Earl,

Simply port forwarding TCP 1720 is not a complete solution and it also requires the user to set it up. The purpose of H.460.18/19/23/24/24a is to provide a complete no-user-setup solution to traverse NAT. In fact if you are using H.460.18/.19 then the port forwarding is simply ignored. When calling an endpoint that is behind a NAT that supports H.460.18/.19, the gatekeeper will send an RAS message and the endpoint will call out a TCP connection through the NAT to receive the SETUP message.

The solution is to use an H.323 ALG in the router. This has its own pitfalls. Most of them don't work (not just H.323 but SIP too) in all cases. I bought a NetGear router for testing and it had an H.323 ALG which worked fine as long as you did not change your TCP listening port from 1720; then it just didn't work. The worst part was you couldn't turn the damn thing off.

H.460.23 has the ability to detect ALGs and work with them but if you have a problematic ALG then this will not help. The best solution I found was to change the GnuGk RAS port from 1719 to something like 21719 and bypass the ALG and everything seems to work fine.

Simon

-----Original Message-----
From: Earl [mailto:Large.Files@xxxxxxx]
Sent: Tuesday, 11 August 2009 4:04 AM
To: GNU Gatekeeper Users
Subject: Re: H.460.18/.19/.23/.24/.24A support now in GnuGk / H323plus

Hi,

another reply to my own msg.

I have found out that Jing Min Zhao and Patrick McHardy worked on development of NAT helper modules up to about 2006 and kernel 2.6.16 when the modules were brought into the Linux kernel.

It is only necessary to load the modules

    modprobe nf_conntrack_h323

and

    modprobe nf_nat_h323

to have a NAT router that is h.323 aware. Some lines also have to be added to the IPtables rules.

Does anyone *not* like the following lines in IPtables?

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 1720 -j ACCEPT

and

    iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1720 -j DNAT --to-destination 192.168.1.4
    iptables -A FORWARD -d 192.168.1.4 -p tcp --dport 1720 -j ACCEPT

where 192.168.1.4 must be changed appropriately.

There is also a possibility that certain SOHO routers running under OpenWRT or DD-WRT can become h.323-aware routers. I have started (as a Linux newbie) to write a how-to. Any suggestions, comments, and help appreciated.

Earl

Earl wrote:
> Reply to my own msg, with more info
>
> There are H.323 NAT Helper Modules for Linux Kernels at
>
> http://sourceforge.net/projects/nath323/files/
> but the latest is from 2006 for kernel 2.6.18, which is a very old kernel.
> It does
> Enable Linux firewall to support connection tracking and NAT of H.323
> protocol. It supports RAS, Fast Start, H.245 Tunnelling, Call Forwarding,
> Signal Proxy/Softswitch, RTP/RTCP and T.120 based audio, video, fax,
> chat, whiteboard, file transfer, etc.
>
> My suspicion is that the h.323 NAT helper modules are now incorporated
> into the kernel itself. If so, how to use IPtables in a modern kernel
> to make the FW natively h.323-aware with connection tracking and only
> opening ports as needed by listening to the handshaking ?
>
> Earl
>
> Earl wrote:
>
>> Hi Simon, hi Jan,
>>
>> I have the following needs:
>>
>> * run GnuGK on a Linux box behind a NAT router
>> - if necessary in a DMZ and with port forwarding
>> I have read that GnuGK *must* be connected directly to the Internet and
>> can not provide NAT traversal if GnuGK is behind a NAT router. My
>> understanding is that there are no exceptions to this rule, not even DMZ
>> and port forwarding can help.
>>
>> * all participants will be using a computer behind a NAT router.
>> Some of the NATs will be symmetrical.
>>
>> * secure voice and secure file transfer are needed.
>>
>> Questions:
>>
>> - Is it possible to use PacPhone in the above situation?
>>
>> - In what time frame might PacPhone be compatible with the newest ITU
>> standards?
>>
>> - Do H.460.18/.19/.23/.24/.24A still have the requirement that GnuGK
>> absolutely and with no exceptions be connected directly to the Internet ?
>>
>> - I have read that in the past it was possible to use a Linux box as
>> router and FW by compiling especially written modules into the kernel.
>> These modules made IPtables natively aware of h.323. I have also read
>> that the latest Linux kernels since 2.26.13 ???? are h.323 aware, but can
>> find no further information about this.
>>
>> It seems to me that if one could tell the present SOHO NAT router not to
>> NAT and follow this with a Linux box doing NAT with native h.323-aware
>> traversal, then this could be a good solution working with any hard- or
>> softphone. Since I am not a programmer, I am a bit lost here.
>>
>> Regards, Earl

_______________________________________________________
Posting: mailto:Openh323gk-users@xxxxxxxxxxxxxxxxxxxxx
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=openh323gk-users
Unsubscribe: http://lists.sourceforge.net/lists/listinfo/openh323gk-users
Homepage: http://www.gnugk.org/
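
An added example, not part of the original thread: a shell audit that checks a /proc/modules listing and an iptables-save dump for the pieces Earl's message describes (both helper modules, the TCP 1720 DNAT and its matching FORWARD accept) and notes whether RELATED traffic is accepted in FORWARD. The function names and the sample module and rule data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a module list and an iptables-save dump for the H.323
# helper setup discussed in the thread. All sample data is constructed.

has_module() {   # has_module FILE NAME: is NAME listed (/proc/modules format)?
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

opt_of() {       # opt_of RULE OPT: print the argument that follows OPT in RULE
    printf '%s\n' "$1" |
        awk -v o="$2" '{ for (i = 1; i < NF; i++) if ($i == o) { print $(i + 1); exit } }'
}

audit_h323() {   # audit_h323 MODULES RULES: print findings, return number of gaps
    gaps=0
    for m in nf_conntrack_h323 nf_nat_h323; do
        has_module "$1" "$m" || { echo "MISSING module $m"; gaps=$((gaps + 1)); }
    done
    rule=$(grep -E -- '^-A PREROUTING .*-p tcp .*--dport 1720 .*-j DNAT' "$2" | head -n 1)
    dest=$(opt_of "$rule" --to-destination); dest=${dest%%:*}
    if [ -z "$dest" ]; then
        echo "MISSING DNAT for tcp/1720"; gaps=$((gaps + 1))
    elif ! grep -E -- '^-A FORWARD .*-p tcp .*--dport 1720 .*-j ACCEPT' "$2" |
            grep -Fq -e "-d $dest " -e "-d $dest/32 "; then
        echo "MISSING FORWARD accept for $dest tcp/1720"; gaps=$((gaps + 1))
    fi
    # Helper-expected H.245/RTP flows to a DNATed host traverse FORWARD, not INPUT.
    grep -Eq -- '^-A FORWARD .*RELATED.*-j ACCEPT' "$2" ||
        echo "NOTE no RELATED accept in FORWARD; media depends on the FORWARD policy"
    return "$gaps"
}

# Constructed sample: the thread's four rules as iptables-save would print them.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/modules" <<'EOF'
nf_nat_h323 16384 0 - Live 0x0000000000000000
nf_conntrack_h323 77824 1 nf_nat_h323, Live 0x0000000000000000
EOF
cat > "$tmp/rules" <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1720 -j ACCEPT
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1720 -j DNAT --to-destination 192.168.1.4
-A FORWARD -d 192.168.1.4/32 -p tcp -m tcp --dport 1720 -j ACCEPT
EOF
audit_h323 "$tmp/modules" "$tmp/rules" || echo "gaps found: $?"
```

On a live router the two inputs would be /proc/modules and the output of iptables-save saved to a file.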