Carl Schmidt
Symmetric NAT in iptables?

We (I'm not the developer) are using iptables to redirect/forward packets for SIP/UDP port 5060 to/from virtual IP addresses to the static interface IP for use on a SIP load balancer (ingress <--> LB <--> egress).

My trouble is when the egress side initiates a BYE (ends the call) the LB (load balancer) uses a different port other than port 5060 when forwarding the BYE packet to the ingress side. This condition ONLY occurs if the call is connected (duration) for some time less than 120 seconds. Calls connected greater than 120 seconds are sourced from port 5060 as expected.

My SIP application (opensips) has no configuration which would alter the src port, so we are convinced this is an action done by iptables, but we are not experienced enough. How can I ensure iptables is using symmetric NAT and retains src port 5060?

Any and all feedback is much appreciated!!!

Below is my iptables configuration.

[root@wsvelb-mstwn-a2p dLBM]# iptables -L PREROUTING -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.1.56         udp dpt:5060 /* edge 0 192.168.1.56 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.57         udp dpt:5060 /* edge 0 192.168.1.57 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.58         udp dpt:5060 /* edge 0 192.168.1.58 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.59         udp dpt:5060 /* edge 0 192.168.1.59 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.60         udp dpt:5060 /* edge 0 192.168.1.60 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.61         udp dpt:5060 /* edge 0 192.168.1.61 */ to:192.168.1.55:5060
DNAT       udp  --  0.0.0.0/0            192.168.1.62         udp dpt:5060 /* edge 0 192.168.1.62 */ to:192.168.1.55:5060

[root@wsvelb-mstwn-a2p dLBM]# iptables -L PREROUTING -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       udp  --  0.0.0.0/0            192.168.1.56         udp dpt:5060 /* edge 0 192.168.1.56 */ MARK set 0x41610b38
MARK       udp  --  0.0.0.0/0            192.168.1.57         udp dpt:5060 /* edge 0 192.168.1.57 */ MARK set 0x41610b39
MARK       udp  --  0.0.0.0/0            192.168.1.58         udp dpt:5060 /* edge 0 192.168.1.58 */ MARK set 0x41610b3a
MARK       udp  --  0.0.0.0/0            192.168.1.59         udp dpt:5060 /* edge 0 192.168.1.59 */ MARK set 0x41610b3b
MARK       udp  --  0.0.0.0/0            192.168.1.60         udp dpt:5060 /* edge 0 192.168.1.60 */ MARK set 0x41610b3c
MARK       udp  --  0.0.0.0/0            192.168.1.61         udp dpt:5060 /* edge 0 192.168.1.61 */ MARK set 0x41610b3d
MARK       udp  --  0.0.0.0/0            192.168.1.62         udp dpt:5060 /* edge 0 192.168.1.62 */ MARK set 0x41610b3e

[root@wsvelb-mstwn-a2p dLBM]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EDGE11     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3d /* edge 0 192.168.1.61 */
EDGE11     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3c /* edge 0 192.168.1.60 */
EDGE11     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3a /* edge 0 192.168.1.58 */
EDGE11     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b38 /* edge 0 192.168.1.56 */
EDGE11     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b39 /* edge 0 192.168.1.57 */
EDGE16     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3d /* edge 0 192.168.1.61 */
EDGE16     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3c /* edge 0 192.168.1.60 */
EDGE16     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3a /* edge 0 192.168.1.58 */
EDGE16     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b38 /* edge 0 192.168.1.56 */
EDGE16     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 mark match 0x41610b3b /* edge 0 192.168.1.59 */
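The rules above only show the DNAT side; what actually decides which source port the ingress side sees is the conntrack entry for each flow (its mapped reply tuple, whether it is ASSURED, and how many seconds remain before it expires). The script below is an added diagnostic aid, not part of the original post or of opensips: it parses `conntrack -L -p udp` output and flags SIP flows whose NAT mapping rewrote a port in either direction. The three conntrack lines it contains are constructed sample data.

```python
"""Added example (not from the original post): parse `conntrack -L -p udp` output
and flag flows whose NAT mapping rewrote a SIP port in either direction.
The conntrack lines below are constructed sample data."""
import re

HEAD_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
FIELDS = ("src", "dst", "sport", "dport")

# Constructed sample: a healthy DNAT flow, a half-open one, and an LB-originated
# flow whose source port was rewritten by SNAT (the peer sees it as 41234).
SAMPLE = """\
udp      17 117 src=10.1.2.3 dst=192.168.1.56 sport=5060 dport=5060 src=192.168.1.55 dst=10.1.2.3 sport=5060 dport=5060 [ASSURED] mark=1096878904 use=1
udp      17 25 src=10.1.2.4 dst=192.168.1.57 sport=5060 dport=5060 [UNREPLIED] src=192.168.1.55 dst=10.1.2.4 sport=5060 dport=5060 mark=1096878905 use=1
udp      17 25 src=192.168.1.55 dst=10.1.2.5 sport=5060 dport=5060 src=10.1.2.5 dst=192.168.1.56 sport=5060 dport=41234 [ASSURED] mark=0 use=1
"""

def parse_entry(line):
    """One conntrack line -> dict with original and reply tuples, or None."""
    head = HEAD_RE.match(line)
    tuples = TUPLE_RE.findall(line)
    if head is None or len(tuples) != 2:
        return None
    orig, reply = (dict(zip(FIELDS, t)) for t in tuples)
    mark = re.search(r"mark=(\d+)", line)
    return {"proto": head.group("proto"), "timeout": int(head.group("timeout")),
            "assured": "[ASSURED]" in line, "orig": orig, "reply": reply,
            "mark": int(mark.group(1)) if mark else 0}

def port_rewritten(entry):
    """True if NAT changed a port: for a symmetric mapping the reply tuple must
    mirror the original one (orig sport == reply dport, orig dport == reply sport)."""
    o, r = entry["orig"], entry["reply"]
    return o["sport"] != r["dport"] or o["dport"] != r["sport"]

def audit(text, sip_port="5060"):
    """Return (flagged, unassured) entry lists for flows involving sip_port."""
    flagged, unassured = [], []
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None or sip_port not in (e["orig"]["sport"], e["orig"]["dport"]):
            continue
        if port_rewritten(e):
            flagged.append(e)
        if not e["assured"]:  # no reply seen yet: the short UDP timeout applies
            unassured.append(e)
    return flagged, unassured

if __name__ == "__main__":
    flagged, unassured = audit(SAMPLE)
    for e in flagged:
        print("port rewritten:", e["orig"], "->", e["reply"], "timeout", e["timeout"])
    print(len(unassured), "unassured 5060 flow(s)")
```

Feed it the real output (`conntrack -L -p udp` on the LB) while a short call is up, then again after the BYE, and compare which entry the BYE actually matched and what its remaining timeout was.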
