Hi,
I want to implement in our organisation a complete video conferencing
infrastructure but I am completely novice
in this matter. I read a lot of documentation these last days but there are
some points that stay not clear.
As you can see it above, we want to open domains DEV1 and DEV2 to the net
for h.323 traffic.
The current situation incorporates :
10.66.0.xxx
+---------------+
| SMC7008BR |
+---------------+
10.66.1.xxx
DEV2
| |
+---------+-+ +--+--------+
| slack 8.0 | | Slack 8.0 |
+-----------+ +-----------+
192.168.0.xxx +-----+ 10.66.0.xxx
| pp0 | +---------------+
+--+--+ | switch |
| +---------------+
| DMZ
+-------+ +-------------+
| NS2 | | NS1
|
10.66.0.xxx | HTTP2| | HTT1 |
+---------------+ +-------+ | FTP +--ISP
| SMC7008BR| | SMTP |
+---------------+ +-------------+
192.168.0.xxx 192.168.0.xxx
DEV1
| |
+-----------+-+ +-+---------+
| linux | .... | w2k |
+-------------+ +-----------+
GnomeMeeting NetMeeting
- a firewall iptables on NS1 and NS2
- communcication with the net is passing through our DMZ zone
- DMZ integrates 2 servers linux slackware 8.0 / kernel 2.4.18 /
patch-o-matic-20020825 / iptables 1.2.7a
- DMZ is configured with nat feature for traffic between DEV1/DEV2 and the
net
- DEV1/DEV2 includes some 15 users with webcams and/or H323 compliant
equipment.
So the problems I encounter are the following :
- As all I could see on the net, all config examples represent configuration
with one client using h.323 protocol
#! /bin/bash
EXTERNAL_IF=eth0
EXTERNAL_IP=mon.ip.pub.lic
PCA_HOST=mon.ip.pri.vee
$IPTABLES=/usr/local/sbin/iptables
/sbin/modprobe -a -k -s -v ip_nat_h323
logger -s "H323 Ports"
H323_PORTS="389 522 1503 1720 1731 8080"
for PORT in $H323_PORTS; do
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp -d $EXTERNAL_IP \
--dport $PORT -m state --state NEW,ESTABLISHED,RELATED \
-j DNAT --to-destination $PCA_HOST -v
done
logger -s "H323 Ports"
H323_PORTS="389 522 1503 1720 1731 8080"
for PORT in $H323_PORTS; do
$IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p udp -d $EXTERNAL_IP \
--dport $PORT -m state --state NEW,ESTABLISHED,RELATED \
-j DNAT --to-destination $PCA_HOST -v
... I found above iptables config example but problem for me is I have 15
users and not one
- I have installed iptables/NAT on my DMZ servers but I remarked some
clients as GnomeMeeting 0.94 are full NAT compliant
... so what does it mean, that my linux clients will have some troubles
because I use two products producing NAT
... capabilities ??? and what about Ms Netmeeting and ip_nat_h323 ???
- I patched my kernels 2.4.18 with patch-o-matic-20020825 to use ip_nat_h323
... ok but is this module a solution for me to redirect h.323 traffic
between
... internet --> 10.66.0.xxx --> 192.168.0.xxx
... internet --> 10.66.0.xxx --> 10.66.1.xxx
... 192.168.0.xxx --> 10.66.0.xxx --> internet
... 10.66.1.xxx --> 10.66.0.xxx --> internet
but the problem is I have concurrent connections .
- I read yesterday that it is possible to concentrate h.323 connections on a
gatekeeper as OpenH323 Gatekeeper
... do you think I have to use a gatekeeper with iptables ???
So maybe you can find my questions stupid or without any sense but I repeat
it I got no experience with this.
So, with information I received I imagine to impelement my h.323
infrastructure as mentionned below.
- configuring iptables on NS1 (10.66.0.1) with the script mentionned above
and replacing PCA_HOST with ip adress of NS2 (10.66.0.2)
- installing OpenH323 gatekeeper on NS2 (10.66.0.2)
- configuring all clients with gatekeeper NS2 (10.66.0.2).
So, thanks for any comment, remark, experience, suggestions and/or
corrections on what I mentionned above.
Thanks in advance.
Vincent
