VoIPowering Your Office with Asterisk: Getting SIP through Firewalls, Part 2

By Carla Schroder | Oct 23, 2006
http://www.enterprisenetworkingplanet.com/unified_communications/VoIPowering-Your-Office-with-Asterisk-Getting-SIP-through-Firewalls-Part-2-3639451.htm

Last week we looked at some ways to get standalone SIP clients past iptables NAT firewalls. Here's the executive summary: Every VoIP service has different requirements, so be sure to find the documentation for your particular service. But what about your Asterisk server? You have SIP clients that need attention too.

IAXed you first
First let's look at something that's a little easier: using IAX trunks. IAX is a more NAT-friendly protocol because it only needs a single port. If you set up IAX trunks between servers, then your SIP traffic will waltz happily through your IAX trunk to your SIP endpoints. This works great when you have some control over the servers—for example, between branch offices. (Not all VoIP servers support IAX, so it's not a 100 percent solution.) Then all you need is a nice iptables rule to let the IAX traffic in:

/sbin/iptables -A INPUT -p udp --dport 4569 -j ACCEPT
If you also need to explicitly allow outgoing traffic, do this:
/sbin/iptables -A OUTPUT -p udp --dport 4569 -j ACCEPT
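
The rules above accept IAX traffic to and from any address; for trunks between servers you control, such as branch offices, they can be limited to known peers. This is an added example, not from the original article: the peer addresses are constructed, the function names is_ipv4 and iax_peer_rules are hypothetical, and it prints the commands rather than applying them.

```sh
# Added example, not from the article. Assumes the INPUT chain otherwise
# drops UDP 4569, so only the listed peers can reach the IAX port.
IAX_PORT=4569

# Succeeds only for a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Reads one peer address per line on stdin (blank lines and "#" comments are
# ignored) and prints one INPUT and one OUTPUT rule per valid peer.
iax_peer_rules() {
    while read -r peer rest; do
        case "$peer" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$peer"; then
            echo "skipping invalid peer: $peer" >&2
            continue
        fi
        echo "/sbin/iptables -A INPUT -p udp -s $peer --dport $IAX_PORT -j ACCEPT"
        echo "/sbin/iptables -A OUTPUT -p udp -d $peer --dport $IAX_PORT -j ACCEPT"
    done
}

# Constructed peer list (documentation address ranges, not real offices).
printf '%s\n' '# branch offices' 192.0.2.10 198.51.100.7 | iax_peer_rules
```

Review the printed commands before running them on the firewall.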

You'll probably still need to provide a means for SIP traffic to navigate your perilous NAT firewall, so here is how. At long last the SIP connection-tracking module for iptables is ready for prime time. It is included in the 2.6.18 kernel, which will show up in your chosen Linux distribution soon. But you don't have to wait; you can have it now. This means applying the iptables patch to your kernel sources, and building and installing a new kernel. It's really not that hard—see Tips and Tricks for the Linux Network Admin to learn how.

IAXy, the cute solution
The IAXy (pronounced eek-see) is a great little widget for travelers. It's a tiny Ethernet-to-ATA (analog telephone adapter) that you configure to phone home to your Asterisk server. It's NAT-aware and uses the IAX protocol, so you won't have any NAT hassles. Then no matter where you are you can route your calls through your server, which will save you toll charges and let you pester your homebound co-workers for free. It's a cute little thing smaller than an Altoids tin, with a red power light and a blue network light. It's sleek and all the other road warriors will envy you, which is enough to justify the $99 price tag. As long as you can get to an analog phone and broadband Internet you're good to go.

There are a few steps to setting it up: Connect it to your LAN, configure it, then create a configuration for it on your Asterisk server. You need a DHCP server on your LAN. Configuring the little bugger is rather more geeky than it needs to be, but it's what we have to work with.

Plugging the little guy in requires a specific order. Do not deviate or bad things will happen:

  1. Plug in the telephone cord
  2. Plug in the Ethernet cable
  3. Plug in the power
You have to capture the address assigned to it by your DHCP server. (This is the seriously clunky bit.) One way is to monitor the syslog on your DHCP server, like this example using the tail command:
# tail -f /var/log/messages
Or, if you're using ISC's DHCPD like a good little Linux geek, just check the /var/lib/dhcp3/dhcpd.leases file. While you're in there, make a note of the MAC address of the IAXy:
lease 192.168.200.198 {
  starts 3 2006/10/04 23:10:04;
  ends 3 2006/10/04 23:11:04;
  tstp 3 2006/10/04 23:11:04;
  binding state free;
  hardware ethernet 00:0d:b9:05:25:b4;
}
Then take that hardware address and make a permanent IP address assignment so you don't have to go through this again:
#/etc/dhcp3/dhcpd.conf

host iaxy {
    hardware ethernet 00:0d:b9:05:25:b4;
    fixed-address 192.168.200.225;
}
Of course if you're using a different DHCP server you'll have to figure out another way to do all this, but the principles are the same.
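
The lease lookup and the fixed-address stanza described above can be scripted instead of read by eye. This is an added example, not from the original article: the function names are hypothetical, and the sample lease data is constructed and abridged around the article's MAC and IP addresses.

```sh
# Added example, not from the article. Reads an ISC dhcpd.leases file on stdin.

# Print "IP MAC" for every lease block that records a hardware address.
list_leases() {
    awk '
        $1 == "lease" && $3 == "{"           { ip = $2; mac = "" }
        $1 == "hardware" && $2 == "ethernet" { mac = tolower($3); sub(/;$/, "", mac) }
        $1 == "}" && ip != ""                { if (mac != "") print ip, mac; ip = "" }
    '
}

# dhcpd appends to the leases file, so the last block for a MAC is the newest.
# Prints that IP; returns 1 when the MAC never appears.
lease_ip_for_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    list_leases | awk -v m="$want" '$2 == m { ip = $1 } END { if (ip == "") exit 1; print ip }'
}

# Emit a dhcpd.conf host stanza; refuse anything that is not a plain MAC or
# dotted quad so stray text never ends up in the server config.
host_stanza() {
    printf '%s\n' "$2" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || { echo "bad MAC: $2" >&2; return 1; }
    printf '%s\n' "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo "bad IP: $3" >&2; return 1; }
    printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# Constructed, abridged sample: two leases for the IAXy and one other device.
sample_leases() {
cat <<'EOF'
lease 192.168.200.197 {
  binding state free;
  hardware ethernet 00:0d:b9:05:25:b4;
}
lease 192.168.200.150 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.200.198 {
  binding state free;
  hardware ethernet 00:0d:b9:05:25:b4;
}
EOF
}

mac=00:0d:b9:05:25:b4
echo "current lease: $(sample_leases | lease_ip_for_mac "$mac")"
host_stanza iaxy "$mac" 192.168.200.225
```

On a real server, feed the functions the live file, for example `lease_ip_for_mac 00:0d:b9:05:25:b4 < /var/lib/dhcp3/dhcpd.leases`.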

Next, download the IAXy files from Digium.com to your PC. Put them in the /usr/src/ directory:

# svn co http://svn.digium.com/svn/iaxyprov/trunk
# cd trunk
# ls -1
frame.h
iax2.h
iaxy.conf.sample
iaxydebug.c
Makefile
provision.c
provision.h
Run the make command. Then open iaxy.conf.sample and enter your settings:
;
; IAXY Provisioning description
;
dhcp
codec: ulaw
server: [IP address of your Asterisk server]
;altserver: [if you have a second Asterisk server for fallback]
user: [your login name, from /etc/asterisk/iax.conf]
pass: [your password, from /etc/asterisk/iax.conf]
register
Save it as iaxy.conf. Now hie thee to your Asterisk server and edit /etc/asterisk/iax.conf, using your own login, password, and context:
[carlas-iaxy]
type=friend
username=carliaxy
secret=dontlook
context=default
disallow=all
allow=ulaw
Reload the changes:
# asterisk -rx reload
Now go across the street to borrow a neighbor's phone and test it out. Then hop on a plane to somewhere fun to give it more live-fire testing. After all, one must be thorough.

Don't forget to download the user's manual.

Other vendors such as Sipura make similar devices, so don't be shy about shopping around.

Resources
Asterisk: The Future of Telephony free downloadable book
The Digium S101i