Last week we looked at some ways to get standalone SIP clients past iptables
NAT firewalls. Here’s the executive summary: Every VoIP service has different
requirements, so be sure to find the documentation for your particular service.
But what about your Asterisk server? You have SIP clients that need attention
too.
IAXed you first
First let’s look at something that’s a little easier: using IAX trunks. IAX
is a more NAT-friendly protocol because it only needs a single port. If you
set up IAX trunks between servers, then your SIP traffic will waltz happily
through your IAX trunk to your SIP endpoints. This works great when you have
some control over the servers—for example, between branch offices. (Not
all VoIP servers support IAX, so it’s not a 100 percent solution.) Then
all you need is a nice iptables rule to let the IAX traffic in:
/sbin/iptables -A INPUT -p udp --dport 4569 -j ACCEPT
If you also need to explicitly allow outgoing traffic, do this:
/sbin/iptables -A OUTPUT -p udp --dport 4569 -j ACCEPT
You’ll probably still need to provide a means for SIP traffic to navigate
your perilous NAT firewall, so here is how. At long last the SIP connection-tracking
module for iptables is ready for prime time. It is included in the 2.6.18 kernel,
which will show up in your chosen Linux distribution soon. But you don’t have
to wait; you can have it now. This means applying the iptables patch to your
kernel sources, and building and installing a new kernel. It’s really not that
hard—see Tips and Tricks for the Linux Network Admin to learn how.
IAXy, the cute solution
The IAXy (pronounced eek-see) is a great little widget for travelers. It’s a tiny Ethernet-to-ATA
(analog telephone adapter) that you configure to phone home to your Asterisk
server. It’s NAT-aware and uses the IAX protocol, so you won’t have any NAT
hassles. Then no matter where you are you can route your calls through your
server, which will save you toll charges and let you pester your homebound co-workers
for free. It’s a cute little thing smaller than an Altoids tin, with a red
power light and a blue network light. It’s sleek and all the other road warriors
will envy you, which is enough to justify the $99 price tag. As long as you
can get to an analog phone and broadband Internet you’re good to go.
There are a few steps to setting it up: Connect it to your LAN, configure
it, then create a configuration for it on your Asterisk server. You need a DHCP
server on your LAN. Configuring the little bugger is rather more geeky than
it needs to be, but it’s what we have to work with.
Plugging the little guy in requires a specific order. Do not deviate or bad things will happen:
- Plug in the telephone cord
- Plug in the Ethernet cable
- Plug in the power
You have to capture the address assigned to it by your DHCP server. (This is the seriously clunky bit.) One way is to monitor the syslog on your DHCP server, like this example using the tail command:
# tail -f /var/log/messages
Or, if you’re using ISC’s DHCPD like a good little Linux geek, just check the /var/lib/dhcp3/dhcpd.leases file. While you’re in there, make a note of the MAC address of the IAXy:
lease 192.168.200.198 {
  starts 3 2006/10/04 23:10:04;
  ends 3 2006/10/04 23:11:04;
  tstp 3 2006/10/04 23:11:04;
  binding state free;
  hardware ethernet 00:0d:b9:05:25:b4;
}
Then take that hardware address and make a permanent IP address assignment so you don’t have to go through this again:
# /etc/dhcp3/dhcpd.conf
host iaxy {
  hardware ethernet 00:0d:b9:05:25:b4;
  fixed-address 192.168.200.225;
}
Of course if you’re using a different DHCP server you’ll have to figure out another way to do all this, but the principles are the same.
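If you would rather not eyeball the leases file, here is an added example (not part of the original article, and not a Digium tool) that pulls the newest lease for a given MAC address out of dhcpd.leases text and builds the matching host entry, checking each value before it goes anywhere near dhcpd.conf. The function names and the first sample lease are made up for illustration, and it assumes lease blocks contain no nested braces.

```python
import ipaddress
import re

# Constructed sample in dhcpd.leases layout; the second block is the article's lease.
SAMPLE = """\
lease 192.168.200.198 {
  starts 3 2006/10/04 23:08:04;
  binding state active;
  hardware ethernet 00:0d:b9:05:25:b4;
}
lease 192.168.200.198 {
  starts 3 2006/10/04 23:10:04;
  binding state free;
  hardware ethernet 00:0d:b9:05:25:b4;
}
"""

LEASE_RE = re.compile(r"\blease\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def parse_leases(text):
    """Return one dict per lease block, in file order (assumes no nested braces)."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        fields = {"ip": ip}
        for stmt in body.split(";"):
            words = stmt.split()
            if words[:1] == ["starts"]:
                fields["starts"] = " ".join(words[2:])
            elif len(words) == 3 and words[:2] == ["binding", "state"]:
                fields["state"] = words[2]
            elif len(words) == 3 and words[:2] == ["hardware", "ethernet"]:
                fields["mac"] = words[2].lower()
        leases.append(fields)
    return leases

def latest_lease(text, mac):
    """dhcpd appends new blocks, so the last one for a MAC is the current one."""
    found = [l for l in parse_leases(text) if l.get("mac") == mac.lower()]
    return found[-1] if found else None

def host_stanza(name, mac, fixed_ip):
    """Build a dhcpd.conf host entry; reject values that would corrupt the file."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        raise ValueError("bad host name: %r" % name)
    if not MAC_RE.fullmatch(mac.lower()):
        raise ValueError("bad MAC address: %r" % mac)
    ipaddress.IPv4Address(fixed_ip)  # raises ValueError if malformed
    return f"host {name} {{\n  hardware ethernet {mac.lower()};\n  fixed-address {fixed_ip};\n}}\n"
```

Feed latest_lease() the contents of /var/lib/dhcp3/dhcpd.leases and pass the MAC it returns to host_stanza() along with the fixed address you want.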
Next, download the IAXy files from Digium.com to your PC. Put them in the /usr/src/ directory:
# svn co http://svn.digium.com/svn/iaxyprov/trunk
# cd trunk
# ls -1
frame.h
iax2.h
iaxy.conf.sample
iaxydebug.c
Makefile
provision.c
provision.h
Run the make command. Then open iaxy.conf.sample and enter your settings:
;
; IAXY Provisioning description
;
dhcp
codec: ulaw
server: [IP address of your Asterisk server]
;altserver: [if you have a second Asterisk server for fallback]
user: [your login name, from /etc/asterisk/iax.conf]
pass: [your password, from /etc/asterisk/iax.conf]
register
Save it as iaxy.conf. Now hie thee to your Asterisk server and edit /etc/asterisk/iax.conf, using your own login, password, and context:
[carlas-iaxy]
type=friend
username=carliaxy
secret=dontlook
context=default
disallow=all
allow=ulaw
Reload the changes:
# asterisk -rx reload
Now go across the street to borrow a neighbor’s phone and test it out. Then hop on a plane to somewhere fun to give it more live-fire testing. After all, one must be thorough.
Don’t forget to download the user’s manual.
Other vendors such as Sipura make similar devices, so don’t be shy about shopping around.
Resources
Asterisk: The Future of Telephony free downloadable book
The Digium S101i