Re: [GnomeMeeting-list] Gnomemeeting and firewall rules?
- From: Ivo Clarysse <soggie soti org>
- To: gnomemeeting-list gnome org
- Subject: Re: [GnomeMeeting-list] Gnomemeeting and firewall rules?
- Date: Wed, 6 Mar 2002 00:10:20 +0100 (CET)
I finally got my setup to work (Kernel 2.4.17 + newnat7 from CVS);
but you need to disable 'H.245 tunneling' for ip_nat_h323 to work.
(And hence also allow inbound UDP ports 1024-65535)
The H.245 packets are apparently not being mangled if they are tunneled
within the TCP/1720 connection.
I can now send and receive audio and video over my firewall :)
On 5 Mar 2002, Jeffrey Bell wrote:
> Hi,
>
> I am running a debian box, kernel 2.4.17 with gm-0.12.2, I sit behind a
> debian firewall also running 2.4.17 using iptables. I have used the
> "patch-o-matic" to apply the cvs version of the newnat-0.7 patch to the
> firewall box. I recompile, reboot and have edited the firewall ruleset
> so upon initialization the firewall loads the ip_conntrack_h323 and
> ip_nat_h323 modules.
>
> lsmod shows:
>
> ip_conntrack_h323 2144 1 (autoclean)
> ip_nat_h323 2496 0 (unused)
> ip_conntrack 15244 10 (autoclean) [ip_nat_irc ip_conntrack_irc
> ip_nat_ftp ip_conntrack_ftp ip_conntrack_h323 ip_nat_h323 ipt_MASQUERADE
> iptable_nat ipt_state]
>
> is the above ip_nat_h323 (unused) correct?
>
> <snip..snip> firewall script
>
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_nat_h323
> /sbin/modprobe ip_conntrack_h323
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> /sbin/modprobe ip_nat_irc ports=$IRCPORTS
>
> I have found these two rules from the net somewhere regarding firewall
> and gm,
>
> $IPTABLES -A INPUT -p tcp -i $EXTIF --dport 1720 -j ACCEPT
> $IPTABLES -t nat -I PREROUTING -i $EXTIF -p tcp --dport 1720 \
>     -j DNAT --to 192.168.1.9:1720
>
> now the 192.168.1.9:1720 is my internal IP from the workstation I am
> running gm on. By the way, this machine is a dhcp client which I have
> recently disabled because of this rule, any way around this --to
> 192.168.1.9:1720?
>
> Now my understanding is that if I enable h.245 tunneling from within gm
> that I don't have to worry about opening a couple ports or so. I know
> nm/gm has a few different ports to open in order to work and that the
> modules are supposed to assist in this regard.
>
> I have seen and received video and have been told that I have sent audio
> to someone who is running netmeeting on a windows box. I have yet to
> receive any audio from anyone. I run gnome with esd sound, I have to
> disable (kill) esd in order to use gm, I understand that I should use
> ALSA sound daemon instead of esd.
>
> My question, are my firewall rules, shown above, with the h.245 tunneling
> enabled in gm, set up correctly to enable audio/video both way?
>
> What is everybody else doing with regards to gm behind a firewall?
>
>
--
Ivo Clarysse PGP key: DF533D7C <soggie soti org>
H.R. Leuven 107057
BTW: BE 708.837.396
Rek: 735-0029047-32 http://www.soti.org/~soggie/
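The ruleset both messages circle around, written out as an added example (this is not code from either poster nor from the GnomeMeeting project). It assumes the module names and the 192.168.1.9 host from the thread; the interface name, the DRY_RUN switch and the function names are illustrative. Two points worth having in one place: a packet DNATed in PREROUTING to an inside host traverses the FORWARD chain, not INPUT, so the ACCEPT has to be on FORWARD; and when ip_conntrack_h323 can actually read the H.245 exchange (tunneling off, as Ivo found) it registers the negotiated RTP/RTCP flows as expected connections, which a `--state RELATED` rule then admits, so the blanket UDP 1024-65535 allow is only a fallback and should at least be pinned to the one host.

```shell
#!/bin/sh
# Example H.323 NAT/firewall ruleset for a 2.4 iptables box with the
# newnat ip_conntrack_h323 / ip_nat_h323 helpers. Added illustration, not
# the posters' or the project's own script. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 as root applies them.
EXTIF="${EXTIF:-eth0}"                 # assumed external interface name
GM_HOST="${GM_HOST:-192.168.1.9}"      # GnomeMeeting host from the thread
IPTABLES="${IPTABLES:-iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
DRY_RUN="${DRY_RUN:-1}"

# Either echo a command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Load the connection-tracking modules first, then the helpers that hook
# into them: the NAT helper depends on the conntrack helper's expectations.
load_h323_helpers() {
    run "$MODPROBE" ip_conntrack
    run "$MODPROBE" iptable_nat
    run "$MODPROBE" ip_conntrack_h323
    run "$MODPROBE" ip_nat_h323
}

# Call setup arrives on TCP/1720. Forward it to the GnomeMeeting host and
# let the helper-registered media streams through as RELATED traffic.
h323_rules() {
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 1720 \
        -j DNAT --to-destination "$GM_HOST:1720"
    # DNATed packets go through FORWARD, not INPUT.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp -d "$GM_HOST" --dport 1720 \
        -m state --state NEW -j ACCEPT
    # UDP RTP/RTCP flows negotiated inside the call match RELATED once the
    # conntrack helper has parsed H.245 (requires tunneling disabled in gm).
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Fallback only: if the helper cannot see H.245 (tunneled inside TCP/1720),
# the media ports cannot be predicted. Open the dynamic range, but only
# towards the single H.323 host, never the whole LAN.
h323_fallback_udp_rules() {
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p udp --dport 1024:65535 \
        -j DNAT --to-destination "$GM_HOST"
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -p udp -d "$GM_HOST" \
        --dport 1024:65535 -j ACCEPT
}

load_h323_helpers
h323_rules
# Set ALLOW_UDP_FALLBACK=1 only while the helper is known not to work.
if [ "${ALLOW_UDP_FALLBACK:-0}" = "1" ]; then
    h323_fallback_udp_rules
fi
```

Run it once with the default dry run to read the generated commands, then with `DRY_RUN=0` as root to apply them. If the host gets its address from DHCP, the `--to-destination` target has to be a stable address, which is a DHCP-server-side concern rather than something iptables can solve.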