>> On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik
>> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> You allow clients on the LAN to connect outside and enable bidirectional
> connections. After that any side of the connection can issue correct H.323
> protocol commands and trigger expectations in any direction.

Could you please explain in detail? How do TCP SYN packets come from the WAN
side and hit ip_conntrack_in()?

Thanks,
Ratheesh

On Tue, Jun 22, 2010 at 6:12 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, 22 Jun 2010, ratheesh k wrote:
>
>> On Tue, Jun 22, 2010 at 5:21 PM, Jozsef Kadlecsik
>> <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>> >> 1. ALG will allow WAN to LAN calls? No need for a specific iptables
>> >> forwarding rule if ALG is needed?
>> >
>> > Yes. That's the point for a helper.
>>
>> I thought the ALG will install a related connection tuple if a
>> connection is through.
>> What I meant is: suppose an FTP connection (active) is tried to be
>> made from the LAN-to-WAN side (it will go through as per iptables).
>
> No, active/passive FTP connections are not "tried". The corresponding FTP
> command is issued in the command channel and that is interpreted by the
> FTP helper, which then adds a connection expectation to conntrack - and
> which you allow through by the "-m state --state RELATED -j ACCEPT" rule.
> The same happens with H.323.
>
>> Since here the pkt is from WAN-to-LAN and is blocked by
>> iptables. How does the ALG get triggered without any pkt flow?
>
> You allow clients on the LAN to connect outside and enable bidirectional
> connections. After that any side of the connection can issue correct H.323
> protocol commands and trigger expectations in any direction.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
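To make the mechanism Jozsef describes concrete, here is an added Python model of conntrack states and helper expectations; it is an illustration written for this page, not netfilter code and not from anyone in the thread. The addresses, ports and the single expectation registered by the "helper" are constructed; the FORWARD policy modelled is the usual "RELATED,ESTABLISHED accept, NEW only from the LAN, drop the rest".

```python
# Added illustration (not netfilter code): a tiny model of conntrack
# expectations, showing why a WAN-side SYN can be ACCEPTed as RELATED by a
# FORWARD policy that only lets the LAN open NEW connections.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def is_lan(ip):                       # constructed LAN prefix
    return ip.startswith("192.168.1.")

class Conntrack:
    def __init__(self):
        self.flows = set()            # tuples of connections already accepted
        self.expectations = []        # (src, dst, dport); src None = any source

    def expect(self, src, dst, dport):
        # A helper parsed a protocol message on an accepted master flow and
        # registered the address/port the *other* side is about to connect to.
        self.expectations.append((src, dst, dport))

    def classify(self, p):
        # Runs on every packet, in either direction, before any filter rule.
        if p in self.flows or Pkt(p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ESTABLISHED"
        for src, dst, dport in self.expectations:
            if (src is None or src == p.src) and (dst, dport) == (p.dst, p.dport):
                return "RELATED"
        return "NEW"

def forward(ct, p):
    """Model of: -m state --state RELATED,ESTABLISHED -j ACCEPT; then
    NEW from LAN -j ACCEPT; policy DROP.  Returns (verdict, state)."""
    state = ct.classify(p)
    if state in ("RELATED", "ESTABLISHED") or (state == "NEW" and is_lan(p.src)):
        ct.flows.add(p)               # conntrack confirms the flow on ACCEPT
        return "ACCEPT", state
    return "DROP", state

def scenario():
    """Replays the thread's case; returns the verdicts in order."""
    ct = Conntrack()
    lan, wan = "192.168.1.10", "203.0.113.5"       # constructed addresses
    out = [forward(ct, Pkt(lan, 40000, wan, 1720)),  # LAN opens the call channel
           forward(ct, Pkt(wan, 1720, lan, 40000))]  # reply is ESTABLISHED
    back = Pkt(wan, 5555, lan, 50000)                # WAN-initiated SYN
    out.append(forward(ct, back))                    # no expectation: NEW, DROP
    ct.expect(wan, lan, 50000)  # helper saw lan:50000 announced on the call channel
    out.append(forward(ct, back))                    # same SYN is now RELATED
    return out
```

Conntrack classifies the SYN before the FORWARD chain sees it, so the helper's expectation is what turns a WAN-side NEW into RELATED; limiting which flows get a helper assigned limits who can create such expectations.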