* H.323 Masquerading
@ 2002-10-11 15:29 Christian H. Kuhn
2002-10-15 9:02 ` Alasdair Ramsay
0 siblings, 1 reply; 5+ messages in thread
From: Christian H. Kuhn @ 2002-10-11 15:29 UTC (permalink / raw)
To: Netfilter Mailing List
Hi,
Problem: small network, Debian sarge router, kernel 2.4.19 from
kernel.org (not the Debian version), iptables. Two clients, one Debian
sid or Win98SE, the other Win2k. NetMeeting on both Win clients.
On http://www.gnomemeeting.org/faq.php I found a link to
http://roeder.goe.net/~koepi/newnat.html. I downloaded the patch and
followed the instructions: vanilla kernel 2.4.19 unpacked to
/usr/src/linux (not really, but symlink set), iptables 1.2.7a
downloaded and unpacked, kernel patched, in KERNEL_DIR make
menuconfig, in iptables/ make KERNEL_DIR=/usr/src/linux BINDIR=/sbin
LIBDIR=/lib MANDIR=/usr/share/man, make install with same parameters,
in KERNEL_DIR make dep clean bzImage modules modules_install. No
errors, router is running after reboot.
Modules loaded:
ns:~# lsmod
Module Size Used by Not tainted
ip_nat_h323 3068 0 (unused)
ip_conntrack_h323 2976 1 [ip_nat_h323]
ipt_MASQUERADE 1688 1 (autoclean)
ipt_LOG 3160 1 (autoclean)
ipt_state 600 1 (autoclean)
iptable_filter 1672 1 (autoclean)
ip_nat_ftp 3280 0 (unused)
iptable_nat 18840 3 [ip_nat_h323 ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_irc 3152 0 (unused)
ip_conntrack_ftp 3984 1 [ip_nat_ftp]
ip_conntrack 23744 5 [ip_nat_h323 ip_conntrack_h323 ipt_MASQUERADE ipt_state ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
ip_tables 12728 7 [ipt_MASQUERADE ipt_LOG ipt_state iptable_filter iptable_nat]
I connect with NetMeeting from one client to an ILS server. The entry
in the directory appears. I can call other people, but only chat is
possible, no sound or video. I cannot be called by other people. In
/var/log/syslog, I find:
Oct 11 17:12:40 ns kernel: ASSERT ip_conntrack_core.c:94 &ip_conntrack_lock_R71150de5 readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT: ip_nat_core.c:839 &ip_conntrack_lock not readlocked
repeated ad infinitum.
Masquerading is set up with:
FWVER=0.01
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
echo -en "ip_conntrack_h323, "
/sbin/insmod ip_conntrack_h323
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo -en "ip_nat_h323, "
/sbin/insmod ip_nat_h323
echo ". Done loading modules."
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
Any hints?
TIA,
Chris
--
http://www.qno.de
ICQ 57840861
* H.323 masquerading
@ 2002-10-11 16:12 Christian H. Kuhn
[not found] ` <20021013094041.17979.qmail@web40306.mail.yahoo.com>
0 siblings, 1 reply; 5+ messages in thread
From: Christian H. Kuhn @ 2002-10-11 16:12 UTC (permalink / raw)
To: Netfilter Mailing List
Hi,
Problem: small network, Debian sarge router, kernel 2.4.19, iptables. Two clients,
one Debian sid or Win98SE, the other Win2k. NetMeeting on both Win
clients.
On http://www.gnomemeeting.org/faq.php I found a link to
http://roeder.goe.net/~koepi/newnat.html. I downloaded the patch, the
kernel 2.4.19 from kernel.org and iptables-1.2.7a. I unpacked all,
patched and configured the kernel, compiled and installed iptables
(setting paths so that the Debian files are overwritten), compiled and
installed the kernel. After rebooting, everything seems to be fine.
Masquerading is set up as follows:
FWVER=0.01
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/sbin/iptables
EXTIF="ppp0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
echo -en "ip_conntrack_h323, "
/sbin/insmod ip_conntrack_h323
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo -en "ip_nat_h323, "
/sbin/insmod ip_nat_h323
echo ". Done loading modules."
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
http, ftp, icq, ... are working. When trying NetMeeting, I can log
onto an ILS server. When connecting to other people, I see in
/var/log/syslog:
Oct 11 17:12:40 ns kernel: ASSERT ip_conntrack_core.c:94 &ip_conntrack_lock_R71150de5 readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT: ip_nat_core.c:839 &ip_conntrack_lock not readlocked
repeated ad infinitum. I can connect and chat, but no
video/audio. Other people cannot call me.
Any hints?
Kind regards,
Chris
--
http://www.qno.de
ICQ 57840861
* Re: H.323 masquerading
[not found] ` <20021013094041.17979.qmail@web40306.mail.yahoo.com>
@ 2002-10-13 15:59 ` Christian H. Kuhn
0 siblings, 0 replies; 5+ messages in thread
From: Christian H. Kuhn @ 2002-10-13 15:59 UTC (permalink / raw)
To: Netfilter Mailing List
Hello Kevin,
& Kevin McConnell <kevymac@yahoo.com> [2002-10-13 16:02]:
> > http, ftp, icq, ... are working. When trying NetMeeting, I can log
> > onto an ILS server. When connecting to other people, I see in
> > /var/log/syslog:
> >
> > Oct 11 17:12:40 ns kernel: ASSERT ip_conntrack_core.c:94 &ip_conntrack_lock_R71150de5 readlocked
> > Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
> > Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
> > Oct 11 17:12:40 ns kernel: ASSERT: ip_nat_core.c:839 &ip_conntrack_lock not readlocked
> >
> > repeated ad infinitum. I can connect and chat, but no
> > video/audio. Other people cannot call me.
>
> I believe that the reason everything else is working and not the H.323
> stuff is because you need a separate patch. There is an experimental
> patch that allows you to do this in the patch-o-matic system located in
> patch-o-matic-20020825/extra/h323*
OK, I recompiled the kernel (unpacking in a new directory) with the
p-o-m, using pending and additionally extra/h323*. Audio/video is
enabled, but my ILS entry cannot be called.
Kind regards,
Chris
--
http://www.qno.de
ICQ 57840861
* Re: H.323 Masquerading
2002-10-11 15:29 H.323 Masquerading Christian H. Kuhn
@ 2002-10-15 9:02 ` Alasdair Ramsay
2002-10-16 8:01 ` Carles Xavier Munyoz Baldó
0 siblings, 1 reply; 5+ messages in thread
From: Alasdair Ramsay @ 2002-10-15 9:02 UTC (permalink / raw)
To: Christian H. Kuhn; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I used exactly the same patch with vanilla 2.4.19 but also patched with
freeswan, pax and LIDS (not active). Build worked first time, exhibiting
the classic symptoms of one-way audio until the (newnat16v2) helper
module was compiled in. Never got any errors apart from the occasional
out-of-order packets when tearing down connections.
One thing I notice is that you are using MASQUERADE, not SNAT. I was SNAT
and DNAT'ing this protocol. I was also not loading the modules; all of
the networking options are compiled statically.
HTH
Alasdair Ramsay
Christian H. Kuhn wrote:
<LOTS>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE9q9mw4+7BX0uR648RAopRAKCAMwz9XZNDhdqHxX9N0EU9udIplgCdEfK0
/iwKnLT4fBqsAw2to8W7iyE=
=bN6P
-----END PGP SIGNATURE-----
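Added example, not code from the thread or from any of its posters: a small shell script that puts the two points raised above side by side. It builds the router's NAT rule set either in the MASQUERADE form of Christian's rc.firewall (dynamic ppp0 address) or in the SNAT/DNAT form Alasdair says he used (static address), adds the inbound DNAT for H.323 call setup on TCP 1720 that a masquerading-only setup lacks, and provides two checks modelled on Christian's first mail: whether both H.323 helper modules appear in lsmod output, and how many conntrack-lock ASSERT lines a syslog excerpt contains. The internal NetMeeting host 192.168.1.10 and the external address 203.0.113.5 are constructed placeholders; the lsmod and syslog samples are constructed from the excerpts in the thread. Setting IPTABLES=echo turns the rule builder into a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): NAT rule builder for the router
# described above, in MASQUERADE form (dynamic ppp0 address, as in the
# original rc.firewall) or SNAT/DNAT form (static address, as Alasdair
# describes), plus two checks on lsmod and syslog text.
# Set IPTABLES=echo for a dry run. 192.168.1.10 (NetMeeting host) and
# 203.0.113.5 (external address) are constructed placeholders.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth1}

# nat_rules MODE NM_HOST [EXT_IP]
#   MODE     "dynamic" (MASQUERADE) or "static" (SNAT to EXT_IP)
#   NM_HOST  internal host that should receive inbound H.323 calls
nat_rules() {
    mode=$1; nm_host=$2; ext_ip=$3
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    # Replies and helper-created (RELATED) flows in, everything out, as in
    # the original script; the H.323 helper's expectations ride on RELATED.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    case $mode in
    dynamic) $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE ;;
    static)  [ -n "$ext_ip" ] || { echo "nat_rules: static mode needs EXT_IP" >&2; return 1; }
             $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$ext_ip" ;;
    *)       echo "nat_rules: unknown mode '$mode'" >&2; return 1 ;;
    esac
    # An unsolicited inbound call (H.225/Q.931 on TCP 1720) has no NAT
    # mapping to follow, so it is DNATed to the one host that should answer
    # and FORWARD accepts that NEW connection explicitly; the helper then
    # opens the negotiated H.245/RTP ports as RELATED.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 1720 -j DNAT --to-destination "$nm_host"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$nm_host" --dport 1720 -m state --state NEW -j ACCEPT
}

# h323_helpers_loaded < lsmod-output: succeed only if both helper modules
# are listed (lsmod prints the module name first on each line).
h323_helpers_loaded() {
    text=$(cat)
    for m in ip_conntrack_h323 ip_nat_h323; do
        printf '%s\n' "$text" | grep -q "^$m " || return 1
    done
}

# count_lock_asserts < syslog: number of conntrack-lock ASSERT lines, the
# signature reported in the thread for the misbehaving helper.
count_lock_asserts() {
    grep -c 'ASSERT.*ip_conntrack_lock' || true
}

# Constructed samples modelled on the lsmod and syslog excerpts in the thread.
SAMPLE_LSMOD='Module Size Used by Not tainted
ip_nat_h323 3068 0 (unused)
ip_conntrack_h323 2976 1 [ip_nat_h323]
iptable_nat 18840 3 [ip_nat_h323 ipt_MASQUERADE ip_nat_ftp]'
SAMPLE_SYSLOG='Oct 11 17:12:40 ns kernel: ASSERT ip_conntrack_core.c:94 &ip_conntrack_lock_R71150de5 readlocked
Oct 11 17:12:40 ns kernel: ASSERT ip_nat_core.c:739 &ip_conntrack_lock not readlocked
Oct 11 17:12:40 ns kernel: ASSERT: ip_nat_core.c:839 &ip_conntrack_lock not readlocked
Oct 11 17:12:41 ns pppd[211]: Connect: ppp0 <--> /dev/ttyS0'

# Stand-alone demo: dry-run both rule sets and run the checks on the samples.
demo() {
    IPTABLES=echo
    echo "# dynamic (MASQUERADE) rule set:"; nat_rules dynamic 192.168.1.10
    echo "# static (SNAT) rule set:";        nat_rules static 192.168.1.10 203.0.113.5
    printf '%s\n' "$SAMPLE_LSMOD" | h323_helpers_loaded \
        && echo "h323 helpers: loaded" || echo "h323 helpers: missing"
    echo "conntrack-lock asserts: $(printf '%s\n' "$SAMPLE_SYSLOG" | count_lock_asserts)"
}
case ${1:-} in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the two rule sets printed instead of applied. The FORWARD and POSTROUTING rules are the same shape as the original rc.firewall; the only additions are the SNAT alternative and the PREROUTING DNAT for port 1720, which is the piece that lets an outside party reach a NetMeeting client behind the router at all. The helper check reads lsmod text rather than calling lsmod, so it also works on a pasted excerpt like the one in the first mail.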
* Re: H.323 Masquerading
2002-10-15 9:02 ` Alasdair Ramsay
@ 2002-10-16 8:01 ` Carles Xavier Munyoz Baldó
0 siblings, 0 replies; 5+ messages in thread
From: Carles Xavier Munyoz Baldó @ 2002-10-16 8:01 UTC (permalink / raw)
To: Alasdair Ramsay, Christian H. Kuhn; +Cc: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 15 October 2002 11:02, Alasdair Ramsay wrote:
> I used exactly the same patch with vanilla 2.4.19 but also patched with
> freeswan, pax and LIDS (not active). Build worked first time, exhibiting
> the classic symptoms of one-way audio until the (newnat16v2) helper
> module was compiled in. Never got any errors apart from the occasional
> out-of-order packets when tearing down connections.
Hi,
Could you please tell me where I can find the (newnat16v2) helper module?
Is it in patch-o-matic?
How can I install it?
Greetings.
- ---
Carles Xavier Munyoz Baldó
carles@descom.es
Descom Consulting
Telf: +34 965861024
Fax: +34 965861024
http://www.descom.es/
- ---
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQA/AwUBPa0cxDvYAf7VZNaaEQJ5OACgy23v2yMpjyfXVUIM6Kff1Vi+sx4An2Z1
zc882zrHeO/Xj/vvnCF3B2Bn
=rvWy
-----END PGP SIGNATURE-----