Check also the FAQ in the siproxd package.
Scenario:
    private IP address range              :          Internet
    10.0.0.x                              :          (public IP address range)
                                          :
                                          :         foo.bar.org
    +-------------+               +--------------+
    !             !.10         .1 ! masquerading ! publicIP
    ! IntHost     !---------------!   Firewall   !------------>>
    !             !               !              !
    +-------------+               +--------------+
                              eth0        :      ppp0
The firewall does IP masquerading and runs siproxd. IntHost runs a SIP softphone (such as linphone or kphone). The SIP address used by the softphone is sip:johndoe@foo.bar.org. The softphone is configured to register with siproxd running on the firewall host (10.0.0.1) as sip:johndoe@foo.bar.org. foo.bar.org is the domain name that resolves to the public IP address of the firewall (for example, via a dynamic DNS service such as DynDNS).
Firewall configuration (iptables):
    # allow incoming SIP and RTP traffic
    iptables -A INPUT -m udp -p udp -i ppp0 --dport 5060 -j ACCEPT
    iptables -A INPUT -m udp -p udp -i ppp0 --dport 7070:7089 -j ACCEPT
Firewall configuration (ipchains):
    # allow incoming SIP and RTP traffic
    ipchains -A input --proto udp --dport 5060 -j ACCEPT
    ipchains -A input --proto udp --dport 7070:7089 -j ACCEPT
In each rule set, the first rule allows incoming SIP traffic. The second rule allows incoming RTP traffic on ports 7070 - 7089 (the default port range used by siproxd for incoming RTP traffic).
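If the SIP port or RTP range is changed in siproxd.conf, the firewall openings have to follow, and should not be wider than what siproxd uses. The script below is an added example (not part of the siproxd documentation) that derives the two iptables rules from the configuration and prints them for review. It assumes the siproxd.conf option names sip_listen_port, rtp_port_low and rtp_port_high; the helper names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Read one "key = value" setting from a siproxd.conf-style file ($1); print
# the fallback ($3) when the key ($2) is absent or commented out.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Succeed only for a decimal port number in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print (do not apply) the INPUT rules for config file $1 and interface $2.
gen_rules() {
    conf=$1 ifc=$2
    sip=$(conf_get "$conf" sip_listen_port 5060)
    lo=$(conf_get "$conf" rtp_port_low 7070)
    hi=$(conf_get "$conf" rtp_port_high 7089)
    for p in "$sip" "$lo" "$hi"; do
        is_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    [ "$lo" -le "$hi" ] || { echo "rtp_port_low > rtp_port_high" >&2; return 1; }
    echo "iptables -A INPUT -m udp -p udp -i $ifc --dport $sip -j ACCEPT"
    echo "iptables -A INPUT -m udp -p udp -i $ifc --dport $lo:$hi -j ACCEPT"
}

# Constructed sample configuration (not a file shipped with siproxd).
sample_conf() {
    cat <<'EOF'
# siproxd.conf excerpt (constructed)
if_inbound  = eth0
if_outbound = ppp0
sip_listen_port = 5060
#rtp_port_low = 9000
rtp_port_low  = 7070
rtp_port_high = 7089   # inclusive
EOF
}

# Demo on the constructed sample; review the output before applying it.
tmp=$(mktemp) && sample_conf > "$tmp" && gen_rules "$tmp" ppp0; rm -f "$tmp"
```

The rules are only printed, so the output can be compared against `iptables -S INPUT` before anything is changed on the firewall.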