Re: h323 & nat, again

On May 17, 2004 10:36 pm, pengjie wrote:
> Sorry for the HTML format; now I post it again.
>
> I have read many documents but I didn't find the answer.
>
> I have a network as follows:
>
>         A------------------B====================C
> 192.168.110.x  192.168.110.y  202.101.k.m     202.101.k.n
>
> B is a gateway doing NAT. Its eth0 is 192.168.110.y and eth1 is
> 202.101.k.m. It runs RH9 with kernel 2.4.21. I have patched in the h323
> support and loaded the modules ip_conntrack_h323 and ip_nat_h323.
>
> A and C are NetMeeting clients.
>
> I tested it with two methods:
>
> 1) Both A and C log on to an ILS.
>
> RESULTS:
> A calling C is OK, and they can chat with each other.
>
> C calling A fails; I see the address called is the private address of A,
> so setup fails.
>
>
> QUESTION: doesn't the patch do something when the client logs on to an ILS?
>
> 2) Call each other without the ILS.
>
> I add a rule: iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport
> --dports 1503,1720 -j DNAT --to-destination 192.168.110.x
>
> They call each other by IP address. A calls C with C's IP as the
> destination, and C calls A with the gateway's valid IP as the destination.
>
> RESULTS:
> A calling C is OK, and they can chat with each other.
> C calling A is OK, but they can't chat with each other.
>
> QUESTION: is the rule right? The H.323 streaming port is dynamic; does that
> cause this symptom? Even if I add the rule correctly, I think it's no use;
> it just enables one client to go through the gateway. Is that so?
>
> Any help is appreciated.

	PREROUTING DNAT to a client is only good for one session at a time.
	Please note that MS NetMeeting uses other ports as well...
	I've noted that the rules for GnomeMeeting work just fine for a couple of
	'local LAN' firewalls that use MS NetMeeting, where I've assisted in getting
	it working.  Keep in mind that it also uses UPnP -- which will cause you
	no end of grief.  There is an open source UPnP gateway out there that
	I've heard of but never worked with; it has been mentioned here, but most
	consider it a *GREAT GAPING* security hole in a firewall.

	Consider that one of the points you raised is that the ILS connection reports
	the INSIDE IP address of the client to the connecting partner.  Perhaps you
	should arrange some method to have the *client* report its outside IP address
	to the ILS rather than its inside IP.  (GnomeMeeting allows for this.)  The
	ONLY instance where I've managed to get several internal clients to be
	accessible from outside has been using GnomeMeeting, hacking the gconf files
	for each client to have them *listening* on different ports, and forwarding
	each port from the firewall.  I believe there are registry hacks to do the
	same in MS NetMeeting, but I have not researched it.

	For what it's worth, I rarely use MS anymore for my personal system, but do
	have Win boxen inside my firewall (other half, kids, game box, and in order
	to support several dozen personal-system clients).  I use GnomeMeeting
	through my firewall -- I've added the rules on the GnomeMeeting site to my
	firewall for the appropriate boxes -- and it 'just works' through 2.6.x
	with the GnomeMeeting rules for each of three boxes.  I've yet to have
	more than one connection active at a time.

	As an aside... Is *anyone* working on porting the h323 (conntrack/nat)
	patches to 2.6.x? -- or is this something I might like to attempt sometime
	in the near future?


	Alistair Tonner 
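Alistair's point that one PREROUTING DNAT serves only one inside client, and his workaround of a distinct forwarded port per client, as an added example that is not part of either message in the thread. The script below only generates the iptables commands for the gateway layout in the question (it does not apply them, so it runs without root); the interface name eth1, the public address 202.101.0.1 and the inside addresses 192.168.110.10/.11 are constructed placeholders for the k.m and x ranges in the question, and it assumes, as the question does, that ip_conntrack_h323/ip_nat_h323 translate the dynamic H.245 and RTP ports once the 1720 call-setup connection has been DNATed. Whether the helper still attaches to a call that arrives on a non-1720 external port is something to verify on the gateway itself; the script does not check it.

```shell
#!/bin/sh
# Added example (not from the thread): emit per-client port-forward rules
# for H.323 endpoints behind a netfilter NAT gateway, one external port per
# inside client as Alistair describes.  Nothing is applied; the functions
# only print iptables commands, so they run without root.
# Assumed/constructed: eth1 as the public interface, the addresses used in
# main(), and that ip_conntrack_h323/ip_nat_h323 handle the dynamic
# H.245/RTP ports after the 1720 call-setup connection is DNATed.

# h323_check_unique "EXT_PORT:INSIDE_IP:INSIDE_PORT" ...
# Fails if two mappings share an external port.  A second DNAT rule for the
# same port never matches, which is the "only one client" limit of the
# original rule (all of 1720 and 1503 sent to a single 192.168.110.x).
h323_check_unique() {
    dups=$(for map in "$@"; do echo "${map%%:*}"; done | sort | uniq -d)
    [ -z "$dups" ]
}

# h323_forward_rules EXT_IF PUBLIC_IP "EXT_PORT:INSIDE_IP:INSIDE_PORT" ...
# Prints, per mapping, a PREROUTING DNAT rule and the matching FORWARD accept.
h323_forward_rules() {
    ext_if=$1; public_ip=$2; shift 2
    h323_check_unique "$@" || { echo "duplicate external port" >&2; return 1; }
    # The helper modules must be loaded before any call is set up, or the
    # ports negotiated inside the signalling stream are not translated.
    echo "modprobe ip_conntrack_h323"
    echo "modprobe ip_nat_h323"
    for map in "$@"; do
        ext_port=${map%%:*}
        rest=${map#*:}
        inside_ip=${rest%%:*}
        inside_port=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $ext_if -d $public_ip -p tcp" \
             "--dport $ext_port -j DNAT --to-destination $inside_ip:$inside_port"
        echo "iptables -A FORWARD -i $ext_if -p tcp -d $inside_ip" \
             "--dport $inside_port -j ACCEPT"
    done
}

# Two NetMeeting clients: both listen on 1720 (H.323 call setup) and 1503
# (T.120 data), so the second client gets the next external port for each.
# Addresses are constructed placeholders, not the thread's real ones.
main() {
    h323_forward_rules eth1 202.101.0.1 \
        1720:192.168.110.10:1720 1503:192.168.110.10:1503 \
        1721:192.168.110.11:1720 1504:192.168.110.11:1503
}

main
```

Run it on the gateway as `sh rules.sh | sh` to apply the printed commands. The outside caller then dials the gateway's public address with the per-client external port (e.g. 202.101.0.1:1721 for the second client), exactly the arrangement Alistair describes for GnomeMeeting's per-client listening ports.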
