This is a discussion on M$ Netmeeting through Linux NAT? within the Linux Networking forums, part of the Linux Forums category.
Hi,

I'd like to use Microsoft's Netmeeting on a Windows box in my private
LAN for communicating with Netmeeting users in the Internet through my
Linux NAT box.

I have patched kernel 2.4.20 for the H.323 modules using netfilter's
patch-o-matic, finally rebooted, loaded the compiled modules
(ip_conntrack_h323 and ip_nat_h323) and configured the DNAT and
forwarding entries in the firewall.

Now I can set up Netmeeting connections with hosts in the Internet, but
only data applications go through (chat, application sharing), no voice,
no video. Both hosts don't even send a single UDP packet for
voice/video, thus I assume that something's wrong with the H.323
negotiation. (How can I check whether the h323 modules are really
performing some action at all?)
Voice/video works fine inside the private LAN.

Any ideas?

Thanks for your assistance,
  Steffen
On Thu, 15 Jan 2004 22:11:21 +0100, Steffen Engmann <steffen@engmann.de>
wrote:

>Hi,
>
>I'd like to use Microsoft's Netmeeting on a Windows box in my private
>LAN for communicating with Netmeeting users in the Internet through my
>Linux NAT box.
>
>I have patched kernel 2.4.20 for the H.323 modules using netfilter's
>patch-o-matic, finally rebooted, loaded the compiled modules
>(ip_conntrack_h323 and ip_nat_h323) and configured the DNAT and
>forwarding entries in the firewall.
>
>Now I can set up Netmeeting connections with hosts in the Internet, but
>only data applications go through (chat, application sharing), no voice,
>no video. Both hosts don't even send a single UDP packet for
>voice/video, thus I assume that something's wrong with the H.323
>negotiation. (How can I check whether the h323 modules are really
>performing some action at all?)
>Voice/video works fine inside the private LAN.
>
>Any ideas?
>
>Thanks for your assistance,
>  Steffen

How about your firewall? You will need to open TCP ports 1503, 1718-1721
and 1731. Also all UDP ports above 1024. Using the modules, as the
machine behind the firewall, you must be the one to initiate the
connection.

If you are feeling ambitious, you may want to use a gatekeeper instead.
I am using this one.

http://www.gnugk.org/h323download.html

--
"Now are you talking about what it is you know
Or just repeating what it was you heard."
Grace Slick
To E-mail use: rpiotro(at)wi(dot)rr(dot)com
Rich Piotrowski wrote:

> On Thu, 15 Jan 2004 22:11:21 +0100, Steffen Engmann <steffen@engmann.de>
> wrote:
>
>>Hi,
>>
>>I'd like to use Microsoft's Netmeeting on a Windows box in my private
>>LAN for communicating with Netmeeting users in the Internet through my
>>Linux NAT box.
>>
>>I have patched kernel 2.4.20 for the H.323 modules using netfilter's
>>patch-o-matic, finally rebooted, loaded the compiled modules
>>(ip_conntrack_h323 and ip_nat_h323) and configured the DNAT and
>>forwarding entries in the firewall.
>>
>>Now I can set up Netmeeting connections with hosts in the Internet, but
>>only data applications go through (chat, application sharing), no voice,
>>no video. Both hosts don't even send a single UDP packet for
>>voice/video, thus I assume that something's wrong with the H.323
>>negotiation. (How can I check whether the h323 modules are really
>>performing some action at all?)
>>Voice/video works fine inside the private LAN.
>>
>>Any ideas?
>>
>>Thanks for your assistance,
>>  Steffen
>
> How about your firewall? You will need to open TCP ports 1503, 1718-1721
> and 1731. Also all UDP ports above 1024. Using the modules, as the
> machine behind the firewall, you must be the one to initiate the
> connection.
>
> If you are feeling ambitious, you may want to use a gatekeeper instead.
> I am using this one.
>
> http://www.gnugk.org/h323download.html
>

Yes, it's working perfectly with gnugk! And even easier to install than
the netfilter-mods ...
Only drawback: All my friends have to register at my Gatekeeper first.

Thanks,
  Steffen

Here's my /etc/gnugk.ini

# /etc/gnugk.ini
[Gatekeeper::Main]
Fourtytwo=42

[RoutedMode]
GKRouted=1
H245Routed=1
AcceptUnregisteredCalls=1
SupportNATedEndpoints=1
H245PortRange=30000-30020
Q931PortRange=40000-40020

[RasSrv::ARQFeatures]
CallUnregisteredEndpoints=1

[Proxy]
Enable=1
RTPPortRange=50000-50020
InternalNetwork=192.168.1.0/24
ProxyForNAT=1

[GkStatus::Auth]
rule=allow

[Gatekeeper::Auth]
default=allow
# End of /etc/gnugk.ini

And the iptable filter rules:

$IPTABLES -A INPUT -i $EXT -p UDP -d $MY_IP_EXT --dport 1718:1719 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 1721 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 30000:30020 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 40000:40020 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p UDP -d $MY_IP_EXT --dport 50000:50020 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
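[Added example, not part of any post in this thread.] A Python check that every port range set in a gnugk.ini like the one above is covered by an ACCEPT rule of the right protocol, and that no rule opens more than the gatekeeper is configured to use. The function names, the `fixed` parameter and the sample input (shortened from the posted configuration, with one deliberately broad UDP rule) are constructed for this example.

```python
import configparser
import re

# Transport per GnuGK range key: H.245, Q.931 and T.120 run over TCP, RTP over UDP.
RANGE_KEYS = {"H245PortRange": "tcp", "Q931PortRange": "tcp",
              "T120PortRange": "tcp", "RTPPortRange": "udp"}

def configured_ranges(ini_text):
    """Map (proto, lo, hi) -> key name for each port-range key in a gnugk.ini."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the keys' case
    cp.read_string(ini_text)
    found = {}
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in RANGE_KEYS:
                lo, hi = (int(p) for p in value.split("-"))
                found[(RANGE_KEYS[key], lo, hi)] = key
    return found

def accepted_ranges(rules_text):
    """List (proto, lo, hi) for each ACCEPT rule that has -p and --dport."""
    out = []
    for line in rules_text.replace("\\\n", " ").splitlines():  # join continuations
        m = re.search(r"-p\s+(\w+).*--dport\s+(\d+)(?::(\d+))?.*-j\s+ACCEPT", line)
        if m:
            lo = int(m.group(2))
            out.append((m.group(1).lower(), lo, int(m.group(3) or lo)))
    return out

def audit(ini_text, rules_text, fixed=()):
    """Return (range keys no rule covers, rules wider than anything configured)."""
    want, have = configured_ranges(ini_text), accepted_ranges(rules_text)
    covers = lambda outer, inner: (outer[0] == inner[0] and outer[1] <= inner[1]
                                   and inner[2] <= outer[2])
    uncovered = sorted(k for w, k in want.items() if not any(covers(r, w) for r in have))
    allowed = list(want) + list(fixed)  # fixed: signalling ports outside the ranges
    excess = [r for r in have if not any(covers(a, r) for a in allowed)]
    return uncovered, excess

# Constructed sample input, shortened from the configuration and rules posted above.
INI = "[RoutedMode]\nH245PortRange=30000-30020\nQ931PortRange=40000-40020\n" \
      "[Proxy]\nRTPPortRange=50000-50020\n"
RULES = r"""$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 30000:30020 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 40000:40020 -j ACCEPT
$IPTABLES -A INPUT -i $EXT -p UDP -d $MY_IP_EXT --dport 1024:65535 -j ACCEPT
"""
print(audit(INI, RULES))
```

Pass the signalling ports that are opened on purpose, such as UDP 1718:1719 and TCP 1721 in the rules above, through `fixed` so they are not reported as excess.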
On Mon, 19 Jan 2004 20:11:27 +0100, Steffen Engmann
<steffen@engmann.de> wrote:

<snip>

>Yes, it's working perfectly with gnugk! And even easier to install than
>the netfilter-mods ...
>Only drawback: All my friends have to register at my Gatekeeper first.

Yes. Not that big of a deal though.

>Thanks,
>  Steffen
>
>Here's my /etc/gnugk.ini

<snip>

Here's mine.

## /etc/gnugk.ini
#
[Gatekeeper::Main]
Fourtytwo=42
TimeToLive=600
Name=GK1

[RoutedMode]
GKRouted=1
H245Routed=1
CallSignalPort=1721
CallSignalHandlerNumber=2
AcceptNeighborsCalls=1
AcceptUnregisteredCalls=0
RemoveH245AddressOnTunneling=1
DropCallsByReleaseComplete=1
SendReleaseCompleteOnDRQ=1
SupportNATedEndpoints=1
Q931PortRange=20000-20020
H245PortRange=30000-30020

[RasSrv::Neighbors]
GK2=131.210.92.179:1719;*;gk2password

[RasSrv::LRQFeatures]
NeighborTimeout=2

[Gatekeeper::Auth]
NeighborPasswordAuth=required

[Endpoint]
Password=gk1password

[Proxy]
Enable=1
InternalNetwork=192.168.100.0/24
T120PortRange=40000-40020
RTPPortRange=50000-50020

[GkStatus::Auth]
rule=allow
####### END

As you can see, I have a "neighbor". That is so I can connect to my son
through *his* Linux firewall.

>
>And the iptable filter rules:
>$IPTABLES -A INPUT -i $EXT -p UDP -d $MY_IP_EXT --dport 1718:1719 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 1721 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 30000:30020 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

No port 1503? I forget what that was even for!

>$IPTABLES -A INPUT -i $EXT -p TCP -d $MY_IP_EXT --dport 40000:40020 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A INPUT -i $EXT -p UDP -d $MY_IP_EXT --dport 50000:50020 \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>

I found I did not need those.

I'm glad it worked out so well for you.

--
"Now are you talking about what it is you know
Or just repeating what it was you heard".
Grace Slick
To email use rpiotro(at)wi(dot)rr(dot)com