
I have the following problem:

Device (eth0)----> SWITCH(trunk)+VLAN120 ---> (PC1)
                                +VLAN200 ---> (PC2)

I am able to ping from PC1 to PC2, which are in different subnets as above, using NAT rules in iptables as below, since they are in different subnets:

iptables -t nat -A POSTROUTING -o eth0.120 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0.200 -j MASQUERADE

iptables -I FORWARD -i eth0.120 -o eth0.200 -p udp -m udp --dport 5060 -j ACCEPT
iptables -I FORWARD -i eth0.200 -o eth0.120 -p udp -m udp --dport 5060 -j ACCEPT
iptables -A FORWARD -j DROP  ---> This drops the rest of the traffic.

WITHOUT the last DROP rule in FORWARD chain, I was able to establish a SIP connection.

However since I added the DROP rule to eliminate other traffic, I am not able to establish a SIP connection.

This means there are some other ports that the client and server are communicating through. In tcpdump it says 8000, sometimes 5435. This other port changes every time.

So I read that an Application Level Gateway can help in solving this problem.

How can I use ALG with iptables for allowing dynamic ports?

RootPhoenix

1 Answer

So I have managed to get this working:

First of all NAT is not required as suggested by Michael.

Now, to allow SIP at port 5060, I used the following rules:

iptables -D FORWARD -j delegate_forward

iptables -D FORWARD -j DROP
iptables -I FORWARD -i eth0.120 -o eth0.200 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth0.200 -o eth0.120 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth0.120 -o eth0.200 -p tcp --dport 5060 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth0.200 -o eth0.120 -p tcp --dport 5060 -m state --state NEW -j ACCEPT

iptables -A FORWARD -i eth0.120 -o eth0.200 -p icmp -j ACCEPT
iptables -A FORWARD -i eth0.200 -o eth0.120 -p icmp -j ACCEPT

iptables -A FORWARD -j DROP

And it works.

RootPhoenix