Simon, thanks for your response.

My problem is that I have been fighting SIP against NAT for many years and I am getting tired of banging my head against the wall. I would prefer not to do this with h.323, if possible. My information is that there are no SIP ALGs that work correctly and it is necessary to disable them.

I have just received information from Brainslayer, who writes the DD-WRT router software for various routers, including the famous WRT54 Linksys. He said that DD-WRT software loads the h.323 kernel modules automatically and therefore a router that has been flashed with DD-WRT is natively h.323 aware and does connection tracking. This connection tracking spies on h.323 negotiations and for *each* port that is negotiated, it immediately in real time adds port-forwarding and opens that port in the firewall. Other ports remain closed - it is not necessary to open a barn door of ports. I have read that the IPtables line about port 1720 is necessary; other port-forwarding and FW pin-holes are done on-the-fly automatically, as necessary.

The big, mega question is whether the use of such a h.323 connection tracker is the silver bullet allowing GnuGK to be connected behind such a NAT router - or whether GnuGK must still be connected directly to the Internet with no exceptions whatsoever???

In my tests until now, I was using a DD-WRT flashed Linksys router on one end, but a difficult and secure symmetrical NAT router on the other. The GnuGK was behind the Linksys NAT router in a DMZ, with port-forwarding. However, the docs for GnuGK say it *MUST* be connected directly and may *not* be behind any NAT or any router.

Another question is, *if* GnuGK can *not* function correctly behind a h.323-aware NAT router, is the best solution for all participants to use Pacphone behind a h.323-aware NAT router and call directly using a fixed IP or dynDNS host name??? Does Pacphone have any problem using a dynDNS host name as address?
Is GnuGK necessary to indicate presence - or can Pacphones in P2P mode do this among themselves, say with 5 or 10 participants?

I have several Linksys WRT54 routers and like the DD-WRT software since it has OpenSSH and OpenVPN, PPTP server and client, SIP server, h.323 connection tracking, and much more. Almost everything can be configured via the Web interface and its power consumption is very low. Until now, I did not know that it enabled h.323 connection tracking on boot-up. It looks like time to replace the symmetrical NAT router with a DD-WRT router.

Thanks in advance for your help and comments/suggestions.

Earl

Simon Horne wrote:
> Earl
>
> Simply port forwarding TCP 1720 is not a complete solution and it also
> requires the user to set it up. The purpose of H.460.18/19/23/24/24a is to provide a
> complete no-user-setup solution to traverse NAT. In fact, if you are using
> H.460.18/.19 then the port forwarding is simply ignored. When calling an
> endpoint that is behind a NAT that supports H.460.18/.19, the gatekeeper will
> send an RAS message and the endpoint will call out a TCP connection through
> the NAT to receive the SETUP message.
>
> The solution is to use an H.323 ALG in the router. This has its own
> pitfalls. Most of them don't work (not just H.323 but SIP too) in all cases.
> I bought a NetGear router for testing and it had an H.323 ALG which worked
> fine as long as you did not change your TCP listening port from 1720; then it
> just didn't work. The worst part was you couldn't turn the damn thing off.
> H.460.23 has the ability to detect ALGs and work with them, but if you have
> a problematic ALG then this will not help. The best solution I found was to
> change the GnuGk RAS port from 1719 to something like 21719 and bypass the
> ALG, and everything seems to work fine.
>
> Simon
>
> -----Original Message-----
> From: Earl [mailto:Large.Files@xxxxxxx]
> Sent: Tuesday, 11 August 2009 4:04 AM
> To: GNU Gatekeeper Users
> Subject: Re: H.460.18/.19/.23/.24/.24A support now in GnuGk / H323plus
>
> Hi,
> another reply to my own msg.
> I have found out that Jing Min Zhao and Patrick McHardy worked on
> development of NAT helper modules up to about 2006 and kernel
> 2.6.16, when the modules were brought into the Linux kernel.
>
> It is only necessary to load the modules
>     modprobe nf_conntrack_h323
> and
>     modprobe nf_nat_h323
> to have a NAT router that is h.323 aware.
>
> Some lines also have to be added to the IPtables rules.
> Does anyone *not* like the following lines in IPtables?
>
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     iptables -A INPUT -p tcp --dport 1720 -j ACCEPT
> and
>     iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1720 -j DNAT --to-destination 192.168.1.4
>     iptables -A FORWARD -d 192.168.1.4 -p tcp --dport 1720 -j ACCEPT
> where 192.168.1.4 must be changed appropriately.
>
> There is also a possibility that certain SOHO routers running under
> OpenWRT or DD-WRT can become h.323-aware routers.
>
> I have started (as a Linux newbie) to write a how-to.
> Any suggestions, comments, and help appreciated.
>
> Earl
>
> Earl wrote:
>
>> Reply to my own msg, with more info
>>
>> There are H.323 NAT Helper Modules for Linux Kernels at
>>
>> http://sourceforge.net/projects/nath323/files/
>> but the latest is from 2006 for kernel 2.6.18, which is a very old kernel.
>> It does:
>> Enable Linux firewall to support connection tracking and NAT of H.323
>> protocol. It supports RAS, Fast Start, H.245 Tunnelling, Call Forwarding,
>> Signal Proxy/Softswitch, RTP/RTCP and T.120 based audio, video, fax,
>> chat, whiteboard, file transfer, etc.
>>
>> My suspicion is that the h.323 NAT helper modules are now incorporated
>> into the kernel itself.
>> If so, how to use IPtables in a modern kernel to make
>> the FW natively h.323-aware with connection tracking and only opening
>> ports as needed by listening to the handshaking?
>>
>> Earl
>>
>> Earl wrote:
>>
>>> Hi Simon, hi Jan,
>>>
>>> I have the following needs:
>>>
>>> * run GnuGK on a Linux box behind a NAT router
>>>   - if necessary in a DMZ and with port forwarding
>>>   I have read that GnuGK *must* be connected directly to the Internet and
>>>   can not provide NAT traversal if GnuGK is behind a NAT router. My understanding is
>>>   that there are no exceptions to this rule; not even DMZ and port
>>>   forwarding can help.
>>>
>>> * all participants will be using a computer behind a NAT router.
>>>   Some of the NATs will be symmetrical.
>>>
>>> * secure voice and secure file transfer are needed.
>>>
>>> Questions:
>>>
>>> - Is it possible to use PacPhone in the above situation?
>>>
>>> - In what time frame might PacPhone be compatible with the newest ITU
>>>   standards?
>>>
>>> - Do H.460.18/.19/.23/.24/.24A still have the requirement that GnuGK
>>>   absolutely and with no exceptions be connected directly to the Internet?
>>>
>>> - I have read that in the past it was possible to use a Linux box as
>>>   router and FW by compiling especially written modules into the kernel. These modules
>>>   made IPtables natively aware of h.323. I have also read that the latest
>>>   Linux kernels since 2.26.13 ???? are h.323 aware, but can find no further
>>>   information about this.
>>>
>>> It seems to me that if one could tell the present SOHO NAT router not to
>>> NAT and follow this with a Linux box doing NAT with native h.323-aware
>>> traversal, then this could be a good solution working with any hard- or
>>> softphone. Since I am not a programmer, I am a bit lost here.
>>>
>>> Regards, Earl
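An added example, not code from any message in this thread: Earl's port-1720 rules as they need to be written on a current kernel, where the H.323 conntrack helper must be bound explicitly with the CT target instead of being attached automatically to every flow on port 1720. The WAN interface name and the internal host are assumed arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: print the iptables rule set for a
# Linux NAT router that forwards only TCP 1720 (Q.931 call signalling) to one
# internal H.323 host and lets the kernel's H.323 conntrack helper open the
# negotiated H.245 and RTP/RTCP ports on demand. The WAN interface and the
# internal host are assumed arguments (e.g. ppp0 192.168.1.4).
#
# On current kernels the helper is no longer attached automatically to every
# flow on port 1720 (net.netfilter.nf_conntrack_helper defaults to 0 since
# 4.7, and the toggle was later removed), so it must be bound explicitly with
# the CT target in the raw table. nf_conntrack_h323 registers the helpers
# "Q.931" (TCP call signalling), "H.245" and "RAS" (UDP 1719).
h323_nat_rules() {
    wan="$1"   # Internet-facing interface
    gk="$2"    # internal gatekeeper or endpoint address
    cat <<EOF
modprobe nf_conntrack_h323
modprobe nf_nat_h323
# attach the Q.931 helper to call signalling in either direction; the helper
# parses the H.225 messages and registers the ports they negotiate as expectations
iptables -t raw -A PREROUTING -p tcp --dport 1720 -j CT --helper Q.931
# the only static hole: forward incoming call signalling to the internal host
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1720 -j DNAT --to-destination $gk
# default-deny forwarding; RELATED admits exactly the ports the helper expected
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -d $gk -p tcp --dport 1720 -m conntrack --ctstate NEW -j ACCEPT
# verify during a call: conntrack -L 2>/dev/null | grep -c 'helper=Q.931'
EOF
}

# run directly with two arguments to print the rules, e.g. ./h323-rules.sh ppp0 192.168.1.4
if [ "$#" -eq 2 ]; then
    h323_nat_rules "$1" "$2"
fi
```

The printed rules are meant to be reviewed and then applied as root; the final `conntrack -L` line is the check that the helper was actually attached to the signalling flow.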