* netmeeting ?
From: Corin Langosch @ 2002-06-16 17:54 UTC (permalink / raw)
To: IP-Tables Maillingliste
Hi all,
I'm behind an iptables firewall and want to be able to accept incoming netmeeting
calls. To make things simple I added the following rules:
$IPTABLES -t nat -A PREROUTING -p tcp --dport ! 80 -j DNAT --source 217.229.94.141 --to 192.168.1.3
$IPTABLES -t nat -A PREROUTING -p udp --dport ! 80 -j DNAT --source 217.229.94.141 --to 192.168.1.3
$IPTABLES -A FORWARD -p tcp -d 192.168.1.3 --dport ! 80 -j ACCEPT
$IPTABLES -A FORWARD -p udp -d 192.168.1.3 --dport ! 80 -j ACCEPT
Unluckily, no incoming calls are detected and the other party gets an error.
Other programs like my local FTP server etc. work fine, this means the
rules are correct.
Can anyone help me please?
thanks,
Corin
* Re: netmeeting ?
From: Antony Stone @ 2002-06-16 18:07 UTC (permalink / raw)
To: IP-Tables Maillingliste
On Sunday 16 June 2002 6:54 pm, Corin Langosch wrote:
> Hi all,
>
> I'm behind an iptables firewall and want to be able to accept incoming
> netmeeting calls. To make things simple I added the following rules:
[snip]
> Unluckily, no incoming calls are detected and the other party gets an
> error. Other programs like my local FTP server etc. work fine, this means
> the rules are correct.
It means the rules are correct for ftp, yes, but that's not necessarily true
for every other protocol you might want to put through your firewall...
Netmeeting is one of those protocols which buries IP addresses & port numbers
inside the messages, therefore it needs a helper on the firewall to NAT it
properly.
You should look at the h323 patch in a *very* recent version of netfilter
(1.2.6a or 1.2.7 from CVS), and also look back through some of the recent
messages on this mailing list, because there have been a number of posts from
people trying to get it working / failing to get it working / reporting
success in getting it working.....
Sorry I can't offer you any direct advice, but I don't use netmeeting - I've
just seen all the posts on the mailing list from other people who've done the
same thing you want to.
Antony.
* Re[2]: netmeeting ?
From: Corin Langosch @ 2002-06-16 18:20 UTC (permalink / raw)
To: IP-Tables Maillingliste
Hi !
Thanks for the fast reply... I'm going to look for these messages.
But I don't really understand the problem. Even if netmeeting uses
different ports, it must work I assume, when I forward the traffic
of *all* ports from the caller's IP to my PC behind the firewall.
(This is what my rules do: forward all traffic from a specified IP
except data on port 80.)
Or does netmeeting use other protocols than TCP or UDP which I
also have to forward?
thanks,
Corin
Check it out => http://www.find-mich.net
Sunday, June 16, 2002, 8:07:12 PM, you wrote:
AS> On Sunday 16 June 2002 6:54 pm, Corin Langosch wrote:
>> Hi all,
>>
>> I'm behind an iptables firewall and want to be able to accept incoming
>> netmeeting calls. To make things simple I added the following rules:
AS> [snip]
>> Unluckily, no incoming calls are detected and the other party gets an
>> error. Other programs like my local FTP server etc. work fine, this means
>> the rules are correct.
AS> It means the rules are correct for ftp, yes, but that's not necessarily true
AS> for every other protocol you might want to put through your firewall...
AS> Netmeeting is one of those protocols which buries IP addresses & port numbers
AS> inside the messages, therefore it needs a helper on the firewall to NAT it
AS> properly.
AS> You should look at the h323 patch in a *very* recent version of netfilter
AS> (1.2.6a or 1.2.7 from CVS), and also look back through some of the recent
AS> messages on this mailing list, because there have been a number of posts from
AS> people trying to get it working / failing to get it working / reporting
AS> success in getting it working.....
AS> Sorry I can't offer you any direct advice, but I don't use netmeeting - I've
AS> just seen all the posts on the mailing list from other people who've done the
AS> same thing you want to.
AS> Antony.
* Re: Re[2]: netmeeting ?
From: Antony Stone @ 2002-06-16 18:49 UTC (permalink / raw)
To: IP-Tables Maillingliste
On Sunday 16 June 2002 7:20 pm, Corin Langosch wrote:
> Hi !
>
> Thanks for the fast reply... I'm going to look for these messages.
> But I don't really understand the problem. Even if netmeeting uses
> different ports, it must work I assume, when I forward the traffic
> of *all* ports from the caller's IP to my PC behind the firewall.
If that is all you were doing, then you are correct, netmeeting would 'just
work'.
However, you are also doing Address Translation, and that makes things a
whole lot more complicated.....
> Or does netmeeting use other protocols than TCP or UDP which I
> also have to forward?
No, as far as I know netmeeting is purely TCP based, but imagine the
following:
MachineA on real IP 192.168.1.2 contacts MachineB on routable IP 11.22.33.44
via a NATting firewall. Unknown to A, MachineB is also behind a NATting
firewall, and its real address is 192.168.99.4
Part of the message which A sends to B says "My IP address is 192.168.1.2,
and I've opened up TCP port 12345 for you to talk to me. Please send your
next packets to that IP/port and we can set up a communication."
Now if the firewall doesn't have a helper for this protocol which understands
the format of a message such as this, and can change the addresses
accordingly, it will simply go to MachineB as it is, and MachineB will do as
it's told - try to contact 192.168.1.2 port 12345, which is unroutable;
therefore the communication fails.
I don't know the details of netmeeting or h323, but the above gives you an
idea of why some protocols are more complicated to send through a NATting
firewall than others.
Antony.
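The failure Antony walks through above, and the helper he pointed to in his earlier reply, as a small simulation added here (illustrative Python, not netfilter's conntrack/NAT code). MachineA's 192.168.1.2 and port 12345 come from Antony's example; the firewall's public address 203.0.113.10, the "CALLBACK ip:port" message format and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed addresses for the scenario in Antony's message.
INSIDE_A = "192.168.1.2"       # MachineA's real (private) address, from the post
NAT_PUBLIC = "203.0.113.10"    # hypothetical public side of A's firewall
INSIDE_PORT = 12345            # port A advertises, from the post

# Toy signalling payload: the caller advertises an address/port *inside* the
# message body, which is what plain NAT never looks at.
ADDR_RE = re.compile(r"CALLBACK (?P<ip>[\d.]+):(?P<port>\d+)")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(ip: str) -> bool:
    """False for RFC 1918 space, which MachineB cannot reach across the Internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


@dataclass
class Nat:
    """Minimal NAT box; with helper_enabled it behaves like an ALG/conntrack helper."""
    public_ip: str
    helper_enabled: bool
    # Expectations the helper installs: public port -> (inside ip, inside port)
    expectations: dict = field(default_factory=dict)
    next_public_port: int = 40000

    def outbound(self, src_ip: str, payload: str) -> str:
        """Pass A's message outward. Plain NAT only rewrites the IP header (not
        modelled here); the helper additionally rewrites the embedded endpoint
        and records an expectation so the return connection can be mapped back."""
        if not self.helper_enabled:
            return payload
        m = ADDR_RE.search(payload)
        if not m or m.group("ip") != src_ip:
            return payload
        public_port = self.next_public_port
        self.next_public_port += 1
        self.expectations[public_port] = (m.group("ip"), int(m.group("port")))
        return ADDR_RE.sub(f"CALLBACK {self.public_ip}:{public_port}", payload, count=1)

    def inbound(self, dst_ip: str, dst_port: int):
        """Inside endpoint an inbound connection is DNATed to, or None if no
        expectation matches (a stateful firewall drops unexpected traffic)."""
        if dst_ip == self.public_ip and dst_port in self.expectations:
            return self.expectations.pop(dst_port)
        return None


def machine_b_callback(nat: Nat, payload: str) -> dict:
    """MachineB does as it is told: connects to whatever endpoint the payload names."""
    m = ADDR_RE.search(payload)
    ip, port = m.group("ip"), int(m.group("port"))
    if not is_routable(ip):
        return {"ok": False, "reason": f"{ip} is not routable from B"}
    target = nat.inbound(ip, port)
    if target is None:
        return {"ok": False, "reason": f"no mapping for {ip}:{port}"}
    return {"ok": True, "reached": target}


def run_call(helper_enabled: bool) -> dict:
    """Run one A -> B setup and B's callback through the NAT; return the outcome."""
    nat = Nat(public_ip=NAT_PUBLIC, helper_enabled=helper_enabled)
    msg = f"SETUP from A; CALLBACK {INSIDE_A}:{INSIDE_PORT}"
    on_the_wire = nat.outbound(INSIDE_A, msg)
    result = machine_b_callback(nat, on_the_wire)
    result["wire"] = on_the_wire
    return result


if __name__ == "__main__":
    print("without helper:", run_call(False))
    print("with helper:   ", run_call(True))
```

Without the helper the payload crosses the firewall untouched, so B tries 192.168.1.2:12345 and fails exactly as described; note that Corin's "DNAT every port from the caller" rules never come into play, because B never sends anything to the firewall's public address at all. With the helper the advertised endpoint is rewritten to the public address and a mapping is installed for the one expected return connection, which is also why such helpers should be enabled only for the protocols actually in use: each one is a packet parser sitting on the firewall that opens pinholes on the strength of payload contents.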
* Re: Re[2]: netmeeting ?
From: Tony Earnshaw @ 2002-06-16 19:34 UTC (permalink / raw)
To: Corin Langosch; +Cc: IP-Tables Maillingliste
Sun, 2002-06-16 at 20:20, Corin Langosch wrote:
> Or does netmeeting use other protocols than TCP or UDP which I
> also have to forward?
Yes, h323. Do please take what Antony said seriously.
Look at www.microsoft.com/netmeeting;
Consult "support" there. This is a known problem with all NAT providers,
not only iptables, but IPFilter (IPF used by old BSD and SCO Open Server
5.5 and above) and others (new BSD: PF). You are *not* the only person
in the world wanting this to work :-)
An awful lot has been done trying to make Netmeeting work for the
Netfilter people who want it, and it is only just beginning to work for
them!
Do consult the netfilter@lists.samba.org archive.
Best,
Tony
--
Tony Earnshaw
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981