DEV Community

Carl Schmidt

Symmetric NAT in iptables?

We (I'm not the developer) are using iptables to redirect/forward packets for SIP/UDP port 5060 to/from virtual IP addresses to the static interface IP for use on a SIP load balancer (ingress <--> LB <--> egress).

My trouble is when the egress side initiates a BYE (ends the call) the LB (load balancer) uses a different port other than port 5060 when forwarding the BYE packet to the ingress side. This condition ONLY occurs if the call is connected (duration) for some time less than 120 seconds. Calls connected greater than 120 seconds are sourced from port 5060 as expected.

My SIP application (opensips) has no configuration which would alter the src port, so we are convinced this is an action done by iptables, but we are not experienced enough. How can I ensure iptables uses symmetric NAT and retains src port 5060?

Any and all feedback is much appreciated!!!

Below is my iptables configuration.

[root@wsvelb-mstwn-a2p dLBM]# iptables -L PREROUTING -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- 0.0.0.0/0 192.168.1.56 udp dpt:5060 /* edge 0 192.168.1.56 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.57 udp dpt:5060 /* edge 0 192.168.1.57 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.58 udp dpt:5060 /* edge 0 192.168.1.58 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.59 udp dpt:5060 /* edge 0 192.168.1.59 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.60 udp dpt:5060 /* edge 0 192.168.1.60 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.61 udp dpt:5060 /* edge 0 192.168.1.61 */ to:192.168.1.55:5060
DNAT udp -- 0.0.0.0/0 192.168.1.62 udp dpt:5060 /* edge 0 192.168.1.62 */ to:192.168.1.55:5060

[root@wsvelb-mstwn-a2p dLBM]# iptables -L PREROUTING -n -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK udp -- 0.0.0.0/0 192.168.1.56 udp dpt:5060 /* edge 0 192.168.1.56 */ MARK set 0x41610b38
MARK udp -- 0.0.0.0/0 192.168.1.57 udp dpt:5060 /* edge 0 192.168.1.57 */ MARK set 0x41610b39
MARK udp -- 0.0.0.0/0 192.168.1.58 udp dpt:5060 /* edge 0 192.168.1.58 */ MARK set 0x41610b3a
MARK udp -- 0.0.0.0/0 192.168.1.59 udp dpt:5060 /* edge 0 192.168.1.59 */ MARK set 0x41610b3b
MARK udp -- 0.0.0.0/0 192.168.1.60 udp dpt:5060 /* edge 0 192.168.1.60 */ MARK set 0x41610b3c
MARK udp -- 0.0.0.0/0 192.168.1.61 udp dpt:5060 /* edge 0 192.168.1.61 */ MARK set 0x41610b3d
MARK udp -- 0.0.0.0/0 192.168.1.62 udp dpt:5060 /* edge 0 192.168.1.62 */ MARK set 0x41610b3e

[root@wsvelb-mstwn-a2p dLBM]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
EDGE11 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3d /* edge 0 192.168.1.61 */
EDGE11 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3c /* edge 0 192.168.1.60 */
EDGE11 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3a /* edge 0 192.168.1.58 */
EDGE11 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b38 /* edge 0 192.168.1.56 */
EDGE11 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b39 /* edge 0 192.168.1.57 */
EDGE16 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3d /* edge 0 192.168.1.61 */
EDGE16 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3c /* edge 0 192.168.1.60 */
EDGE16 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3a /* edge 0 192.168.1.58 */
EDGE16 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b38 /* edge 0 192.168.1.56 */
EDGE16 udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 mark match 0x41610b3b /* edge 0 192.168.1.59 */
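The listing above shows the nat PREROUTING, mangle PREROUTING and filter INPUT chains but not nat POSTROUTING, which is where an SNAT or MASQUERADE rule that rewrites a source port would live, and the whole question turns on what the kernel's connection tracker recorded for each UDP 5060 flow. The following Python is an added diagnostic, not code from the post or from the opensips/iptables setup it describes: it parses `conntrack -L` style lines, works out from the original and reply tuples which translations conntrack applied to each flow, and reports the flows whose source port 5060 was rewritten. The conntrack lines are constructed sample data with placeholder addresses; the decimal mark on the first line is the post's 0x41610b38 only for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `conntrack -L -p udp` output (not captured from the post's host).
# Layout: proto protonum timeout <original tuple> <reply tuple> [ASSURED] mark=N use=N
SAMPLE_CONNTRACK = """\
udp      17 117 src=203.0.113.10 dst=192.168.1.56 sport=5060 dport=5060 src=192.168.1.55 dst=203.0.113.10 sport=5060 dport=5060 [ASSURED] mark=1096878904 use=1
udp      17 115 src=192.168.1.55 dst=198.51.100.20 sport=5060 dport=5060 src=198.51.100.20 dst=192.168.1.57 sport=5060 dport=1025 [ASSURED] mark=0 use=1
udp      17 28 src=192.168.1.55 dst=198.51.100.21 sport=5060 dport=5060 src=198.51.100.21 dst=192.168.1.57 sport=5060 dport=5060 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
MARK_RE = re.compile(r"mark=(\d+)")


def parse_conntrack(text: str) -> List[Dict]:
    """Parse conntrack -L lines into dicts holding the original and reply tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # skip anything that is not a two-tuple flow line
        (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
        mark = MARK_RE.search(line)
        entries.append({
            "proto": fields[0],
            "timeout": int(fields[2]),  # seconds left before the entry expires
            "orig": {"src": osrc, "dst": odst, "sport": int(osp), "dport": int(odp)},
            "reply": {"src": rsrc, "dst": rdst, "sport": int(rsp), "dport": int(rdp)},
            "assured": "[ASSURED]" in fields,  # replied-to flows use the longer stream timeout
            "mark": int(mark.group(1)) if mark else 0,
        })
    return entries


def classify_nat(entry: Dict) -> List[str]:
    """Derive which translations conntrack applied by comparing the two tuples.

    Reply packets are addressed to the *translated* source, so a reply dst/dport
    that differs from the original src/sport means SNAT; a reply src/sport that
    differs from the original dst/dport means DNAT. A changed port alone is the
    port remapping NAT does when the preferred source port is already in use.
    """
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        kinds.append("DNAT")
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):
        kinds.append("SNAT")
    if r["dport"] != o["sport"]:
        kinds.append("SPORT-REMAP")
    return kinds


def find_remapped_source_ports(text: str, port: int = 5060) -> List[Dict]:
    """Flows that left with source port `port` but were rewritten to another port."""
    return [e for e in parse_conntrack(text)
            if e["orig"]["sport"] == port and e["reply"]["dport"] != port]


def find_unassured(text: str) -> List[Dict]:
    """Flows still in the unreplied state, which expire on the short UDP timeout."""
    return [e for e in parse_conntrack(text) if not e["assured"]]


if __name__ == "__main__":
    for e in parse_conntrack(SAMPLE_CONNTRACK):
        print(e["timeout"], "assured" if e["assured"] else "unreplied",
              e["orig"], "->", e["reply"], classify_nat(e))
    remapped = find_remapped_source_ports(SAMPLE_CONNTRACK)
    print(f"{len(remapped)} flow(s) had source port 5060 rewritten by NAT")
```

On the load balancer itself the input would be the live table (`conntrack -L -p udp`, or `/proc/net/nf_conntrack` with its two leading columns stripped) rather than the constructed sample. The `timeout` column counts down against the `net.netfilter.nf_conntrack_udp_timeout` sysctl for unreplied flows and `net.netfilter.nf_conntrack_udp_timeout_stream` (120 seconds by default on recent kernels) once a flow is `[ASSURED]`, so comparing that column and the assured flag against the age of a call is a direct way to test whether an expiring or colliding conntrack entry lines up with the 120-second boundary the post describes.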
