Назад | Перейти на главную страницу

IPTABLES перенаправление портов на SIP UDP не работает

У меня есть сервер Asterisk, настроенный на транк с Bandwidth.com. Похоже, что SIP-сервер нормально работает во внутренней сети, в сети 10.0.0.0/8. IP-адрес центрального маршрутизатора - 10.0.0.1, а УАТС - 10.0.3.1.

Я могу совершать исходящие SIP-вызовы с местного софтфона, добавочный номер 33001, и звонки проходят. Но когда я пытаюсь набрать номер с внешней линии, он звонит «занято». Я включил подробное ведение журнала на сервере Asterisk (FreePBX) и не вижу никаких признаков того, что вызов проходит.

Затем я отступаю и решаю попробовать проверить, могу ли я зарегистрировать тот же программный телефон из внешнего подключения (с использованием общедоступного IP-адреса), и я вижу, что трафик попадает на внешний сетевой адаптер на центральном маршрутизаторе, но я его не вижу доступ к серверу Asterisk по адресу 10.0.3.1. Поэтому я пришел к выводу, что переадресация портов IPTables настроена неправильно. Ниже приведен мой файл rc.local, в который я загружаю свой IPTable.

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

sysctl -w net.ipv4.ip_forward=1
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#####iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#ip route change to default dev eth1 via 12.34.56.78
#ip route change to default dev eth0 via 12.34.56.79
#sudo ip route change to default dev eth0
###########Change to eth0 COMCAST ##################################################
ip route change to default dev eth0 via 192.168.0.1
#ip route change to default dev eth1 via 12.34.56.78
iptables -A FORWARD -i eth2 -j ACCEPT

#### FORWARD ALL EXTERNAL TRAFFIC FROM INTERNAL INTERFACE DESTINED FOR OWN PUBLIC INTERFACE BACK TO MAIN WEB SERVER ####
iptables -t nat -I PREROUTING -d 12.34.56.78 -j DNAT --to-destination 10.0.4.1
iptables -t nat -I PREROUTING -d 12.34.56.79 -j DNAT --to-destination 10.0.4.1
iptables -t nat -I POSTROUTING -o eth2 -j MASQUERADE

# Set up port forwarding on linux box...
# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
# iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT


###HTTP Forwarding Rule###
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.4.1:80
iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 80 -j ACCEPT
###HTTPS Forwarding Rule###
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.4.1:443
iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 443 -j ACCEPT
###WEBMIN
#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 10000 -j DNAT --to 10.0.4.1:10000
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 10000 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 10.0.4.1:443
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 443 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 9898 -j DNAT --to 10.9.8.7:9898
iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 9898 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2222 -j DNAT --to 10.0.14.1:22
iptables -A FORWARD -p tcp -d 10.0.14.1 --dport 22 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 5900 -j DNAT --to 10.9.8.7:5900
iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 5900 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 21 -j DNAT --to 10.9.8.7:21
iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 21 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 20 -j DNAT --to 10.9.8.7:20
iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 20 -j ACCEPT

#unms ports and ucrm

#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8080 -j DNAT --to 10.100.0.1:8080
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8080 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8443 -j DNAT --to 10.100.0.1:8443
iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8443 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8081 -j DNAT --to 10.100.0.1:80
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8081 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8444 -j DNAT --to 10.100.0.1:443
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8444 -j ACCEPT

#sip forwarding for sip trunking providers...

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 5060 -j DNAT --to 10.0.3.1:5060
iptables -A FORWARD -p udp -d 10.0.3.1 --dport 5060 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 5061 -j DNAT --to 10.0.3.1:5061
iptables -A FORWARD -p udp -d 10.0.3.1 --dport 5061 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 5160 -j DNAT --to 10.0.3.1:5160
iptables -A FORWARD -p udp -d 10.0.3.1 --dport 5160 -j ACCEPT

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 5161 -j DNAT --to 10.0.3.1:5161
iptables -A FORWARD -p udp -d 10.0.3.1 --dport 5161 -j ACCEPT


### This section is reserved for Comcast Business backup lines
###   to allow multiple addresses to host the same sites.
###   If changing a port, change it here also!!

###HTTP Forwarding Rule CMCST-BIZ###
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 10.0.4.1:80
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 80 -j ACCEPT
###HTTPS Forwarding Rule CMCST-BIZ###
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j DNAT --to 10.0.4.1:443
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 443 -j ACCEPT
###WEBMIN
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 10000 -j DNAT --to 10.0.4.1:10000
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 10000 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j DNAT --to 10.0.4.1:443
#iptables -A FORWARD -p tcp -d 10.0.4.1 --dport 443 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 9898 -j DNAT --to 10.9.8.7:9898
#iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 9898 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 2222 -j DNAT --to 10.0.14.1:22
#iptables -A FORWARD -p tcp -d 10.0.14.1 --dport 22 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 5900 -j DNAT --to 10.9.8.7:5900
#iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 5900 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 21 -j DNAT --to 10.9.8.7:21
#iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 21 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 20 -j DNAT --to 10.9.8.7:20
#iptables -A FORWARD -p tcp -d 10.9.8.7 --dport 20 -j ACCEPT

#unms ports and ucrm CMCST-BIZ###

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 8080 -j DNAT --to 10.100.0.1:8080
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8080 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 8443 -j DNAT --to 10.100.0.1:8443
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8443 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 8081 -j DNAT --to 10.100.0.1:80
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8081 -j ACCEPT
#iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 8444 -j DNAT --to 10.100.0.1:443
#iptables -A FORWARD -p tcp -d 10.100.0.1 --dport 8444 -j ACCEPT

#sip forwarding for sip trunking providers... CMCST-BIZ###

#iptables -A PREROUTING -t nat -i eth1 -p udp --dport 5060 -j DNAT --to 10.0.6.1:5060
#iptables -A FORWARD -p udp -d 10.0.6.1 --dport 5060 -j ACCEPT

#iptables -A PREROUTING -t nat -i eth1 -p udp --dport 5061 -j DNAT --to 10.0.6.1:5061
#iptables -A FORWARD -p udp -d 10.0.6.1 --dport 5061 -j ACCEPT

ifconfig eth0 add 192.168.0.50





exit 0

Ниже приведены текущие правила IPTables (с использованием iptables -S).

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -d 10.0.4.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.4.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.9.8.7/32 -p tcp -m tcp --dport 9898 -j ACCEPT
-A FORWARD -d 10.0.14.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.9.8.7/32 -p tcp -m tcp --dport 5900 -j ACCEPT
-A FORWARD -d 10.9.8.7/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 10.9.8.7/32 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -d 10.100.0.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -d 10.0.3.1/32 -p udp -m udp --dport 5060 -j ACCEPT
-A FORWARD -d 10.0.3.1/32 -p udp -m udp --dport 5061 -j ACCEPT
-A FORWARD -d 10.0.3.1/32 -p udp -m udp --dport 5160 -j ACCEPT
-A FORWARD -d 10.0.3.1/32 -p udp -m udp --dport 5161 -j ACCEPT
-A fail2ban-ssh -s 58.162.140.172/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 106.12.181.184/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 203.110.166.51/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 51.83.74.158/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 194.61.26.34/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 177.19.181.10/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 218.92.0.167/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.42.241/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 209.97.169.85/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.42.163/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 49.88.112.85/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 188.165.194.169/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 54.37.68.66/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 171.221.230.220/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 37.187.46.74/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 194.61.24.26/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 49.88.112.90/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 219.250.188.133/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 172.245.90.230/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 128.199.203.236/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 81.174.227.27/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 213.182.94.121/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 201.47.158.130/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 157.230.36.189/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 218.92.0.187/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 86.42.91.227/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 142.93.203.108/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 154.66.219.20/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 112.85.42.87/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 213.32.52.1/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 106.12.148.155/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.30.165/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.42.94/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 173.241.21.82/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 167.71.55.1/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.52.124/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 164.132.98.75/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 200.194.15.253/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 49.88.112.78/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 210.178.94.230/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.42.15/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -s 222.186.15.160/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

Может ли кто-нибудь заметить что-то не так или дать мне совет, как это исправить?