Hi fellows,

I have a very weird case in my firewall.

I have an asterisk server and some phones and between them there is a linux firewall based on iptables.

With basic rules on iptables everything works ok, but when I put a single nat rule (no matter what rule I use) some packets from some phones mysteriously disappear from interface to interface.

Clearer:
The firewall has two interfaces: eth0 (pointing to phones) and eth2 (pointing to asterisk).

One problematic phone is 192.168.3.242, so I use tcpdump this way.

Code:
[prompt] tcpdump -i eth0 src 192.168.3.242
15:30:42.882384 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:43.881547 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:45.881193 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
Using -vvv I can see it is a SIP udp REGISTER request to the asterisk server (192.168.60.101).

With no nat in the firewall I use "-i eth2" and I can see the packet, so the packet reaches the server and works ok. But when there is nat present in the firewall I cannot see the packet on eth2.

The packet is always present in eth0.
The nat I use has nothing to do with the ips or ports involved; even only empty nat accept rules like the following are enough to make the packets disappear:

Code:
*nat
:PREROUTING ACCEPT [351972:20012909]
:POSTROUTING ACCEPT [271654:13563320]
:OUTPUT ACCEPT [23093:1426014]
COMMIT
I log everything denied and nothing appears.
I've tried logging state INVALID and it was not there either.

I have no clue where to find the packet or why it is gone.

Could it be a netfilter conntrack issue?
Could it be a hardware issue?

I'm no expert in the SIP protocol, but the packet looks ok... and travels fine when nat is gone, so I suppose the phone is ok.

Please help me with this, or advise me please where to post this.

Thanks in advance!

Juan M.
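A small check that makes the eth0/eth2 comparison from the post mechanical, added here as an example and not part of the original post: it counts SIP packets per flow in two tcpdump captures and reports flows that entered on eth0 more often than they left on eth2. The capture lines are constructed to match the post's output format; the file and function names are my own.

```shell
#!/bin/sh
# Compare an ingress capture (eth0, phone side) with an egress capture
# (eth2, asterisk side) and report flows that entered the firewall more
# often than they left it. Both captures must come from tcpdump run with
# the same options so the line format matches.

# Constructed sample captures in the post's tcpdump format (not real data).
IN_CAP=$(mktemp); OUT_CAP=$(mktemp)
trap 'rm -f "$IN_CAP" "$OUT_CAP"' EXIT
cat > "$IN_CAP" <<'EOF'
15:30:42.882384 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:43.881547 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:45.881193 IP 192.168.3.242.sip > 192.168.60.101.sip: SIP, length: 626
15:30:45.900000 IP 192.168.3.10.sip > 192.168.60.101.sip: SIP, length: 512
EOF
cat > "$OUT_CAP" <<'EOF'
15:30:45.900200 IP 192.168.3.10.sip > 192.168.60.101.sip: SIP, length: 512
EOF

# missing_flows INGRESS_FILE EGRESS_FILE
# Prints "<deficit> <src> > <dst> len=<n>" for every flow whose packet count
# on ingress exceeds its count on egress. Flow key = src, dst, payload length.
missing_flows() {
  awk '$2 != "IP" { next }                       # skip non-IP / noise lines
       { dst = $5; sub(/:$/, "", dst)            # drop the trailing colon
         key = $3 " > " dst " len=" $NF }
       FILENAME == ARGV[1] { in_cnt[key]++; next }
       { out_cnt[key]++ }
       END {
         for (k in in_cnt) {
           if (k in out_cnt) d = in_cnt[k] - out_cnt[k]; else d = in_cnt[k]
           if (d > 0) print d, k
         }
       }' "$1" "$2" | sort
}

# missing_count INGRESS_FILE EGRESS_FILE -> number of flows with a deficit
missing_count() {
  missing_flows "$1" "$2" | wc -l | tr -d ' '
}

echo "Flows seen on eth0 but short on eth2:"
missing_flows "$IN_CAP" "$OUT_CAP"
```

Feed it two real captures taken with identical tcpdump options on eth0 and eth2; any flow it reports is one whose packets entered the box but never left it, which is exactly where a raw-table TRACE rule or a look at the conntrack table for that source should go next.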