Re: [GnomeMeeting-list] Gnomemeeting and firewall rules?



I finally got my setup to work (Kernel 2.4.17 + newnat7 from CVS);
but you need to disable 'H.245 tunneling' for ip_nat_h323 to work.

(And hence also allow inbound UDP ports 1024-65535)

The H.245 packets are apparently not being mangled if they are tunneled
within the TCP/1720 connection.

I can now send and receive audio and video over my firewall :)

On 5 Mar 2002, Jeffrey Bell wrote:

> Hi,
> 
> I am running a debian box, kernel 2.4.17 with gm-0.12.2, I sit behind a
> debian firewall also running 2.4.17 using iptables. I have used the
> "patch-o-matic" to apply the cvs version of the newnat-0.7 patch to the
> firewall box. I recompile, reboot and have edited the firewall ruleset
> so upon a initialization the firewall loads the ip_conntrack_h323 and
> ip_nat_h323 modules. 
> 
> lsmod shows:
> 
> ip_conntrack_h323 2144 1 (autoclean)
> ip_nat_h323 2496 0 (unused)
> ip_conntrack 15244  10 (autoclean) [ip_nat_irc ip_conntrack_irc
> ip_nat_ftp ip_conntrack_ftp ip_conntrack_h323 ip_nat_h323 ipt_MASQUERADE
> iptable_nat ipt_state]
> 
> is the above ip_nat_h323 (unused) correct?
> 
> <snip..snip> firewall script
> 
> /sbin/modprobe ip_tables
> /sbin/modprobe iptable_filter
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_nat_h323
> /sbin/modprobe ip_conntrack_h323
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
> /sbin/modprobe ip_nat_irc ports=$IRCPORTS
> 
> I have found these two rules from the net somewhere regarding firewall
> and gm,
> 
> $IPTABLES -A INPUT -p tcp -i $EXTIF --dport 1720 -j ACCEPT
> $IPTABLES -t nat -I PREROUTING -i $EXTIF -p tcp --dport 1720 \
>     -j DNAT --to-destination 192.168.1.9:1720
> 
> now the 192.168.1.9:1720 is my internal IP of the workstation I am
> running gm on. By the way, this machine is a dhcp client which I have
> recently disabled because of this rule, anyway around this --to
> 192.168.1.9:1720?
> 
> Now my understanding is that if I enable h.245 tunneling from within gm
> that I don't have to worry about opening a couple ports or so. I know
> nm/gm has a few different ports to open in order to work and that the
> modules are supposed to assist in this regard.
> 
> I have seen and received video and have been told that I have sent audio
> to someone who is running netmeeting on a windows box. I have yet to
> receive any audio from anyone. I run gnome with esd sound, I have to
> disable (kill) esd in order to use gm, I understand that I should use
> ALSA sound daemon instead of esd.
> 
> My question, are my firewall rules, shown above, with the h.245 tunneling
> enabled in gm, set up correctly to enable audio/video both way?
> 
> What is everybody else doing with regards to gm behind a firewall?
> 
> 

-- 
Ivo Clarysse               PGP key: DF533D7C           <soggie soti org>

H.R. Leuven 107057
BTW: BE 708.837.396
Rek: 735-0029047-32                         http://www.soti.org/~soggie/
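An added example, not written by either poster in this thread, that puts the two pieces of the discussion (the DNAT of TCP/1720 to the GnomeMeeting host, and the helper-versus-wide-UDP-range choice) into one dry-run script. Everything in it is an assumption for illustration: the external interface is eth0, the gm workstation is 192.168.1.9, and IPTABLES/MODPROBE default to echo so the script only prints what it would do; set IPTABLES=/sbin/iptables and MODPROBE=/sbin/modprobe as root to apply it.

```shell
#!/bin/sh
# Added example (not from the original thread): dry-run generator for the
# iptables rules an H.323 client behind a NAT box needs. All names below are
# assumptions: eth0 as external interface, 192.168.1.9 as the gm host.
# Pin that address with a DHCP reservation so the DNAT target stays valid.

IPTABLES="${IPTABLES:-echo iptables}"   # replace with /sbin/iptables to apply
MODPROBE="${MODPROBE:-echo modprobe}"   # replace with /sbin/modprobe to apply
EXTIF="${EXTIF:-eth0}"
GM_HOST="${GM_HOST:-192.168.1.9}"

load_h323_helpers() {
    # conntrack helper before the NAT helper that depends on it
    for m in ip_tables iptable_filter iptable_nat ip_conntrack \
             ip_conntrack_h323 ip_nat_h323; do
        $MODPROBE "$m"
    done
}

gm_firewall_rules() {
    # H.225 call signalling arrives on TCP/1720: rewrite it to the gm host.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 1720 \
        -j DNAT --to-destination "$GM_HOST:1720"

    # A DNAT'd packet is forwarded, not delivered locally, so the rule that
    # admits it belongs in FORWARD (an INPUT rule for 1720 would not match it).
    $IPTABLES -A FORWARD -i "$EXTIF" -p tcp -d "$GM_HOST" --dport 1720 -j ACCEPT

    # Connections the h323 helper learns from the signalling channel are
    # flagged RELATED, so this single rule admits exactly the negotiated
    # media/H.245 ports and nothing else.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Fallback for when the helper cannot see H.245 (tunnelled inside
    # TCP/1720): open the whole unprivileged UDP range to the gm host.
    # Emitted only on request, because it is far broader than the helper path.
    if [ "${GM_OPEN_UDP_RANGE:-0}" = "1" ]; then
        $IPTABLES -A FORWARD -i "$EXTIF" -p udp -d "$GM_HOST" \
            --dport 1024:65535 -j ACCEPT
    fi
}

load_h323_helpers
gm_firewall_rules
```

Run it as-is to review the generated rules; export GM_OPEN_UDP_RANGE=1 only if you have to keep H.245 tunnelling enabled and accept the wider exposure that comes with it.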