H323 NAT.

H323 NAT.

[Carles Xavier Munyoz Baldó]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
I'm having lot of problems with the ip_nat_h323 and ip_conntrack_h323 
netfilter modules.

I have applied the patch-o-matic to the 2.4.19 kernel source and compile it in 
my firewall.
I can load the modules with:
# modprobe ip_nat_h323

I have a h323 VoIP device behind my firewall and another one in the internet. 
When I call from the device behind the NAT-firewall, I can reach the device 
in the Internet. All VoIP data from the device behind the firewall arrives to 
the device in the internet, but all de VoIP data from the device in the 
internet is sent to the private addres of the device behind the firewall, and 
never arrives to it.

It seems that the ip_nat_h323 module is not making its work. It is not 
changing the source IP at the h323 aplication level.

I have seen the next logs in the /var/log/messages file:
Oct 15 17:47:47 fwtemplate kernel: ASSERT: ip_nat_core.c:838 
&ip_conntrack_lock not readlocked
Oct 15 17:47:47 fwtemplate kernel: ASSERT ip_conntrack_core.c:93 
&ip_conntrack_lock_R71150de5 readlocked

I'm using the last iptables version (1.2.7a).

May anyone help me with this ?
Any suggestions ?

Greetings.
- ---
Carles Xavier Munyoz Baldó
carles@descom.es
Descom Consulting
Telf: +34 965861024
Fax: +34 965861024
http://www.descom.es/
- ---
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPaw86jvYAf7VZNaaEQLZNACgn3lsxB5m17khtlSzfRd+OUpMy4gAn0E+
Or8bWYQESsQnb1QK8EFyaGB9
=yrw1
-----END PGP SIGNATURE-----

H323 NAT

[German Viera]

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

Hi everybody......

    I had been using iptables for almost a year ...I am administering a linux box that works as a router....I am maquins source routing and NAT ..but I am having problem with some H323 equipement to make nat with them.....

some one has any idea ???


PS: Please reply to this mail becuase I am not yet subscriber to the list.

Regards ,

Geman Viera

[-- Attachment #2: Type: text/html, Size: 1215 bytes --]

RE: H323 NAT

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 793 bytes --]

Wow.. our names are close in some way (gvieira)...
 
You need patch-o-matic H323 patch and use the 2 modules that it creates after recompiling the kernel.
There is alot on this in the archives.

Thanks,

 
 
 

-----Original Message-----
From: German Viera [mailto:gviera@directo.com.uy]
Sent: Thursday, 20 November 2003 11:49 PM
To: netfilter@lists.netfilter.org
Subject: H323 NAT


Hi everybody......
 
    I had been using iptables for almost a year ...I am administering a linux box that works as a router....I am maquins source routing and NAT ..but I am having problem with some H323 equipement to make nat with them.....
 
some one has any idea ???
 
 
PS: Please reply to this mail becuase I am not yet subscriber to the list.
 
Regards ,
 
Geman Viera


[-- Attachment #2: Type: text/html, Size: 2574 bytes --]

RE: H323 NAT

[Jerry Rasmussen]

Can you give us a better idea of what kinds of problem you are experiencing.  
 
And for one thing at the least you will have to have H.323 exposed as a public IP address or the person you are connecting to will need a public IP address.

________________________________

From: netfilter-admin@lists.netfilter.org on behalf of German Viera
Sent: Thu 11/20/2003 7:49 AM
To: netfilter@lists.netfilter.org
Subject: H323 NAT


Hi everybody......
 
    I had been using iptables for almost a year ...I am administering a linux box that works as a router....I am maquins source routing and NAT ..but I am having problem with some H323 equipement to make nat with them.....
 
some one has any idea ???
 
 
PS: Please reply to this mail becuase I am not yet subscriber to the list.
 
Regards ,
 
Geman Viera

h323 & nat

[pengjie]

[-- Attachment #1: Type: text/plain, Size: 1439 bytes --]

i had read many documents but i didn't find answer.

i have a network as following:

        A------------------B====================C
192.168.110.x  192.168.110.y  202.101.k.m     202.101.k.n

the B is a gateway doing NAT. it's eth0 is 192.168.110.y and eth1 is 202.101.k.m. there is RH9 running on it,it's kernel is 2.4.21. i have pathched the h323,and runned up the modules ip_conntrack_h323 and ip_nat_h323.

the A and the C are netmeeting clients.

i test it with 2 methods:

1)both A and C logon to a ILS.

RESULTS:
A calls C is ok, and they can chat to each other.

C calls A is failure, i see the address called is the private address of A. so setting up is failure.


QUESTION: doesn't the patch do something when client logon to a ILS?

2)call each other without the ILS.

i add a rule: iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 1503,1720 -j DNAT --to-destination 192.168.110.x

they call each other with IP address. A calls C with C's IP as the destination, and C calls A with gateway's valid IP as the destination.

RESULTS:
A calls C is ok, and they can chat to each other.
C calls A is ok, but they can't chat to each other.

QUESTION: is the rule right? h.323 streaming port is dynamic, does it result this symptom?
          even though i add the rule right,i think it's no use.it just enable one client to go through the gateway.is it?

any help is appreciated.

[-- Attachment #2: Type: text/html, Size: 3139 bytes --]