Re: [GnomeMeeting-list] video conferencing config ???



Ok I am completely right with what you say but let's take a look at your
example

IPTABLES=/usr/local/sbin/iptables
OUT_DEV=ppp0
IN_HOST=192.168.1.12
TCP_PORT_RANGE=30000:30010
UDP_PORT_RANGE=5000:5003
TCP_LISTENING_PORT=1720
$IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-dest $IN_HOST
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p udp --dport $UDP_PORT_RANGE -j DNAT --to-dest $IN_HOST
$IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $OUT_DEV --dport $UDP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $OUT_DEV -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-dest $IN_HOST
$IPTABLES -A FORWARD -p tcp -i $OUT_DEV --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT

- you specify 1 ip address ( I have 15 users using webcams and / or audio )
- for port 1720, you make dnat AND forward .... for what reason. Let's
  imagine I have three users using GnomeMeeting at the same time.
  To which host do I have to redirect packets ???
- same thing with ports 30000:30010. Even if I use different port on each
  workstation, how can I say in my iptables config, to redirect which port
  to which host ???

and the same thing to the rest ???

So I am sorry but I don't imagine how I can use your script in my situation
???
Thanks for giving me more explanations ...

Vincent

----- Original Message -----
From: "Damien Sandras" <dsandras seconix com>
To: <gnomemeeting-list gnome org>
Sent: Wednesday, November 13, 2002 10:27 PM
Subject: Re: [GnomeMeeting-list] video conferencing config ???


Pay attention that the H323 NAT module is broken with GnomeMeeting and
with Netmeeting too.

I suggest you read this part of the FAQ:
http://www.gnomemeeting.org/index.php?rub=3&pos=0#AEN192

Given the fact that GnomeMeeting can run behind firewalls/nat gateways
with simple port forwarding, I don't think you need DMZs. For
Netmeeting, you will have to use a gatekeeper (there is an error in the
FAQ, external users can call you even without registering to your GK if
you configure it that way).


On Wed 13/11/2002 at 21:48, vincent blondel wrote:
> Hi all,
>
> I just subscribed on this mailing-list because I got some questions to
> implement a video conferencing infrastructure.
> I give you below a graphical representation of our network. We want to
> authorize h.323 traffic from and to domains dev1 and dev2.
>
> I searched on the net for examples of such a configuration but I didn't
> find it. I found well some explanations on some subjects as GnomeMeeting,
> firewall, nat h.323 but not all this together.
>
> I will first begin by giving you an explanation on our situation.
> - The communication between the lan domains and the internet pass through
>   one DMZ zone
> - DMZ is made by two servers running slackware 8.0
> - DMZ1 is configured with kernel 2.4.18 patched with patch-o-matic20020825
>   and iptables is upgraded to 1.2.7a so I got modules to make h.323 nat
> - dev1 and dev2 communicates with dmz through hardware switch/nat/firewall
>   SMC7008BR ( I don't think they have nat h323 incorporated )
> - we have several clients with linux and/or windows stations running
>   Gnomemeeting and/or Netmeeting
> ... and finally we want to open webcams from DEV1 and DEV2 to the net.
>
>           10.66.0.xxx
>      +---------------+
>      |   SMC7008BR   |
>      +---------------+
>           10.66.1.xxx
>               DEV2
>             |        |
>   +---------+-+   +--+--------+
>   | slack 8.0 |   | Slack 8.0 |
>   +-----------+   +-----------+
>                   192.168.0.xxx   +-----+       10.66.0.xxx
>                                   | pp0 |  +---------------+
>                                   +--+--+  |   switch      |
>                                      |     +---------------+
>                                               DMZ
>                                      +-------+  +-------------+
>                                      | DMZ2  |  |  DMZ1       |
>                                      |       |  |             |
>                                      |  NS2  |  | NS1         |
>                 10.66.0.xxx          |  HTTP2|  | HTTP1       |
>            +---------------+         +-------+  | FTP         +--ISP
>            |   SMC7008BR   |                    | SMTP        |
>            +---------------+                    +-------------+
>               192.168.0.xxx                      192.168.0.xxx
>                   DEV1
>              |          |
>  +-----------+-+      +-+---------+
>  |   linux     | .... |    w2k    |
>  +-------------+      +-----------+
>   GnomeMeeting         NetMeeting
>
>
>
> So my problems are the following:
>
> - I found on the net this configuration for module ip_nat_h323
>   #! /bin/bash
>   EXTERNAL_IF=eth0
>   EXTERNAL_IP=mon.ip.pub.lic
>   PCA_HOST=mon.ip.pri.vee
>
>   IPTABLES=/usr/local/sbin/iptables
>
>   /sbin/modprobe -a -k -s -v ip_nat_h323
>
>   logger -s "H323 Ports"
>   H323_PORTS="389 522 1503 1720 1731 8080"
>   for PORT in $H323_PORTS; do
>   $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p tcp -d $EXTERNAL_IP \
>   --dport $PORT -m state --state NEW,ESTABLISHED,RELATED \
>   -j DNAT --to-destination $PCA_HOST -v
>   done
>
>   logger -s "H323 Ports"
>   H323_PORTS="389 522 1503 1720 1731 8080"
>   for PORT in $H323_PORTS; do
>   $IPTABLES -t nat -A PREROUTING -i $EXTERNAL_IF -p udp -d $EXTERNAL_IP \
>   --dport $PORT -m state --state NEW,ESTABLISHED,RELATED \
>   -j DNAT --to-destination $PCA_HOST -v
>   done
>
> It is a very good example but this configuration concerns config with one
> client running Gnomemeeting and/or Netmeeting
>
> - so maybe solution for above problem is maybe to configure on DMZ1 or DMZ2
>   a h323 Gatekeeper ???
>   but in this case, do I have to replace in the above script $PCA_HOST by
>   DMZ1 ip address so 10.66.0.1
> - and finally, if I have to configure a h323 GateKeeper, what do you think
>   about these ones :
>     http://www.gnugk.org/h323develop.html or this one http://www.gnugk.org/
>
> If one of you is using such a config, help, suggestions and remarks will
> be appreciated.
>
> Thanks in advance
> Vincent
--
  _
 (o-      SANDRAS Damien
 //\
 v_/_     Check Out Gnome Meeting !
          http://www.gnomemeeting.org/



_______________________________________________
GnomeMeeting-list mailing list
GnomeMeeting-list gnome org
http://mail.gnome.org/mailman/listinfo/gnomemeeting-list
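
Added example (not part of the original messages or of the GnomeMeeting FAQ): one way to extend the single-host forwarding script quoted at the top of this message to several workstations is to assign each one its own listening port and port ranges, reject any table in which two hosts claim the same port, and emit one DNAT/FORWARD pair per range. The host table, the extra ports 1721 and 1722, and the function names are assumptions; it presumes each client can be set to use its assigned ports, and it only prints the rules.

```shell
# Added example: prints (does not apply) per-host DNAT/FORWARD rules.
OUT_DEV=ppp0
# Constructed table: internal IP, TCP listening port, TCP range, UDP range.
# Assumption: each workstation's client is set to use exactly these ports.
HOSTS='192.168.1.12 1720 30000:30010 5000:5003
192.168.1.13 1721 30011:30021 5004:5007
192.168.1.14 1722 30022:30032 5008:5011'

# ranges_overlap LO:HI LO:HI -> status 0 when the ranges share a port
ranges_overlap() {
    a_lo=${1%:*}; a_hi=${1#*:}; b_lo=${2%:*}; b_hi=${2#*:}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}
# check_table TABLE -> status 1 if two hosts claim the same gateway port
check_table() {
    tcp_seen=""; udp_seen=""
    while read -r ip listen tcp udp; do
        for r in $tcp_seen; do
            if ranges_overlap "$r" "$listen:$listen" || ranges_overlap "$r" "$tcp"; then
                echo "TCP port clash for $ip" >&2; return 1
            fi
        done
        for r in $udp_seen; do
            if ranges_overlap "$r" "$udp"; then
                echo "UDP port clash for $ip" >&2; return 1
            fi
        done
        tcp_seen="$tcp_seen $listen:$listen $tcp"; udp_seen="$udp_seen $udp"
    done <<EOF
$1
EOF
}

# emit_rules TABLE -> prints the rule set, or fails if the table clashes
emit_rules() {
    check_table "$1" || return 1
    echo "iptables -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE"
    while read -r ip listen tcp udp; do
        for spec in "tcp $listen" "tcp $tcp" "udp $udp"; do
            proto=${spec% *}; ports=${spec#* }
            echo "iptables -t nat -A PREROUTING -i $OUT_DEV -p $proto --dport $ports -j DNAT --to-destination $ip"
            echo "iptables -A FORWARD -i $OUT_DEV -p $proto --dport $ports -d $ip -j ACCEPT"
        done
    done <<EOF
$1
EOF
}

emit_rules "$HOSTS"
```

Only one workstation can own port 1720 on the gateway; the others are reachable from outside only on the port assigned to them in the table.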




