SIP connection tracking and NAT for Netfilter.

Christian Hentschel

The SIP conntrack/NAT extension supports connection tracking and NATing of the data streams requested on the dynamic RTP/RTCP ports of a SIP session, as well as mangling of SIP requests and responses.

These few lines explain how to configure the Netfilter framework to get this ALG working.

Download

The latest patches are maintained in the Netfilter patch-o-matic-ng subversion repository.

Get the latest svn snapshot from:

http://ftp.netfilter.org/pub/patch-o-matic-ng/

Applying sip-conntrack-nat patches.

Simply do ./runme sip-conntrack-nat in the directory containing the package's source code.
You'll have to compile the kernel modules, selecting the 'SIP support' option in the kernel configuration menu.

note: This assumes that you already have the Linux >= 2.6.11 kernel and iptables sources on your box; patch-o-matic needs them.

To get more information about Netfilter extensions, see the Netfilter Extensions HOWTO

Using sip-conntrack-nat

Once you've recompiled the kernel, make sure you load the modules.

Wookie:/home/chentschel# modprobe ip_conntrack_sip ip_nat_sip
Wookie:/home/chentschel# lsmod | grep ip_nat_sip
ip_nat_sip              4288  0
ip_conntrack_sip        6544  1 ip_nat_sip
iptable_nat            20444  1 ip_nat_sip
ip_conntrack           38808  3 ip_nat_sip,ip_conntrack_sip,iptable_nat
Wookie:/home/chentschel#

Netfilter will now take care of connection tracking and NAT for SIP packets, but don't forget the iptables rules. Examples follow:

Set iptables rules to allow UDP packets on port 5060:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j ACCEPT

And NAT as follows:

iptables -A FORWARD -o eth0 -p udp --dport 5060 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 200.68.89.15
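As an added illustration (not code from the patch or from the kernel modules), the following Python models the two jobs the helper does behind those rules: derive the RTP/RTCP expectations from the SDP body so that the ESTABLISHED,RELATED rule can accept the media streams, and rewrite the phone's private address to the SNAT address (200.68.89.15 from the example above) while keeping Content-Length correct. The SIP/SDP sample and the private address 192.168.1.20 are constructed.

```python
import re

# Constructed sample: the SDP body of an INVITE as a phone at 192.168.1.20
# behind the NAT box would send it. The c= line carries the private address
# and the m= line the RTP port; without the ALG the far end would try to
# send media to 192.168.1.20, and the dynamic ports would not be tracked.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def sdp_expectations(sdp):
    """Return (media, addr, port) triples conntrack must expect for the call.

    These expectations are what lets the RELATED rule accept the RTP/RTCP
    streams even though no static rule opens those ports."""
    conn = re.search(r"^c=IN IP4 (\S+)\r?$", sdp, re.M)
    if conn is None:
        raise ValueError("SDP has no c= line")
    addr = conn.group(1)
    expect = []
    for m in re.finditer(r"^m=(\w+) (\d+) ", sdp, re.M):
        port = int(m.group(2))
        # RTP uses the advertised port, RTCP the next one up (RFC 3550).
        expect.append((m.group(1), addr, port))
        expect.append((m.group(1) + "-rtcp", addr, port + 1))
    return expect


def mangle_sdp(sdp, private_addr, public_addr):
    """Rewrite the o= and c= addresses as the NAT helper must for SNAT."""
    pattern = (r"^((?:c=IN IP4 |o=\S+ \d+ \d+ IN IP4 ))"
               + re.escape(private_addr) + r"(?=\r?$)")
    return re.sub(pattern, r"\g<1>" + public_addr, sdp, flags=re.M)


def rebuild_sip(headers, body):
    """Re-emit a SIP message whose Content-Length matches the mangled body.

    The header block is assumed to end with a CRLF; the blank separator
    line between headers and body is added here."""
    length = len(body.encode("ascii"))
    fixed = re.sub(r"^Content-Length: \d+", "Content-Length: %d" % length,
                   headers, flags=re.M)
    return fixed + "\r\n" + body
```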

(C) 2005 Christian Hentschel. Licenced under the GNU GPL.