Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Tue Dec 30, 2003 6:59 pm Post subject: IPTables NAT Vs. NetMeeting
Hi,
I have a Gentoo box acting as a gateway with iptables.
I am also using the IPKungFu script to configure it.
But as far as I know NetMeeting wants a whole bunch of ports open and I honestly don't want to open all of these.
I found a module that adds support for the H.323 protocol, but it's for an old kernel version and I am using 2.6.
I also read that maybe using a gatekeeper (gnugk) could help me.
When I call people with NetMeeting they can hear and see me, but I cannot hear or see them, so I guess some UDP packets are blocked.
I am just a little confused and it would be really nice if someone who has a similar configuration and actually got it to work could help me.
Thanks in advance.
krusty_ar Guru


Joined: 03 Oct 2002 Posts: 560 Location: Rosario, Argentina
Posted: Wed Dec 31, 2003 12:54 am
Why don't you want to open the ports? If the app needs them to work, then you need to open them or the app won't work, simple.
What ports do you need to open? If you don't have any other services running on those ports there should be no problem opening them.
_________________
I am Beta, don't expect correct behaviour from me.
Take part in the adopt-an-unanswered-post initiative
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Wed Dec 31, 2003 9:50 am
If it were just some ports, but the problem is that the H.323 protocol assigns these ports randomly between 1024 and 65535, I think.
This is on the NetMeeting firewall help site:
* Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
* Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).
And opening everything can't be the only solution?
krusty_ar Guru


Joined: 03 Oct 2002 Posts: 560 Location: Rosario, Argentina
Posted: Wed Dec 31, 2003 11:35 am
I don't know what they mean by primary and secondary TCP connections, but it probably means that you only need to open the primary ports and enable related traffic on the rest (this is usually done because several protocols use a second, dynamically assigned port).
_________________
I am Beta, don't expect correct behaviour from me.
Take part in the adopt-an-unanswered-post initiative
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Thu Jan 01, 2004 8:45 am
Thanks for your answer, but I opened the so-called primary ports already without success.
Sorry for the late reply and Happy New Year.
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Sat Jan 10, 2004 11:49 am
OK, I figured it out now.
You have to install an additional module by patching your kernel.
The easiest way to do this is to use patch-o-matic (pom) from netfilter.org.
Then you follow the instructions to patch your kernel and recompile it as usual.
Don't forget to modprobe the new modules afterwards.
Right now it doesn't work with the 2.6 kernel yet, but they said a patch will be released shortly.
Hope I could help someone who is trying the same.
PS: If you just want to make outgoing calls you don't have to open any ports at all.
Chakal n00b

Joined: 10 Jan 2004 Posts: 3
Posted: Sat Jan 10, 2004 6:05 pm
You should try this line; it allows established connections to get through the firewall to your workstation without actually opening the ports:
Code:
iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Sat Jan 10, 2004 6:45 pm
Thanks, this could be handy.
Though I think NetMeeting still wouldn't work then, because it negotiates the ports with every call and they are always different.
The module for the H.323 protocol which NetMeeting uses is better, I think.
It's just made for this purpose.
Chakal n00b

Joined: 10 Jan 2004 Posts: 3
Posted: Sat Jan 10, 2004 7:42 pm
You should still try it; it allows any connection to go through the firewall to the workstation as long as it's already established or was requested by the workstation.
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Sat Jan 10, 2004 8:14 pm
But does this work for UDP ports as well?
As far as I know these ports are negotiated within the H.323 protocol, so how can an "outside" program know it is actually requested?
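An added example (mine, not code from the thread) for the two posts above: the H.323 module Merlin-TC got through patch-o-matic is what makes Chakal's `--state ESTABLISHED,RELATED` rule useful for NetMeeting, and it also answers the UDP question. The helper attaches to the Q.931 call-signalling connection on TCP 1720, parses the H.245 address it announces and then the OpenLogicalChannel exchange on the H.245 channel, rewrites the private addresses NetMeeting puts into those messages (the NAT half), and registers conntrack "expectations" for the H.245 TCP and RTP/RTCP UDP flows it sees negotiated. Those flows then match RELATED on arrival instead of NEW, so no 1024-65535 hole is needed. Without the helper the far end is told the private address and port, and its media stream arrives for a flow conntrack never saw, which is the one-way audio/video from the first post. Interface names, the inside host address and the module-name list are assumptions; the patch-o-matic modules were ip_conntrack_h323/ip_nat_h323, later mainline kernels ship the same helper as nf_conntrack_h323/nf_nat_h323.

```shell
#!/bin/sh
# Added example, not code from the thread: H.323 (NetMeeting) through an
# iptables NAT gateway using the netfilter H.323 conntrack/NAT helper.
# Assumed names (change for your setup):
WAN=${WAN:-ppp0}                  # Internet-facing interface (assumed)
LAN=${LAN:-eth1}                  # inside interface (assumed)
NM_HOST=${NM_HOST:-192.168.1.10}  # inside NetMeeting workstation (assumed)
IPT=${IPT:-iptables}              # set IPT=echo to print the rules instead

# The helper's module names depend on the kernel: ip_conntrack_h323/ip_nat_h323
# (2.4 and patch-o-matic 2.6), nf_conntrack_h323/nf_nat_h323 on later kernels.
load_h323_helper() {
    loaded=0
    for m in nf_conntrack_h323 nf_nat_h323 ip_conntrack_h323 ip_nat_h323; do
        modprobe "$m" 2>/dev/null && loaded=1
    done
    [ "$loaded" = 1 ] || { echo "no H.323 helper module found" >&2; return 1; }
}

h323_rules() {
    # Default-deny for forwarded traffic; everything below is an exception.
    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # H.245 (TCP) and RTP/RTCP (UDP) on the ports negotiated inside a call are
    # entered by the helper as RELATED and then become ESTABLISHED, so this one
    # rule covers the whole "dynamically assigned 1024-65535" list.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inside hosts may open anything outward; outgoing calls need nothing else,
    # which matches the "no ports at all for outgoing calls" observation.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT

    # Incoming calls: only Q.931 call signalling (TCP 1720) is forwarded
    # statically, and only to the one NetMeeting host. The helper attaches to
    # this connection and derives everything else from it.
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 1720 \
        -j DNAT --to-destination "$NM_HOST"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$NM_HOST" --dport 1720 \
        -m state --state NEW -j ACCEPT
}

# Apply only when asked, so the file can be sourced or dry-run safely.
if [ "${H323_APPLY:-0}" = 1 ]; then
    load_h323_helper
    h323_rules
fi
```

Run as root with H323_APPLY=1; with IPT=echo the functions print the rules instead of loading them. Two caveats: the helper does nothing for the RAS/registration traffic on UDP 1719 unless the RAS part of the module is loaded as well (it is part of the same module on the kernels named above), and kernels that carry the net.netfilter.nf_conntrack_helper sysctl no longer attach helpers to a connection on their own; on those, assign the Q.931 helper explicitly in the raw table before the rules above, for example `iptables -t raw -A PREROUTING -p tcp --dport 1720 -j CT --helper Q.931`.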
LGW n00b

Joined: 02 Oct 2002 Posts: 60
Posted: Fri Apr 23, 2004 11:24 pm
Simple answer: don't use NetMeeting, use OpenPhone for Windows and GnomeMeeting for Linux.
Both have *configurable* port ranges, so you only have to allow and forward *insertyourchoiceofudpportshere* ports instead of *ALL* of them.
Silly implementation. But what to expect, it's M$...
OpenPhone and GnomeMeeting work together very well. The GnomeMeeting homepage has some iptables script examples, too.
Right now I'm trying to set up gnugk, but without much luck.
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Sat Apr 24, 2004 7:45 am
I did not know about OpenPhone, I will check it out. I would have loved to use GnomeMeeting on both sides, but my gf was not too keen on switching to Linux just so that this works.
So I set up a gatekeeper like you.
I have it running fine, so if you need any help just let me know and I will try to be of assistance.
Also thanks for the tip about OpenPhone, I will check it out for sure.
Thanks
trumee Guru

Joined: 02 Mar 2003 Posts: 551 Location: London,UK
Posted: Thu Jun 10, 2004 7:39 am
Can you please post how you set up your gatekeeper? I am facing exactly the same problem, except that I am using Shorewall to define my rules, and NetMeeting simply refuses to work.
Thanks
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Thu Jun 10, 2004 1:14 pm
This is my config:
Code:
[Gatekeeper::Main]
# gnugk's configuration sanity check; must be present exactly like this
Fourtytwo=42
[RoutedMode]
# route the call signalling through the gatekeeper instead of endpoint-to-endpoint
GKRouted=1
AcceptUnregisteredCalls=1
# let endpoints behind NAT register and be called
SupportNATedEndpoints=1
# TCP ranges the gatekeeper uses for the routed H.245 and Q.931 channels;
# these are the ports the firewall has to let in
H245PortRange=30000-30010
Q931PortRange=30011-30020
[RasSvr::ARQFeatures]
CallUnregisteredEndpoints=1
[Proxy]
# proxy the media (RTP/RTCP) through the gatekeeper as well, on this UDP range
Enable=1
RTPPortRange=5000-5010
[GkStatus::Auth]
# unauthenticated access to the status port (TCP 7000 by default);
# only safe while the firewall keeps that port off the Internet
rule=allow
[Gatekeeper::Auth]
# no registration authentication: anyone who can reach the RAS port may register
default=allow

But make sure that EVERYONE you want to call is registered with the gatekeeper.
You can enter this in the gatekeeper settings in NetMeeting.
If the other person you want to call registers as user "Frank" then all you have to do is enter Frank in your NetMeeting after you are both signed in.
Also make sure that you forward the ports defined in the gnugk config file.
Hope I could help
trumee Guru

Joined: 02 Mar 2003 Posts: 551 Location: London,UK
Posted: Thu Jun 10, 2004 4:16 pm
Thanks for your help, but I am a bit lost here. I have just one machine, which has the Shorewall firewall running, and on this machine itself I want to use GnomeMeeting.
Do I still need to forward ports? Here are my firewall rules:
Code:
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT  net    fw   tcp   1720
ACCEPT  net    fw   tcp   1731
ACCEPT  net    fw   tcp   30000:30010
ACCEPT  net    fw   udp   5000:5007
ACCEPT  net    fw   udp   5010:5013

Are the above rules all right? Do I need to change something in GnomeMeeting too?
Thanks
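An added example (mine, not code from the thread) that ties Merlin-TC's gnugk config to the "forward the ports defined in the gnugk config file" advice and to trumee's question about which ports to open: a script that reads the port ranges out of the gatekeeper's config file and emits iptables INPUT rules for the host the gatekeeper runs on. That is trumee's single-machine case, and also the gateway case whenever gnugk runs on the firewall itself; if the gatekeeper sat on an inside machine instead, the same five rules would become DNAT entries in the nat PREROUTING chain plus matching FORWARD rules. With gnugk in proxy mode the endpoints behind it only ever talk to the gatekeeper, so no H.323 conntrack helper is needed on this host. Assumed: the interface name, and gnugk's default listeners 1719/udp for RAS and 1720/tcp for call signalling. The sample config is constructed from the posted one.

```shell
#!/bin/sh
# Added example, not code from the thread: derive iptables INPUT rules for the
# host running GNU Gatekeeper (gnugk) in proxy mode from the port ranges in its
# config, so what the firewall opens always matches what gnugk is told to use.
WAN=${WAN:-ppp0}      # Internet-facing interface (assumed)
IPT=${IPT:-iptables}  # set IPT=echo to print the rules instead of applying them

# Constructed sample config: the [RoutedMode] and [Proxy] ranges posted above.
GK_SAMPLE_CFG=$(mktemp)
cat >"$GK_SAMPLE_CFG" <<'EOF'
[Gatekeeper::Main]
Fourtytwo=42
[RoutedMode]
GKRouted=1
H245PortRange=30000-30010
Q931PortRange=30011-30020
[Proxy]
Enable=1
RTPPortRange=5000-5010
EOF

# gk_range FILE KEY: print KEY's "lo-hi" value in iptables "lo:hi" form,
# nothing if the key is absent.
gk_range() {
    awk -F= -v k="$2" '$1 == k { sub(/-/, ":", $2); print $2; exit }' "$1"
}

gnugk_port_rules() {
    cfg=$1
    q931=$(gk_range "$cfg" Q931PortRange)
    h245=$(gk_range "$cfg" H245PortRange)
    rtp=$(gk_range "$cfg" RTPPortRange)
    # Without all three ranges gnugk picks ephemeral ports for the missing
    # channel and you are back to the 1024-65535 problem, so refuse to guess.
    if [ -z "$q931" ] || [ -z "$h245" ] || [ -z "$rtp" ]; then
        echo "Q931PortRange, H245PortRange and RTPPortRange must all be set in $cfg" >&2
        return 1
    fi
    # Fixed listeners: RAS registration (gnugk default 1719/udp) and the
    # Q.931 call-signalling listener (1720/tcp).
    $IPT -A INPUT -i "$WAN" -p udp --dport 1719 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 1720 -j ACCEPT
    # Routed-mode signalling: the per-call Q.931 and H.245 connections use
    # these TCP ranges. The H.245 listener the gatekeeper announces to the far
    # end lies in H245PortRange, so that range at least must be reachable.
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$q931" -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$h245" -j ACCEPT
    # Proxied media: RTP/RTCP from the far end terminates on the gatekeeper
    # inside this UDP range, never on the endpoint behind it.
    $IPT -A INPUT -i "$WAN" -p udp --dport "$rtp" -j ACCEPT
    # Replies to connections the gatekeeper opened outward.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Deliberately not opened: the status port (TCP 7000 by default), which
    # [GkStatus::Auth] rule=allow leaves without authentication.
}

# Dry run over the sample so the script shows its output when run directly.
(IPT=echo; gnugk_port_rules "$GK_SAMPLE_CFG")
```

Point it at the real config (for example `gnugk_port_rules /etc/gnugk.ini`, path assumed) and run as root to apply. Note that the ranges in trumee's Shorewall rules (tcp 30000:30010, udp 5000:5007 and 5010:5013) are the GnomeMeeting defaults quoted later in the thread, and the posted Q931PortRange 30011-30020 is not among them.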
Merlin-TC l33t


Joined: 16 May 2003 Posts: 603 Location: Germany
Posted: Fri Jun 11, 2004 9:38 am
I never used Shorewall, so I don't know the difference between forwarding ports to another machine and opening them on the machine Shorewall is running on.
Maybe you can check the man pages.
In GnomeMeeting you just have to enter the IP of the gatekeeper (I think you can enter 127.0.0.1 because the gatekeeper is running on the same machine). And also don't forget to set an alias.
That should be all.
Kaboosh Apprentice


Joined: 10 Jun 2004 Posts: 162 Location: Edmonton, AB - Canada
Posted: Sun Nov 07, 2004 2:49 pm Post subject: Security advice from Microsoft?
Merlin-TC wrote:
    If it were just some ports, but the problem is that the H.323 protocol assigns these ports randomly between 1024 and 65535, I think.
    This is on the NetMeeting firewall help site:
    * Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
    * Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).

Well, if it were up to MS and their excellent track record on security, I guess they'd ask us to toss out our firewalls, get WinXP or some other garbage "OS", and connect directly to the Internet.
The GnomeMeeting help files (Help -> Contents) state that the ports used can be viewed/modified using gconf-editor and looking in apps -> gnomemeeting -> protocols -> h323 -> ports. The default values are 1072 and 30000 to 30010 using TCP, along with 5000 to 5007 and 5010 to 5013 using UDP.
_________________
"The philosophy of one century is the common sense of the next." - Henry Ward Beecher