* Iptables and Kernel
@ 2004-04-12 5:22 Norman Zhang
2004-04-12 6:00 ` Unknown, Alistair Tonner
0 siblings, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-12 5:22 UTC (permalink / raw)
To: netfilter
Hi,
Is iptables still needed for kernel 2.6.x? I see a lot of iptables
patches go into the kernel, but not many updates on the
www.netfilter.org. The logo on netfilter says firewalling, NAT and
packet mangling for Linux 2.4. So I guess much of the code goes directly
into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
Instant Messenger, or do I need the following plug-in,
http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 5:22 Iptables and Kernel Norman Zhang
@ 2004-04-12 6:00 ` Unknown, Alistair Tonner
2004-04-12 6:27 ` Norman Zhang
0 siblings, 1 reply; 18+ messages in thread
From: Unknown, Alistair Tonner @ 2004-04-12 6:00 UTC (permalink / raw)
To: Norman Zhang, netfilter
On April 12, 2004 01:22 am, Norman Zhang wrote:
> Hi,
>
> Is iptables still needed for kernel 2.6.x? I see a lot of iptables
> patches go into the kernel, but not many updates on the
> www.netfilter.org. The logo on netfilter says firewalling, NAT and
> packet mangling for Linux 2.4. So I guess much of the code goes directly
> into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
> Instant Messenger, or do I need the following plug-in,
> http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
1) iptables is the userspace component. Yes it is still needed in 2.6.x -- you still have to use
it to setup and manage individual rules.
2) 2.6.x indeed supports many components of netfilter out of the box, however there is still
patch-o-matic-ng which can still add functionality not yet in the kernel or in userspace.
3) No, you do not need patches from newnat-suite by default, you need
ip_conntrack_h323 and ip_nat_h323, although you might need newnat if your iptables is really old.
Keep in mind that *support* of netmeeting in this case is a loose terminology -- I believe that
several functionalities are not covered by the h323 patches.
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 6:00 ` Unknown, Alistair Tonner
@ 2004-04-12 6:27 ` Norman Zhang
2004-04-12 7:32 ` Unknown, Alistair Tonner
0 siblings, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-12 6:27 UTC (permalink / raw)
To: netfilter
>>Is iptables still needed for kernel 2.6.x? I see a lot of iptables
>>patches go into the kernel, but not many updates on the
>>www.netfilter.org. The logo on netfilter says firewalling, NAT and
>>packet mangling for Linux 2.4. So I guess much of the code goes directly
>>into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
>>Instant Messenger, or do I need the following plug-in,
>>http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
>
> 1) iptables is the userspace component. Yes it is still needed in 2.6.x -- you still have to use
> it to setup and manage individual rules.
>
> 2) 2.6.x indeed supports many components of netfilter out of the box, however there is still
> patch-o-matic-ng which can still add functionality not yet in the kernel or in userspace.
>
> 3) No, you do not need patches from newnat-suite by default, you need
> ip_conntrack_h323 and ip_nat_h323, although you might need newnat if your iptables is really old.
I'm using iptables-1.2.9-5mdk.i586.rpm on LM10.0. The latest on
www.netfilter.org is 1.2.9. I guess those 2 modules are included in 1.2.9?
> Keep in mind that *support* of netmeeting in this case is a loose terminology -- I believe that
> several functionalities are not covered by the h323 patches.
All I wanted is the ability to see video & audio for both incoming and
outgoing calls. Is that supported in iptables-1.2.9? Do I need to apply
pom-ng on top of iptables?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 6:27 ` Norman Zhang
@ 2004-04-12 7:32 ` Unknown, Alistair Tonner
2004-04-12 17:05 ` Norman Zhang
0 siblings, 1 reply; 18+ messages in thread
From: Unknown, Alistair Tonner @ 2004-04-12 7:32 UTC (permalink / raw)
To: Norman Zhang, netfilter
On April 12, 2004 02:27 am, Norman Zhang wrote:
> >>Is iptables still needed for kernel 2.6.x? I see a lot of iptables
> >>patches go into the kernel, but not many updates on the
> >>www.netfilter.org. The logo on netfilter says firewalling, NAT and
> >>packet mangling for Linux 2.4. So I guess much of the code goes directly
> >>into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
> >>Instant Messenger, or do I need the following plug-in,
> >>http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
> >
> > 1) iptables is the userspace component. Yes it is still needed in 2.6.x
> > -- you still have to use it to setup and manage individual rules.
> >
> > 2) 2.6.x indeed supports many components of netfilter out of the box,
> > however there is still patch-o-matic-ng which can still add functionality
> > not yet in the kernel or in userspace.
> >
> > 3) No, you do not need patches from newnat-suite by default, you need
> > ip_conntrack_h323 and ip_nat_h323, although you might need newnat if your
> > iptables is really old.
>
> I'm using iptables-1.2.9-5mdk.i586.rpm on LM10.0. The latest on
> www.netfilter.org is 1.2.9. I guess those 2 modules are included in 1.2.9?
>
> > Keep in mind that *support* of netmeeting in this case is a loose
> > terminology -- I believe that several functionalities are not covered by
> > the h323 patches.
>
> All I wanted is the ability to see video & audio for both incoming and
> outgoing calls. Is that supported in iptables-1.2.9? Do I need to apply
> pom-ng on top of iptables?
Looking at my kernel tarball, the bare 2.6.3 kernel does NOT include the h323 modules.
I would say you need patches in p-o-m -- I'm not sure if mandrake has a package for
p-o-m or not, but yes you need to add h323 modules.
IIRC, netmeeting should provide video/audio with conntrack and nat of h323 and relevant
ESTABLISHED,RELATED rules. -- be aware that you may not be able to receive
calls inside the firewall unless you forward the inbound connection requests --
the gnomemeeting website has some good rules on their faq pages that can help
with netmeeting requests as well. Check out openh323.org for gatekeeper applications
that can act as proxy for connection requests, thus mitigating functionality problems.
MS netmeeting also uses UPNP -- this protocol has been discussed on this list previously,
and you might want to read up on that as well.
Alistair Tonner
since my sig is on vacation, anyone care to fill this space?
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 7:32 ` Unknown, Alistair Tonner
@ 2004-04-12 17:05 ` Norman Zhang
2004-04-12 17:22 ` Antony Stone
0 siblings, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-12 17:05 UTC (permalink / raw)
To: netfilter
>>>>Is iptables still needed for kernel 2.6.x? I see a lot of iptables
>>>>patches go into the kernel, but not many updates on the
>>>>www.netfilter.org. The logo on netfilter says firewalling, NAT and
>>>>packet mangling for Linux 2.4. So I guess much of the code goes directly
>>>>into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
>>>>Instant Messenger, or do I need the following plug-in,
>>>>http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
>>>
>>>1) iptables is the userspace component. Yes it is still needed in 2.6.x
>>>-- you still have to use it to setup and manage individual rules.
>>>
>>>2) 2.6.x indeed supports many components of netfilter out of the box,
>>>however there is still patch-o-matic-ng which can still add functionality
>>>not yet in the kernel or in userspace.
>>>
>>>3) No, you do not need patches from newnat-suite by default, you need
>>>ip_conntrack_h323 and ip_nat_h323, although you might need newnat if your
>>>iptables is really old.
>>
>>I'm using iptables-1.2.9-5mdk.i586.rpm on LM10.0. The latest on
>>www.netfilter.org is 1.2.9. I guess those 2 modules are included in 1.2.9?
>>
>>>Keep in mind that *support* of netmeeting in this case is a loose
>>>terminology -- I believe that several functionalities are not covered by
>>>the h323 patches.
>>
>>All I wanted is the ability to see video & audio for both incoming and
>>outgoing calls. Is that supported in iptables-1.2.9? Do I need to apply
>>pom-ng on top of iptables?
>
>Looking at my kernel tarball, the bare 2.6.3 kernel does NOT include the h323 modules.
>I would say you need patches in p-o-m -- I'm not sure if mandrake has a package for
>p-o-m or not, but yes you need to add h323 modules.
I just downloaded 2.6.5, may I ask where should I check to see if h323
modules are included? On www.netfilter.org, I see pom-20031219 and
pomng-20040302. Is it safe to assume, that pomng includes pom?
>IIRC, netmeeting should provide video/audio with conntrack and nat of h323 and relevant
>ESTABLISHED,RELATED rules. -- be aware that you may not be able to receive
>calls inside the firewall unless you forward the inbound connection requests --
>the gnomemeeting website has some good rules on their faq pages that can help
>with netmeeting requests as well. Check out openh323.org for gatekeeper applications
>that can act as proxy for connection requests, thus mitigating functionality problems.
>MS netmeeting also uses UPNP -- this protocol has been discussed on this list previously,
>and you might want to read up on that as well.
Thank you so much. I will read up on them.
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 17:05 ` Norman Zhang
@ 2004-04-12 17:22 ` Antony Stone
2004-04-12 19:07 ` Norman Zhang
0 siblings, 1 reply; 18+ messages in thread
From: Antony Stone @ 2004-04-12 17:22 UTC (permalink / raw)
To: netfilter
On Monday 12 April 2004 6:05 pm, Norman Zhang wrote:
> I just downloaded 2.6.5, may I ask where should I check to see if h323
> modules are included? On www.netfilter.org, I see pom-20031219 and
> pomng-20040302. Is it safe to assume, that pomng includes pom?
You might find the following postings from the archives relevant here:
http://lists.netfilter.org/pipermail/netfilter/2003-December/049362.html
http://lists.netfilter.org/pipermail/netfilter/2003-December/049310.html
Regards,
Antony
--
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a
bloody trail of designers and quality assurance people in its wake.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 17:22 ` Antony Stone
@ 2004-04-12 19:07 ` Norman Zhang
2004-04-12 20:16 ` Unknown, Alistair Tonner
0 siblings, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-12 19:07 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Monday 12 April 2004 6:05 pm, Norman Zhang wrote:
>>I just downloaded 2.6.5, may I ask where should I check to see if h323
>>modules are included? On www.netfilter.org, I see pom-20031219 and
>>pomng-20040302. Is it safe to assume, that pomng includes pom?
>
> You might find the following postings from the archives relevant here:
>
> http://lists.netfilter.org/pipermail/netfilter/2003-December/049362.html
>
> http://lists.netfilter.org/pipermail/netfilter/2003-December/049310.html
Thank you so much. From the postings, it looks like 2.6.x is still
lacking some features that are available in 2.4.x. I'm setting up a
firewall with NAT and hoping to be able to do Netmeeting and MSN Instant
Messenger. Would 2.4.x's netfilter patches be sufficient to protect my LAN?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 19:07 ` Norman Zhang
@ 2004-04-12 20:16 ` Unknown, Alistair Tonner
2004-04-18 15:53 ` Norman Zhang
2004-04-19 4:34 ` Norman Zhang
0 siblings, 2 replies; 18+ messages in thread
From: Unknown, Alistair Tonner @ 2004-04-12 20:16 UTC (permalink / raw)
To: Norman Zhang, netfilter
On April 12, 2004 03:07 pm, Norman Zhang wrote:
> Antony Stone wrote:
> > On Monday 12 April 2004 6:05 pm, Norman Zhang wrote:
> >>I just downloaded 2.6.5, may I ask where should I check to see if h323
> >>modules are included? On www.netfilter.org, I see pom-20031219 and
> >>pomng-20040302. Is it safe to assume, that pomng includes pom?
> >
> > You might find the following postings from the archives relevant here:
> >
> > http://lists.netfilter.org/pipermail/netfilter/2003-December/049362.html
> >
> > http://lists.netfilter.org/pipermail/netfilter/2003-December/049310.html
>
> Thank you so much. From the postings, it looks like 2.6.x is still
> lacking some features that are available in 2.4.x. I'm setting up a
> firewall with NAT and hoping to be able to do Netmeeting and MSN Instant
> Messenger. Would 2.4.x's netfilter patches be sufficient to protect my LAN?
I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they work
for me -- but I'm referring to a home lan and only one netmeeting session
from the LAN -- we haven't tried multiple sessions from inside the lan ...
either to the same netmeeting session or to different ones.
Alistair Tonner
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 20:16 ` Unknown, Alistair Tonner
@ 2004-04-18 15:53 ` Norman Zhang
2004-04-18 12:06 ` Alistair Tonner
2004-04-19 4:34 ` Norman Zhang
1 sibling, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-18 15:53 UTC (permalink / raw)
To: netfilter
>>>>I just downloaded 2.6.5, may I ask where should I check to see if h323
>>>>modules are included? On www.netfilter.org, I see pom-20031219 and
>>>>pomng-20040302. Is it safe to assume, that pomng includes pom?
>>>
>>>You might find the following postings from the archives relevant here:
>>>
>>>http://lists.netfilter.org/pipermail/netfilter/2003-December/049362.html
>>>
>>>http://lists.netfilter.org/pipermail/netfilter/2003-December/049310.html
>>
>>Thank you so much. From the postings, it looks like 2.6.x is still
>>lacking some features that are available in 2.4.x. I'm setting up a
>>firewall with NAT and hoping to be able to do Netmeeting and MSN Instant
>>Messenger. Would 2.4.x's netfilter patches be sufficient to protect my LAN?
>
>I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they work
>for me -- but I'm referring to a home lan and only one netmeeting session
>from the LAN -- we haven't tried multiple sessions from inside the lan ...
>either to the same netmeeting session or to different ones.
I'm trying to compile p-o-m-ng with 2.6.5 now. It asks for iptables
sources. I thought p-o-m-ng patches apply to the kernel only. Do I
need to recompile iptables too? There are many patches in p-o-m-ng. I
only need the h323 patch for Netmeeting to work correctly? The README
from p-o-m-ng recommends the following command to patch the kernel,
# KERNEL_DIR=/usr/src/linux ./runme -pending
Do I need to worry about rejects and offsets?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-18 15:53 ` Norman Zhang
@ 2004-04-18 12:06 ` Alistair Tonner
2004-04-18 16:27 ` Norman Zhang
0 siblings, 1 reply; 18+ messages in thread
From: Alistair Tonner @ 2004-04-18 12:06 UTC (permalink / raw)
To: netfilter
On April 18, 2004 03:53 pm, Norman Zhang wrote:
> >>>>I just downloaded 2.6.5, may I ask where should I check to see if h323
> >>>>modules are included? On www.netfilter.org, I see pom-20031219 and
> >>>>pomng-20040302. Is it safe to assume, that pomng includes pom?
> >>>
> >>>You might find the following postings from the archives relevant here:
> >>>
> >>>http://lists.netfilter.org/pipermail/netfilter/2003-December/049362.html
> >>>
> >>>http://lists.netfilter.org/pipermail/netfilter/2003-December/049310.html
> >>
> >>Thank you so much. From the postings, it looks like 2.6.x is still
> >>lacking some features that are available in 2.4.x. I'm setting up a
> >>firewall with NAT and hoping to be able to do Netmeeting and MSN Instant
> >>Messenger. Would 2.4.x's netfilter patches be sufficient to protect my LAN?
> >
> >I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they
> > work for me -- but I'm referring to a home lan and only one netmeeting
> > session from the LAN -- we haven't tried multiple sessions from inside
> > the lan ... either to the same netmeeting session or to different ones.
>
> I'm trying to compile p-o-m-ng with 2.6.5 now. It asks for iptables
> sources. I thought p-o-m-ng patches apply to the kernel only. Do I
> need to recompile iptables too? There are many patches in p-o-m-ng. I
> only need the h323 patch for Netmeeting to work correctly? The README
> from p-o-m-ng recommends the following command to patch the kernel,
>
> # KERNEL_DIR=/usr/src/linux ./runme -pending
>
> Do I need to worry about rejects and offsets?
Yes you need to apply some of the patches in pom-ng against the iptables
sources.
Not only do we change the kernel code, but we have to make some changes to
the iptables tools as well to get some of those to work
For the record, with both 2.6.3. and 2.6.5 from gentoo with the gaming
options, iptables 1.2.9 and pom-ng play nice for most things.
If something doesn't apply against plain jane kernel code, there is likely a
need to holler at the maintainer of the patch.
Alistair Tonner
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-18 12:06 ` Alistair Tonner
@ 2004-04-18 16:27 ` Norman Zhang
2004-04-18 13:05 ` Alistair Tonner
0 siblings, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-18 16:27 UTC (permalink / raw)
To: netfilter
>>I'm trying to compile p-o-m-ng with 2.6.5 now. It asks for iptables
>>sources. I thought p-o-m-ng patches apply to the kernel only. Do I
>>need to recompile iptables too? There are many patches in p-o-m-ng. I
>>only need the h323 patch for Netmeeting to work correctly? The README
>>from p-o-m-ng recommends the following command to patch the kernel,
>>
>># KERNEL_DIR=/usr/src/linux ./runme -pending
>>
>>Do I need to worry about rejects and offsets?
>
>Yes you need to apply some of the patches in pom-ng against the
>iptables sources. Not only do we change the kernel code, but we have
>to make some changes to the iptables tools as well to get some of
>to work
Thank you so much for your quick response. I've iptables RPM already
installed with Mandrake. I guess I will need to remove that first before
compiling the new iptables. I plan to use Shorewall to configure my
firewall. Will removing iptables RPM break anything? I see iptables is
included as startup option during boot under Mandrake. After recompiling
iptables, do I need to reconfigure all those options?
>For the record, with both 2.6.3. and 2.6.5 from gentoo with the gaming
>options, iptables 1.2.9 and pom-ng play nice for most things.
>
>If something doesn't apply against plain jane kernel code, there is
>likely a need to holler at the maintainer of the patch.
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-18 16:27 ` Norman Zhang
@ 2004-04-18 13:05 ` Alistair Tonner
0 siblings, 0 replies; 18+ messages in thread
From: Alistair Tonner @ 2004-04-18 13:05 UTC (permalink / raw)
To: netfilter
On April 18, 2004 04:27 pm, Norman Zhang wrote:
> >>I'm trying to compile p-o-m-ng with 2.6.5 now. It asks for iptables
> >>sources. I thought p-o-m-ng patches apply to the kernel only. Do I
> >>need to recompile iptables too? There are many patches in p-o-m-ng. I
> >>only need the h323 patch for Netmeeting to work correctly? The README
> >>from p-o-m-ng recommends the following command to patch the kernel,
> >>
> >># KERNEL_DIR=/usr/src/linux ./runme -pending
> >>
> >>Do I need to worry about rejects and offsets?
> >
> >Yes you need to apply some of the patches in pom-ng against the
> >iptables sources. Not only do we change the kernel code, but we have
> >to make some changes to the iptables tools as well to get some of
> >to work
>
> Thank you so much for your quick response. I've iptables RPM already
> installed with Mandrake. I guess I will need to remove that first before
> compiling the new iptables. I plan to use Shorewall to configure my
> firewall. Will removing iptables RPM break anything? I see iptables is
> included as startup option during boot under Mandrake. After recompiling
> iptables, do I need to reconfigure all those options?
I'm not a Mandrake user, so I'm no expert, but I would suspect that you might
need to check the paths involved in that startup script. I know that by
default Slackware installs iptables in /usr/local/ and I by my weird nature
want it in / ( I want that firewall up and running FIRST dammit)... so ..
go get all the required sources, (iptables, pom-ng and if you need it the
kernel bits) shutdown that internet connection, remove the RPM of iptables
(but keep the file for it handy) and go ahead .... best practice rules apply
in all processes like this -- make a backup of some sort FIRST. so you can
go back if need be.
Shorewall is well done, and well supported by others on this list.
I'm not so sure what options Drake offers for configuration, so ...
Alistair Tonner.
>
> >For the record, with both 2.6.3. and 2.6.5 from gentoo with the gaming
> >options, iptables 1.2.9 and pom-ng play nice for most things.
> >
> >If something doesn't apply against plain jane kernel code, there is
> >likely a need to holler at the maintainer of the patch.
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-12 20:16 ` Unknown, Alistair Tonner
2004-04-18 15:53 ` Norman Zhang
@ 2004-04-19 4:34 ` Norman Zhang
2004-04-19 8:48 ` Alistair Tonner
1 sibling, 1 reply; 18+ messages in thread
From: Norman Zhang @ 2004-04-19 4:34 UTC (permalink / raw)
To: netfilter
>I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they work
>for me -- but I'm referring to a home lan and only one netmeeting session
>from the LAN -- we haven't tried multiple sessions from inside the lan ...
>either to the same netmeeting session or to different ones.
Sorry it is me again. I tried to compile pomng using
# KERNEL_DIR=/usr/src/linux ./runme pending
# KERNEL_DIR=/usr/src/linux ./runme base
# KERNEL_DIR=/usr/src/linux ./runme extend
but couldn't find h323-conntrack-nat patch being offered. I did see
owner-socketlookup mention something about H.323. May I ask how do I
apply h323-conntrack-nat patch to iptables and kernel-2.6.5 alone? I
can see the subfolder h323-conntrack-nat under pomng.
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-19 4:34 ` Norman Zhang
@ 2004-04-19 8:48 ` Alistair Tonner
2004-04-19 14:58 ` Norman Zhang
0 siblings, 1 reply; 18+ messages in thread
From: Alistair Tonner @ 2004-04-19 8:48 UTC (permalink / raw)
To: netfilter
On April 19, 2004 04:34 am, Norman Zhang wrote:
> >I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they
> > work for me -- but I'm referring to a home lan and only one netmeeting
> > session from the LAN -- we haven't tried multiple sessions from inside
> > the lan ... either to the same netmeeting session or to different ones.
>
> Sorry it is me again. I tried to compile pomng using
>
> # KERNEL_DIR=/usr/src/linux ./runme pending
> # KERNEL_DIR=/usr/src/linux ./runme base
> # KERNEL_DIR=/usr/src/linux ./runme extend
>
> but couldn't find h323-conntrack-nat patch being offered. I did see
> owner-socketlookup mention something about H.323. May I ask how do I
> apply h323-conntrack-nat patch to iptables and kernel-2.6.5 alone? I
> can see the subfolder h323-conntrack-nat under pomng.
Okay -- I'm a twit --- I'd assumed since my loadup script was completed
without errors that things had worked all the way through ... looking again
it seems that the h323 stuff only applies against 2.4.x kernels -- Joseph K.
hasn't ported it -- likely because it's slightly hackish .. And Lord KNOWS why
netmeeting is working through my firewall ... other than the fact of a good
old ESTABLISHED RELATED rule ... I do know that it only works outbound, if
someone wants to call into the LAN they have to call on a specific port and I
have that port forwarded to the destination host.
As such, this is Yet Another Thing I might look at.
Alistair Tonner
>
> Regards,
> Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
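[Added example, not part of the original thread.] The setup described in the message above (outbound calls allowed by an ESTABLISHED,RELATED rule, inbound calls reaching one LAN host through a port forward) can be written as an iptables-restore ruleset. The interface names, the LAN address and the use of TCP 1720 (the standard H.323 call-signalling port) are assumptions; the thread does not say which port was forwarded.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a NAT firewall that
# lets LAN hosts place calls and forwards inbound call signalling to one host.
# Assumed values (constructed): eth0 = WAN, eth1 = LAN, 192.168.1.10 = LAN host.

# Accept only dotted quads with octets 0..255, so the value cannot carry
# extra iptables arguments into the generated ruleset.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Interface names: letters, digits, dot, underscore, dash only.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# h323_ruleset WAN_IF LAN_IF LAN_HOST
# Prints the ruleset on stdout; returns 1 on invalid input.
h323_ruleset() {
    wan_if=$1; lan_if=$2; lan_host=$3
    valid_ifname "$wan_if" && valid_ifname "$lan_if" || {
        echo "bad interface name" >&2; return 1; }
    valid_ipv4 "$lan_host" || { echo "bad LAN host address" >&2; return 1; }
    # RELATED only covers the dynamically negotiated media channels when an
    # H.323 conntrack helper (ip_conntrack_h323 / ip_nat_h323 in the thread)
    # is loaded. Without it, only the explicitly forwarded port gets in.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan_if -p tcp --dport 1720 -j DNAT --to-destination $lan_host:1720
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -m state --state NEW -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $lan_host --dport 1720 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the constructed values.
h323_ruleset eth0 eth1 192.168.1.10
```

The output is meant to be reviewed and then loaded with iptables-restore; the default-drop INPUT policy here admits no inbound services to the firewall itself.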
* Re: Iptables and Kernel
2004-04-19 8:48 ` Alistair Tonner
@ 2004-04-19 14:58 ` Norman Zhang
2004-04-19 15:11 ` Geffrey Velasquez
2004-04-21 15:56 ` Norman Zhang
0 siblings, 2 replies; 18+ messages in thread
From: Norman Zhang @ 2004-04-19 14:58 UTC (permalink / raw)
To: netfilter
>>>I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they
>>>work for me -- but I'm referring to a home lan and only one netmeeting
>>>session from the LAN -- we haven't tried multiple sessions from inside
>>>the lan ... either to the same netmeeting session or to different ones.
>>
>>Sorry it is me again. I tried to compile pomng using
>>
>># KERNEL_DIR=/usr/src/linux ./runme pending
>># KERNEL_DIR=/usr/src/linux ./runme base
>># KERNEL_DIR=/usr/src/linux ./runme extend
>>
>>but couldn't find h323-conntrack-nat patch being offered. I did see
>>owner-socketlookup mention something about H.323. May I ask how do I
>>apply h323-conntrack-nat patch to iptables and kernel-2.6.5 alone? I
>>can see the subfolder h323-conntrack-nat under pomng.
>
> Okay -- I'm a twit --- I'd assumed since my loadup script was completed
> without errors that things had worked all the way through ... looking again
> it seems that the h323 stuff only applies against 2.4.x kernels -- Joseph K.
> hasn't ported it -- likely because it's slightly hackish .. And Lord KNOWS why
> netmeeting is working through my firewall ... other than the fact of a good
> old ESTABLISHED RELATED rule ... I do know that it only works outbound, if
> someone wants to call into the LAN they have to call on a specific port and I
> have that port forwarded to the destination host.
I'm now using kernel 2.4.26. Now when I run
# KERNEL_DIR=/usr/src/linux ./runme extra
I do see h323-conntrack-nat patch. When I do a 'make xconfig' for the
kernel source, under Networking/Netfilter... I can't find the H.323
option. But other options like ECN, ..., etc. are available. Is this
correct?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-19 14:58 ` Norman Zhang
@ 2004-04-19 15:11 ` Geffrey Velasquez
2004-04-21 15:56 ` Norman Zhang
1 sibling, 0 replies; 18+ messages in thread
From: Geffrey Velasquez @ 2004-04-19 15:11 UTC (permalink / raw)
To: Norman Zhang; +Cc: netfilter
Norman Zhang wrote:
>>>> I'm running 2.6.3. with iptables 1.2.9 and p-o-m-ng h323 patch -- they
>>>> work for me -- but I'm referring to a home lan and only one netmeeting
>>>> session from the LAN -- we haven't tried multiple sessions from
>>>> inside
>>>> the lan ... either to the same netmeeting session or to different
>>>> ones.
>>>
>>>
>>> Sorry it is me again. I tried to compile pomng using
>>>
>>> # KERNEL_DIR=/usr/src/linux ./runme pending
>>> # KERNEL_DIR=/usr/src/linux ./runme base
>>> # KERNEL_DIR=/usr/src/linux ./runme extend
>>>
>>> but couldn't find h323-conntrack-nat patch being offered. I did see
>>> owner-socketlookup mention something about H.323. May I ask how do I
>>> apply h323-conntrack-nat patch to iptables and kernel-2.6.5 alone? I
>>> can see the subfolder h323-conntrack-nat under pomng.
>>
>>
>> Okay -- I'm a twit --- I'd assumed since my loadup script was
>> completed without errors that things had worked all the way through
>> ... looking again it seems that the h323 stuff only applies against
>> 2.4.x kernels -- Joseph K.
>> hasn't ported it -- likely because it's slightly hackish .. And Lord
>> KNOWS why
>> netmeeting is working through my firewall ... other than the fact of
>> a good old ESTABLISHED RELATED rule ... I do know that it only works
>> outbound, if someone wants to call into the LAN they have to call on
>> a specific port and I have that port forwarded to the destination host.
>
>
> I'm now using kernel 2.4.26. Now when I run
>
> # KERNEL_DIR=/usr/src/linux ./runme extra
>
> I do see h323-conntrack-nat patch. When I do a 'make xconfig' for the
> kernel source, under Networking/Netfilter... I can't find the H.323
> option. But other options like ECN, ..., etc. are available. Is this
> correct?
>
> Regards,
> Norman
>
>
>
I have the same problem, but with 2.4.25
Regards,
Geffrey
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: Iptables and Kernel
2004-04-19 14:58 ` Norman Zhang
2004-04-19 15:11 ` Geffrey Velasquez
@ 2004-04-21 15:56 ` Norman Zhang
1 sibling, 0 replies; 18+ messages in thread
From: Norman Zhang @ 2004-04-21 15:56 UTC (permalink / raw)
To: netfilter
>>> Sorry it is me again. I tried to compile pomng using
>>>
>>> # KERNEL_DIR=/usr/src/linux ./runme pending
>>> # KERNEL_DIR=/usr/src/linux ./runme base
>>> # KERNEL_DIR=/usr/src/linux ./runme extend
>>>
>>> but couldn't find h323-conntrack-nat patch being offered. I did see
>>> owner-socketlookup mention something about H.323. May I ask how do I
>>> apply h323-conntrack-nat patch to iptables and kernel-2.6.5 alone? I
>>> can see the subfolder h323-conntrack-nat under pomng.
>>
>> Okay -- I'm a twit --- I'd assumed since my loadup script was
>> completed without errors that things had worked all the way through
>> ... looking again it seems that the h323 stuff only applies against
>> 2.4.x kernels -- Joseph K. hasn't ported it -- likely because it's
>> slightly hackish .. And Lord KNOWS why netmeeting is working through
>> my firewall ... other than the fact of a good old ESTABLISHED RELATED
>> rule ... I do know that it only works outbound, if someone wants to
>> call into the LAN they have to call on a specific port and I have that
>> port forwarded to the destination host.
>
> I'm now using kernel 2.4.26. Now when I run
>
> # KERNEL_DIR=/usr/src/linux ./runme extra
>
> I do see h323-conntrack-nat patch. When I do a 'make xconfig' for the
> kernel source, under Networking/Netfilter... I can't find the H.323
> option. But other options like ECN, ..., etc. are available. Is this
> correct?
I found the cause, for some apparent reason, the option is added to the
configurable option under Networking/Netfilter. But the patch is applied
to net/ipv4/netfilter/. So I went in and added the entry myself to make it
configurable under Config.in. I hope I did it right, now I'm just trying
to figure why kernel stalls when it boots.
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread
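[Added example, not part of the original thread.] One way to answer the question "where should I check to see if h323 modules are included?" and to spot the state described in the last message (patch applied under net/ipv4/netfilter/ but no configurable option) is to inspect the kernel tree directly. The source file names are assumed to follow the module names given in the thread (ip_conntrack_h323, ip_nat_h323); the CONFIG_EXAMPLE_* symbols in the demo tree are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify how far H.323 helper support got into a kernel tree.
# Assumptions: helper sources are ip_conntrack_h323.c / ip_nat_h323.c; the
# menu file is Config.in on 2.4 trees and Kconfig on 2.6 trees.

# h323_tree_state KERNEL_DIR
# Prints one of:
#   absent        no helper source under net/ipv4/netfilter/
#   source-only   source present, but the Makefile or menu file never names it
#   configurable  source, build rule and menu entry are all present
#   enabled       configurable, and .config sets an H323 option to y or m
h323_tree_state() {
    nf_dir="$1/net/ipv4/netfilter"
    if [ ! -d "$nf_dir" ]; then echo "absent"; return 0; fi

    have_src=no
    for f in ip_conntrack_h323.c ip_nat_h323.c; do
        if [ -f "$nf_dir/$f" ]; then have_src=yes; fi
    done
    if [ "$have_src" = no ]; then echo "absent"; return 0; fi

    # Build rule: without it the .c file is never compiled.
    if ! grep -qi 'h323' "$nf_dir/Makefile" 2>/dev/null; then
        echo "source-only"; return 0
    fi

    # Menu entry: without it the option never shows up in the config
    # front ends and cannot be selected.
    have_menu=no
    for m in Config.in Kconfig; do
        if grep -qi 'h323' "$nf_dir/$m" 2>/dev/null; then have_menu=yes; fi
    done
    if [ "$have_menu" = no ]; then echo "source-only"; return 0; fi

    if grep -Eqi '^CONFIG_[A-Z0-9_]*H323[A-Z0-9_]*=[ym]' "$1/.config" 2>/dev/null
    then
        echo "enabled"
    else
        echo "configurable"
    fi
}

# Constructed sample tree: patched source and build rule, no menu entry.
demo_patched_but_hidden() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/net/ipv4/netfilter"
    : > "$t/net/ipv4/netfilter/ip_conntrack_h323.c"
    printf '%s\n' 'obj-$(CONFIG_EXAMPLE_H323) += ip_conntrack_h323.o' \
        > "$t/net/ipv4/netfilter/Makefile"
    printf '%s\n' "dep_tristate '  FTP protocol support' CONFIG_EXAMPLE_FTP" \
        > "$t/net/ipv4/netfilter/Config.in"
    h323_tree_state "$t"
    rm -rf "$t"
}

demo_patched_but_hidden
```

Against a real tree the call is `h323_tree_state /usr/src/linux`; a result of source-only means the helper can never be built, so it is worth checking before trusting RELATED rules to cover H.323 media.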
* Iptables and Kernel
@ 2004-04-12 5:17 Norman Zhang
0 siblings, 0 replies; 18+ messages in thread
From: Norman Zhang @ 2004-04-12 5:17 UTC (permalink / raw)
To: netfilter
Hi,
Is iptables still needed for kernel 2.6.x? I see a lot of iptables
patches go into the kernel, but not many updates on the
www.netfilter.org. The logo on netfilter says firewalling, NAT and
packet mangling for Linux 2.4. So I guess much of the code goes directly
into the kernel? Also does kernel 2.6.3 support Netmeeting and MSN
Instant Messenger, or do I need the following plug-in,
http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/?
Regards,
Norman
^ permalink raw reply [flat|nested] 18+ messages in thread