Re: Iptables and Kernel

Is iptables still needed for kernel 2.6.x? I see a lot of iptables
patches go into the kernel, but not many updates on
www.netfilter.org. The logo on netfilter says firewalling, NAT and
packet mangling for Linux 2.4. So I guess much of the code goes directly
into the kernel? Also, does kernel 2.6.3 support Netmeeting and MSN
Instant Messenger, or do I need the following plug-in,
http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?

1) iptables is the userspace component. Yes, it is still needed in 2.6.x -- you still have to use it to set up and manage individual rules.

2) 2.6.x indeed supports many components of netfilter out of the box,
however there is still patch-o-matic-ng which can still add functionality
not yet in the kernel or in userspace.

3) No, you do not need patches from newnat-suite by default, you need
ip_conntrack_h323 and ip_nat_h323, although you might need newnat if your
iptables is really old.

I'm using iptables-1.2.9-5mdk.i586.rpm on LM10.0. The latest on www.netfilter.org is 1.2.9. I guess those 2 modules are included in 1.2.9?

Keep in mind that *support* of netmeeting in this case is a loose
terminology -- I believe that several functionalities are not covered by
the h323 patches.

All I wanted is the ability to see video & audio for both incoming and outgoing calls. Is that supported in iptables-1.2.9? Do I need to apply pom-ng on top of iptables?

Looking at my kernel tarball, the bare 2.6.3 kernel does NOT include the h323 modules. I would say you need patches in p-o-m -- I'm not sure if mandrake has a package for p-o-m or not, but yes you need to add h323 modules.

I just downloaded 2.6.5; may I ask where I should check to see if the h323 modules are included? On www.netfilter.org, I see pom-20031219 and pomng-20040302. Is it safe to assume that pomng includes pom?


IIRC, netmeeting should provide video/audio with conntrack and nat of h323 and relevant
ESTABLISHED,RELATED rules -- be aware that you may not be able to receive
calls inside the firewall unless you forward the inbound connection requests. The
gnomemeeting website has some good rules on their faq pages that can help
with netmeeting requests as well. Check out openh323.org for gatekeeper applications
that can act as proxy for connection requests, thus mitigating functionality problems.
MS netmeeting also uses UPNP -- this protocol has been discussed on this list previously,
and you might want to read up on that as well.
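The two practical steps discussed in this thread -- checking whether a kernel tree actually carries the h323 helper, and the ESTABLISHED,RELATED plus inbound-forwarding rules that let netmeeting work through the firewall -- as an added shell example. This is not code from the thread or from the netfilter project; the module names ip_conntrack_h323 and ip_nat_h323 are the ones named above, TCP port 1720 is the standard H.225 call-setup port that the h323 helper watches, and the interface names and the internal netmeeting host passed to the functions are placeholders.

```shell
#!/bin/sh
# Added example for the 2.6.x-era netfilter discussed in the thread.
# Assumptions: the h323 helper is called ip_conntrack_h323 / ip_nat_h323
# (the thread's names; later kernels renamed it nf_conntrack_h323), the
# firewall masquerades a LAN behind one WAN interface, and the netmeeting
# box on the LAN is a fixed, placeholder address passed in by the caller.

# h323_in_tree TREE: return 0 if an unpacked kernel source tree (or a
# /lib/modules/<ver> directory) contains the h323 conntrack/nat helper.
# This answers "where do I check if the h323 modules are included?":
# if nothing matches, the helper must come from patch-o-matic.
h323_in_tree() {
    find "$1" -type f \( -name 'ip_conntrack_h323*' \
                         -o -name 'ip_nat_h323*' \
                         -o -name 'nf_conntrack_h323*' \) 2>/dev/null \
        | grep -q .
}

# h323_rules LAN_IF WAN_IF NM_HOST: print the commands needed, one per
# line, without running anything. Printing first lets the ruleset be
# reviewed (or piped through a diff) before it touches a live firewall.
h323_rules() {
    lan="$1"; wan="$2"; host="$3"
    cat <<EOF
modprobe ip_conntrack_h323
modprobe ip_nat_h323
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1720 -j DNAT --to-destination $host
iptables -A FORWARD -i $wan -o $lan -p tcp -d $host --dport 1720 -m state --state NEW -j ACCEPT
EOF
}
# Why these lines: outgoing calls only need the NEW rule plus MASQUERADE;
# the h323 helper then marks the H.245 and RTP/RTCP streams it sees in the
# call signalling as RELATED, so the single ESTABLISHED,RELATED rule admits
# them. Incoming calls additionally need the 1720 DNAT and its FORWARD rule,
# which is the "forward the inbound connection requests" point made above.
# Nothing else is opened: media ports are never statically forwarded.

# apply_h323_rules LAN_IF WAN_IF NM_HOST: run the printed commands.
# Guarded by APPLY_H323=1 and root so that sourcing this file is harmless.
apply_h323_rules() {
    if [ "${APPLY_H323:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        h323_rules "$1" "$2" "$3" | sh -e
    else
        echo "dry run: set APPLY_H323=1 and run as root to apply" >&2
        h323_rules "$1" "$2" "$3"
    fi
}
```

Typical use is `sh -c '. ./h323.sh; h323_in_tree /usr/src/linux-2.6.5 && echo helper present'` to check a tree, then `APPLY_H323=1 ./h323.sh` style invocation of `apply_h323_rules eth1 eth0 192.168.1.10` once the printed rules have been reviewed.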

Thank you so much. I will read up on them.


Regards,
Norman

