Your setup is pretty identical to what I'm trying, except I don't have a linux firewall; I have a sonicwall pro. I tried putting the gnugk proxy in a public arena and found that so long as only one of the clients sits behind a natted firewall it does work. However, if two of the clients sit behind a natted firewall it won't. Have you considered, for security reasons, putting your proxy on the DMZ side of the firewall?

-----Original Message-----
From: Rob Fowler [mailto:security@mianos.com]
Sent: Monday, 11 August 2003 3:48 PM
To: openh323gk-users@lists.sourceforge.net
Subject: [Openh323gk-users] nat tunnelling question

I would like to use some VOIP apps. I have/want the following setup:
http://www.sarcanthinae.com/misc/aao (if this does not work refresh once).

Basically I have a linux firewall and a machine that's on the internet, relatively open. On the inside of the linux firewall (192.168.1.X address range) I have a few VOIP clients (netmeeting, openphone, can be changed).

What I would like to do is allow outside people to contact inside people by registering with the gateway running on the outside machine.

I have used the ini files shown at the end of this mail and am running the gatekeeper with

./gnugk -rr -r -t 4

on both ends.

On the firewall I have opened up the following ports to allow the control and rtp:

..
iptables -A specificallow -m multiport -p tcp -i ppp0 --dport 1721 -j ACCEPT
iptables -A specificallow -m multiport -p udp -i ppp0 --dport 1718,1719 -j ACCEPT
iptables -A specificallow -p tcp -i ppp0 --dport 1720 -j ACCEPT
..

I was thinking that in this mode the gatekeepers should tunnel the voice channel. The control channel seems to work a bit.

A couple of simple questions: Is this correct? Will this work? Is this possible?

(If I get this working I will document it and submit the document, as there seem to be lots of bits of documentation but it's hard to work out all this.)
--
Rob Fowler

ini file on the firewall:

[Gatekeeper::Main]
Fourtytwo=42
TimeToLive=300
name=GK1

[GkStatus::Auth]
rule=allow

[RoutedMode]
GKRouted=1
H245Routed=1
AcceptUnregisteredCalls=1
SupportNATedEndpoints=1
H245PortRange=30000-30020
Q931PortRange=40000-40020
AcceptNeighborsCalls=1

[Proxy]
Enable=1
RTPPortRange=50000-50020
T120PortRange=60000-60020
InternalNetwork=192.168.1.1/8

[GkStatus::Auth]
rule=allow

[Gatekeeper::Auth]
default=allow

[RasSrv::Neighbors]
GK2=XXX.31.37.25;*

and the following ini on the outside machine:

[Gatekeeper::Main]
Fourtytwo=42
TimeToLive=300
name=GK2

[RoutedMode]
GKRouted=1
H245Routed=1
AcceptUnregisteredCalls=1
SupportNATedEndpoints=1
H245PortRange=30000-30020
Q931PortRange=40000-40020
AcceptNeighborsCalls=1

[Proxy]
Enable=1
RTPPortRange=50000-50020
T120PortRange=60000-60020

[GkStatus::Auth]
rule=allow

[Gatekeeper::Auth]
default=allow

[RasSrv::Neighbors]
GK1=XXX.51.20.226;*

_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/
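Added example (not part of the original messages and not GnuGK project code): a check that compares the port ranges in the firewall-side ini with the ACCEPT rules quoted above and reports every range that has no matching rule. The transport protocol assigned to each range and the trimmed sample input are assumptions, and the rules elided by ".." in the message may already cover these ports.

```python
import configparser
import re
# Constructed sample input: the rules and port ranges quoted in the message above.
RULES = """\
iptables -A specificallow -m multiport -p tcp -i ppp0 --dport 1721 -j ACCEPT
iptables -A specificallow -m multiport -p udp -i ppp0 --dport 1718,1719 -j ACCEPT
iptables -A specificallow -p tcp -i ppp0 --dport 1720 -j ACCEPT
"""
GK_INI = """\
[RoutedMode]
H245PortRange=30000-30020
Q931PortRange=40000-40020
[Proxy]
RTPPortRange=50000-50020
T120PortRange=60000-60020
"""
# Assumption: H.245, Q.931 and T.120 run over TCP, proxied RTP over UDP.
RANGE_PROTO = {"H245PortRange": "tcp", "Q931PortRange": "tcp",
               "RTPPortRange": "udp", "T120PortRange": "tcp"}

def accepted_ports(rules):
    """Return {proto: set of ports} for ACCEPT rules that carry -p and --dport(s)."""
    allowed = {"tcp": set(), "udp": set()}
    for line in rules.splitlines():
        proto = re.search(r"-p\s+(tcp|udp)", line)
        dport = re.search(r"--dports?\s+(\S+)", line)
        if proto and dport and "-j ACCEPT" in line:
            for item in dport.group(1).split(","):
                lo, _, hi = item.partition(":")  # iptables writes ranges as lo:hi
                allowed[proto.group(1)].update(range(int(lo), int(hi or lo) + 1))
    return allowed

def uncovered_ranges(ini_text, rules):
    """List (key, proto, missing port count) for ranges not fully accepted."""
    cfg = configparser.ConfigParser(strict=False)  # the quoted ini repeats a section
    cfg.optionxform = str  # keep key case as written in the ini
    cfg.read_string(ini_text)
    allowed, gaps = accepted_ports(rules), []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            if key in RANGE_PROTO:
                lo, hi = (int(p) for p in value.split("-"))
                missing = set(range(lo, hi + 1)) - allowed[RANGE_PROTO[key]]
                if missing:
                    gaps.append((key, RANGE_PROTO[key], len(missing)))
    return gaps

if __name__ == "__main__":
    print(uncovered_ranges(GK_INI, RULES))
```

Run against the quoted input, it reports all four ranges as uncovered, since the rules shown accept only ports 1718-1721.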