Unable to have SIP call through the firewall

I’m trying to expose my asterisk server ports to be able to make a call from a remote location.
I’m having this exact problem:

I tried the solution proposed by Nas in that post.
In my /etc/shorewall/shorewall.conf I have:


but it seems to be ignored since

lsmod|grep sip
nf_conntrack_sip 33860 2
nf_conntrack 111302 30 nf_nat_ftp,nf_nat_irc,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_conntrack_proto_udplite,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_proto_sctp,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

shows the module loaded and used (since it is used I’m not able to rmmod it).

My nethserver version is:
NethServer release 7.3.1611 (Final)

Hi @fmagni,

I tried it and could manage starting shorewall without the modules you don’t want.
What I did:

Prepare template-custom to save changes even after reboot or update:

mkdir -p /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/

Create /etc/e-smith/templates-custom/etc/shorewall/shorewall.conf/91DONTLOADSIP and write 2 params:


Then apply your custom config to shorewall.conf:

# apply config changes in 60options to shorewall.conf
expand-template /etc/shorewall/shorewall.conf
# Clear shorewall to be able to kick the unwanted modules
shorewall clear
# unload the modules
rmmod nf_nat_sip nf_conntrack_sip
# restart shorewall
systemctl restart shorewall
# Now this command should return nothing
lsmod|grep sip



Thank you, Markus.
I missed
in my 60options files.

Now I don’t have the modules enabled and can go on testing. :slight_smile:


Hi Fabrizio,
is it solved? Than mark the answer as solution please.

1 Like

we have in development a feature related to this

1 Like