WarezP2P, ShoutCast, you name it- it's all there.

Live iptables Monitoring
Want to see your iptables firewall in action, in real-time? Use the iptstate command. This shows all activity in a top-style display:

  IPTables - State Top
Version: 1.3          Sort: SrcIP           s to change sorting
Source                Destination       Proto   State        TTL,3834,123  udp     0:00:28,3822,123    udp     0:02:53,3828,123  udp     0:02:47,43496,22     tcp     ESTABLISHED  119:59:59,57252,8080  tcp     ESTABLISHED   29:43:53,57505,80      tcp     ESTABLISHED    3:48:32

iptstate has a number of useful commands, such as setting the refresh interval, sorting by different columns values, resolving domain names, and a number of interactive commands to use while it's running. Read the fine man page to learn them all.

AstLinux: Big Power In A Tiny Package
While we're on the subject of VoIP, the most interesting Asterisk implementation is AstLinux. AstLinux is the brainchild of Kristian Kielhofner. Mr. Kielhofner decided that building a complete iPBX that included a customized operating system would be a lovely thing. AstLinux is the result: a sleek, streamlined Linux distribution that contains only the pertinent bits for an efficient, fully-featured iPBX.

AstLinux comes in a number of different images: a bootable ISO/liveCD for any x86 system, compact flash images for VIA mini-ITX boards, Soekris and PC Engines single-board computers, and even a Gumstix image. AstLinux occupies a puny 40 megabytes of space, so it even installs on routerboards with non-expandable onboard CF. You'll need a separate storage drive for log and data files even if you have a large cf card, because you don't want to pummel Flash cards with a lot of writes. This is a nice way to set up an Asterisk server in any case: use a specialized box for call routing, and offload voicemail and logfile storage to a separate machine.

If AstLinux is missing some feature that you want, get the AstLinux Development Environment to customize it to your specs.


Add to | DiggThis

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved