I have an Asterisk server#1 (privateIP1) behind a plain old wifi access point (PublicIP1) in one city and another Asterisk server#2 (privateIP2) behind an Ubuntu server (acting as a gateway with PublicIP2) in another city.
So, both Asterisk servers are hidden behind routers using NAT, but port forwards are activated on both sides for UDP port 4569 to each respective Asterisk server. I watch the communication between them as such:
tcpdump for port 4569 on privateIP1 (asterisk#1):
(PrivateIP1) > (PublicIP2) (asterisk#1 trying to get out to the internet to where PublicIP2 is)
(PublicIP2) > (PrivateIP1) (asterisk#1 receiving a packet from the internet)
That looks great. PrivateIP1 thinks it's having a conversation with PublicIP2 because it sends packets there and the packets return from there. It doesn't know that the packets are forwarded by PublicIP2 to PrivateIP2 and then reversed on the way back. It never sees PublicIP1 or PrivateIP2 on the packets. Great.
Now, tcpdump on privateIP2 (asterisk#2):
(PrivateIP2) > (PublicIP1) (asterisk#2 trying to get out to the internet where PublicIP1 is)
(PublicIP2) > (PrivateIP2) (asterisk#2 receiving a packet from the internet)
Do you see what's wrong there? PrivateIP2 knows to reach out to PublicIP1 but the responding packets aren't coming back from PublicIP1, they're coming back from PublicIP2 which is the ubuntu server gateway in front of PrivateIP2. That's not good. I want the same idea as the first scenario.
Here are my iptables rules on the ubuntu server. The first two rules let anyone in the PrivateIP2 network out: (everyone is a 192.168.1.* IP including the asterisk server and they all come in on iface p1p1 and leave on iface em1)
Code:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o em1 -j SNAT --to (PublicIP2)
iptables -A FORWARD -i em1 -o p1p1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Those seem to work fine. Everyone on the inside can get out to the internet. In fact, I can even make outgoing calls on my asterisk server through its trunk on port 4569 to PublicIP1.
Here are the specific rules for the port forward:
Code:
iptables -t nat -A PREROUTING -s (PublicIP1) -d (PublicIP2) -p udp --dport 4569 -j DNAT --to-destination (PrivateIP2)
iptables -A FORWARD -s (PublicIP1) -p udp --dport 4569 -j ACCEPT
That nat rule should be leaving the source IP address of the incoming packet alone and only changing the destination. The source should stay as PublicIP1. For some reason, the packet is being changed before it reaches asterisk#2 to have originated from PublicIP2.
Anyone have any idea what's going on? This was all going well before I replaced the Walmart router in front of asterisk#2 with the Ubuntu server. It's got to be something with my iptables rules.
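One check a reader could run on the gateway, added here as an example and not part of the post: parse `iptables-save -t nat` output and list every POSTROUTING rule that would rewrite the source of a packet leaving the LAN interface toward the DNATed host. The post's own SNAT rule is restricted with `-o em1` and would not match; the constructed sample below adds a hypothetical MASQUERADE rule with no `-o` match (and RFC 5737 documentation addresses in place of the post's placeholders) to show the kind of rule that produces exactly this symptom.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output. The first two rules mirror
# the post's DNAT and SNAT rules (203.0.113.2 = PublicIP2, 198.51.100.1 = PublicIP1,
# 192.168.1.10 = PrivateIP2); the unrestricted MASQUERADE rule is hypothetical.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 198.51.100.1/32 -d 203.0.113.2/32 -p udp -m udp --dport 4569 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -s 192.168.1.0/24 -o em1 -j SNAT --to-source 203.0.113.2
-A POSTROUTING -j MASQUERADE
COMMIT
"""


def parse_rules(save_text, chain):
    """Return the rules of one chain as dicts of option -> value (bare flags -> True).
    Negated matches ('! -o em1') are not interpreted; they are treated as plain matches."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        toks = shlex.split(line)[2:]  # drop '-A <chain>'
        rule, i = {"raw": line}, 0
        while i < len(toks):
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule[toks[i]] = toks[i + 1]
                i += 2
            else:
                rule[toks[i]] = True
                i += 1
        rules.append(rule)
    return rules


def source_rewriters(save_text, src_ip, out_iface):
    """POSTROUTING SNAT/MASQUERADE rules that would rewrite the source address of a
    packet from src_ip leaving on out_iface (only -o and -s matches are evaluated)."""
    hits = []
    for r in parse_rules(save_text, "POSTROUTING"):
        if r.get("-j") not in ("SNAT", "MASQUERADE"):
            continue
        if "-o" in r and r["-o"] != out_iface:
            continue  # restricted to another interface, e.g. the post's '-o em1'
        if "-s" in r and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(r["-s"], strict=False):
            continue
        hits.append(r["raw"])
    return hits


if __name__ == "__main__":
    # Inbound IAX2 packet from PublicIP1, already DNATed, now leaving toward the LAN on p1p1.
    for rule in source_rewriters(SAMPLE_NAT_TABLE, "198.51.100.1", "p1p1"):
        print("rewrites source on the LAN leg:", rule)
```

On a live gateway, feed it `subprocess.check_output(["iptables-save", "-t", "nat"]).decode()` instead of the sample; an empty result for the LAN interface means the source rewrite is happening somewhere other than the nat POSTROUTING chain.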