There's always something new and progressive in the free and open source software universe. Here's a roundup of some recent worthy happenings in the fun worlds of iptables and VoIP: getting SIP through iptables NAT firewalls, adding new modules to iptables with Patch-O-Matic, monitoring iptables in real-time, and a look at the excellent AstLinux, "the professional's PBX".
iptables and SIP
VoIP users have long struggled with getting SIP (Session Initiation Protocol) through NAT (Network Address Translation) firewalls. Good ole NAT, always gumming up the works. But, as usual, trusty hardworking devs ride to the rescue, and the SIP connection tracking module is ready for prime-time. It will be included in the 2.6.18 kernel. Meanwhile, if you don't mind a bit of patching and kernel-building you can have it now. To do this you need complete kernel sources (not just headers), a 2.6.11 kernel or newer, and iptables sources. Get the iptables sources from Netfilter.org.
Then fetch yourself the latest Patch-O-Matic snapshot from ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/; it's about a 139-kilobyte download. Don't forget to verify the MD5sum. After all, this is only an important security application.
After unpacking Patch-O-Matic, apply the sip-conntrack-nat patch to the kernel sources. Change to the Patch-O-Matic top-level directory and run this command (but make sure to substitute the location of your kernel and iptables source directories when prompted):
$ ./runme sip-conntrack-nat Hey! KERNEL_DIR is not set. Where is your kernel source directory? [/usr/src/linux] enter your kernel source directory Hey! IPTABLES_DIR is not set. Where is your iptables source code directory? [/usr/src/iptables]enter your iptables source directory Welcome to Patch-o-matic ($Revision: 6577 $)!
You'll get some informational output, and this prompt:
The SIP conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic RTP/RTCP ports, as well as mangling
of SIP requests/responses.
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
Excellent! Source trees are ready for compilation.
When you configure your kernel, select the SIP support option in Networking -> Networking support -> Networking options -> Network packet filtering -> IP: Netfilter Configuration.
When your shiny new kernel is up and running, load the ip_conntrack_sip and ip_nat_sip modules. Then add these rules to your iptables script, using your own WAN IP address:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source [wan_ip]
This should make all SIP endpoints behind a NAT firewall happy, whether you're using services like Vonage, Wengo, and Gizmo, or running your own VoIP server like Asterisk.
Kernel Sources Kraziness
Are you lost, alone, dazed, and confused when it comes to finding kernel sources? Don't worry, you're not alone at all. Every distribution has its own weird way of packaging kernel sources. You should stick with the kernel sources for your distribution, because each one applies its own set of kernel patches, and gosh knows what's going to break if you use a vanilla kernel. The *buntu family supplies the linux-source package. This automatically gives you the correct version for your *buntu release. Debian has linux-source-[version number]. See the Debian kernel FAQ for more information.
Fedora stuffs the kernel sources into an SRPM, kernel-[version] .src.rpm. For all the gory Fedora details, visit Section 8 of the Fedora release notes.
VoIP Routing Help at PortForward.com
While we're on the subject of SIP routing issues, check out PortForward.com. This site contains router configurations for zillions of VoIP service providers and herds of routers of all kinds, including the little cheapie home broadband routers. But it doesn't stop there- it also supplies configuration for games and services: Grand Theft Auto, Hoyle Games, World of Warcraft, UltraVNC, BitTorrent, Terminal Services, WarezP2P, ShoutCast, you name it- it's all there.
Live iptables Monitoring
Want to see your iptables firewall in action, in real-time? Use the iptstate command. This shows all activity in a top-style display:
IPTables - State Top
Version: 1.3 Sort: SrcIP s to change sorting
Source Destination Proto State TTL
192.168.1.1,3834 220.127.116.11,123 udp 0:00:28
192.168.1.1,3822 18.104.22.168,123 udp 0:02:53
192.168.1.1,3828 22.214.171.124,123 udp 0:02:47
192.168.1.10,43496 192.168.1.26,22 tcp ESTABLISHED 119:59:59
192.168.1.11,57252 126.96.36.199,8080 tcp ESTABLISHED 29:43:53
192.168.1.25,57505 188.8.131.52,80 tcp ESTABLISHED 3:48:32
iptstate has a number of useful commands, such as setting the refresh interval, sorting by different columns values, resolving domain names, and a number of interactive commands to use while it's running. Read the fine man page to learn them all.
AstLinux: Big Power In A Tiny Package
While we're on the subject of VoIP, the most interesting Asterisk implementation is AstLinux. AstLinux is the brainchild of Kristian Kielhofner. Mr. Kielhofner decided that building a complete iPBX that included a customized operating system would be a lovely thing. AstLinux is the result: a sleek, streamlined Linux distribution that contains only the pertinent bits for an efficient, fully-featured iPBX.
AstLinux comes in a number of different images: a bootable ISO/liveCD for any x86 system, compact flash images for VIA mini-ITX boards, Soekris and PC Engines single-board computers, and even a Gumstix image. AstLinux occupies a puny 40 megabytes of space, so it even installs on routerboards with non-expandable onboard CF. You'll need a separate storage drive for log and data files even if you have a large cf card, because you don't want to pummel Flash cards with a lot of writes. This is a nice way to set up an Asterisk server in any case: use a specialized box for call routing, and offload voicemail and logfile storage to a separate machine.
If AstLinux is missing some feature that you want, get the AstLinux Development Environment to customize it to your specs.
- Tips for Compiling and Installing a Linux 2.6 Kernel
- The Linux 2.6 Kernel Trilogy Ends: Go Configure
- Homer's lucky 13 step guide to a custom Fedora Core kernel RPM