Linux Netfilter discussions
From: "Christian H. Kuhn" <qno-netfilter@qno.de>
To: Netfilter Mailing List <netfilter@lists.samba.org>
Subject: H.323 masquerading
Date: Fri, 11 Oct 2002 18:12:34 +0200
Message-ID: <20021011161234.GR10468@qno.de>

Hi,

Problem: small network, Debian sarge router, kernel 2.4.19, iptables. Two clients,
one Debian sid or Win98SE, the other Win2k. NetMeeting on both Win
clients.

On http://www.gnomemeeting.org/faq.php I found a link to
http://roeder.goe.net/~koepi/newnat.html. I downloaded the patch, the
kernel 2.4.19 from kernel.org and iptables-1.2.7a. I unpacked all,
patched and configured the kernel, compiled and installed iptables
(setting paths so that the Debian files are overwritten), compiled and
installed the kernel. After rebooting, everything seems to be fine.

Masquerading is set up as follows:

FWVER=0.01
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
echo -en "ip_conntrack_h323, "
/sbin/insmod ip_conntrack_h323
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo -en "ip_nat_h323, "
/sbin/insmod ip_nat_h323
echo ".  Done loading modules."
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

http, ftp, icq, ... are working. When trying NetMeeting, I can log
onto an ILS server. When connecting to other people, I see in
/var/log/syslog:

Oct 11 17:12:40 ns kernel: ASSERT ip_conntrack_core.c:94 &ip_conntrack_lock_R71150de5 readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT: ip_nat_core.c:839 &ip_conntrack_lock not readlocked

repeated ad infinitum. I can connect and chat, but no
video/audio. Other people cannot call me.

Any hints?

Kind regards,
Chris
-- 
http://www.qno.de
ICQ 57840861
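
Added example, not part of the original message: the module list in the script above loads ip_conntrack_irc without ip_nat_irc, and a check like this one reports any conntrack helper that is loaded without its NAT counterpart. The sample /proc/modules text is constructed, and the ip_conntrack_X / ip_nat_X pairing is assumed from the module names the script uses.

```shell
#!/bin/sh
# Added example: find conntrack helpers that have no matching NAT helper.
# On a masquerading router the conntrack helper only tracks the expected
# secondary connection; the ip_nat_* module rewrites the address carried
# in the payload, so the two are normally loaded as a pair.

# Constructed sample in /proc/modules format (name size usecount ...),
# listing the modules the posted rc.firewall loads. Sizes are made up.
sample_modules() {
cat <<'EOF'
ip_nat_h323 2304 0 (unused)
ip_nat_ftp 2944 0 (unused)
iptable_nat 15160 2 [ip_nat_h323 ip_nat_ftp]
ip_conntrack_h323 2368 1
ip_conntrack_irc 3104 0 (unused)
ip_conntrack_ftp 3840 1
ip_conntrack 17920 4 [ip_nat_h323 ip_nat_ftp iptable_nat ip_conntrack_h323 ip_conntrack_irc ip_conntrack_ftp]
ip_tables 10936 3 [iptable_nat]
EOF
}

# stdin:  /proc/modules-style text
# stdout: one protocol name per line for each ip_conntrack_<proto>
#         that has no ip_nat_<proto> loaded alongside it
unpaired_helpers() {
    awk '
        $1 ~ /^ip_conntrack_/ { p = $1; sub(/^ip_conntrack_/, "", p); ct[p] = 1; next }
        $1 ~ /^ip_nat_/       { p = $1; sub(/^ip_nat_/, "", p);       nat[p] = 1 }
        END { for (p in ct) if (!(p in nat)) print p }
    ' | sort
}

# Demo on the constructed sample. On a live router run:
#   unpaired_helpers < /proc/modules
for p in $(sample_modules | unpaired_helpers); do
    echo "ip_conntrack_$p is loaded without ip_nat_$p"
done
```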

