On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>> 1. ALG will allow wan to lan calls ? No need for specific iptables
>> forwarding rule if alg is needed ?
>
> Yes. That's the point for a helper.

I thought the ALG will install the related connection tuple if a connection goes through. What I meant is: suppose an FTP connection (active) is attempted from the lan-to-wan side (it will go through as per iptables). When this hits ip_conntrack_confirm at the POSTROUTING chain, it will install the tuple for the expected connection. Once a pkt comes from the wan side, it will be a related connection and accepted. Since here the pkt is from wan-to-lan and is blocked by iptables, how did the ALG get triggered without any pkt flow?

Thanks,
Ratheesh

On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, 22 Jun 2010, ratheesh k wrote:
>
>> I have following RULES .
>>
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i lan0 -j ACCEPT
>> iptables -A INPUT -j DROP
>>
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT
>> iptables -A FORWARD -j DROP
>>
>> iptables -A OUTPUT -j ACCEPT
>>
>> But I am able to make H323 calls from lan to wan & wan to lan .
>>
>> 1. ALG will allow wan to lan calls ? No need for specific iptables
>> forwarding rule if alg is needed ?
>
> Yes. That's the point for a helper.
>
>> 2. Is there any way in H323 to have calls without support of ALG (
>> like passive ftp ? )
>
> No.
>
> But you can setup a H.323 gatekeeper in proxy mode and then configure
> it to force the clients into given port ranges.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
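
The active-FTP sequence described in the message above, as an added example that is not part of the original thread and not netfilter code: a toy Python model that evaluates the quoted FORWARD chain against a connection table plus a helper-installed expectation. The class and function names, addresses and ports are hypothetical and constructed for illustration; NAT and timeouts are not modelled.

```python
# Toy model of conntrack expectations; not kernel code, all names hypothetical.
from collections import namedtuple

Pkt = namedtuple("Pkt", "in_if out_if src sport dst dport")  # TCP only

class Conntrack:
    def __init__(self):
        self.flows = set()    # confirmed connections, both directions
        self.expects = set()  # (src, dst, dport) tuples installed by a helper

    def classify(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ESTABLISHED"
        if (p.src, p.dst, p.dport) in self.expects:
            return "RELATED"
        return "NEW"

    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        self.flows.add((p.dst, p.dport, p.src, p.sport))
        self.expects.discard((p.src, p.dst, p.dport))  # expectation is used once

def ftp_helper(ct, ctrl, data_port):
    # The helper reads the PORT command on the accepted control connection
    # and expects the server to connect back to the client on data_port.
    ct.expects.add((ctrl.dst, ctrl.src, data_port))

def forward(ct, p):
    """FORWARD chain from the quoted ruleset, evaluated top to bottom."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):          # -m state ... -j ACCEPT
        verdict = "ACCEPT"
    elif p.in_if == "lan0" and p.out_if == "wan0":   # -i lan0 -o wan0 -j ACCEPT
        verdict = "ACCEPT"
    else:                                            # -j DROP
        verdict = "DROP"
    if verdict == "ACCEPT":
        ct.confirm(p)
    return state, verdict

def demo():
    ct = Conntrack()
    client, server = "192.168.1.10", "203.0.113.5"   # constructed addresses
    ctrl = Pkt("lan0", "wan0", client, 40000, server, 21)
    data = Pkt("wan0", "lan0", server, 20, client, 50000)
    results = [forward(ct, data)]      # before any control traffic
    results.append(forward(ct, ctrl))  # LAN -> WAN control connection
    ftp_helper(ct, ctrl, 50000)        # PORT command seen on that connection
    results.append(forward(ct, data))  # expected data connection
    results.append(forward(ct, data._replace(dport=50001)))  # not expected
    return results
```

In this model a WAN-to-LAN packet is accepted only when it matches a tuple that a helper installed while inspecting an already accepted connection; the same packet sent before that connection exists, or to a port the helper did not announce, falls through to the final DROP.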