RE: More H.323 questions

RE: More H.323 questions

[George Vieira]

You need:

insmod ip_conntrack_h323
insmod ip_nat_h323

or something like that... I have it and it works..

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

-----Original Message-----
From: Mark Goldberg [mailto:goldber@globalcrossing.net]
Sent: Tuesday, September 02, 2003 3:37 PM
To: netfilter@lists.netfilter.org
Subject: More H.323 questions

Re: More H.323 questions

[Ramin Dousti]

On Thu, Sep 04, 2003 at 08:44:29AM +1000, George Vieira wrote:

> You need:
> 
> insmod ip_conntrack_h323
> insmod ip_nat_h323
> 
> or something like that... I have it and it works..

If you have it and it works then we expect to not hear "or something like that"
but a more specific answer...

Ramin

> 
> Thanks,

Re: More H.323 questions

[DALive Editor]

Where can I download

ip_conntrack_h323
ip_nat_h323

and how do I install them? 

Thank you.


Ramin Dousti wrote:

>On Thu, Sep 04, 2003 at 08:44:29AM +1000, George Vieira wrote:
>
>  
>
>>You need:
>>
>>insmod ip_conntrack_h323
>>insmod ip_nat_h323
>>
>>or something like that... I have it and it works..
>>    
>>
>
>If you have it and it works then we expect to not hear "or something like that"
>but a more specific answer...
>
>Ramin
>
>  
>
>>Thanks,
>>    
>>
>
>
>  
>

RE: More H.323 questions

[George Vieira]

Ramin, chill out. It was off the top of my head and I remembered there were 2 modules that needed loading.
The user only needs to check his docs for this and confirm he has 2 modules loaded if they were compiled as modules.

I've answered this exactly the same way once before and even then a user replied to me personally and said "I only had one loaded" whether or not the spelling of the module name was correct or not.. the point was more that there needs to be 2 modules for it to work..

Hence, I've connected home to my H323 machine just to confirm my finding and I was right...

        /sbin/insmod ip_conntrack_h323 >/dev/null 2>&1
        /sbin/insmod ip_nat_h323 >/dev/null 2>&1

And for the archives, I've added my rules.. Now lets see how many vague questions we're going to get asking the exact same problem/request to get working...

       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 389    -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 522    -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1503   -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1720   -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1731   -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 8080   -j DNAT --to 192.168.1.1        # H323
       $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1469   -j DNAT --to 192.168.1.1        # H323audio?

-----Original Message-----
From: Ramin Dousti [mailto:ramin@cannon.eng.us.uu.net]
Sent: Thursday, September 04, 2003 11:13 AM
To: George Vieira
Cc: Mark Goldberg; netfilter@lists.netfilter.org
Subject: Re: More H.323 questions


On Thu, Sep 04, 2003 at 08:44:29AM +1000, George Vieira wrote:

> You need:
> 
> insmod ip_conntrack_h323
> insmod ip_nat_h323
> 
> or something like that... I have it and it works..

If you have it and it works then we expect to not hear "or something like that"
but a more specific answer...

Ramin

> 
> Thanks,

Re: More H.323 questions

[Ramin Dousti]

Way to go, George. If someone could FAQ this...

On Thu, Sep 04, 2003 at 11:50:55AM +1000, George Vieira wrote:

> Ramin, chill out. It was off the top of my head and I remembered there were 2 modules that needed loading.
> The user only needs to check his docs for this and confirm he has 2 modules loaded if they were compiled as modules.
> 
> I've answered this exactly the same way once before and even then a user replied to me personally and said "I only had one loaded" whether or not the spelling of the module name was correct or not.. the point was more that there needs to be 2 modules for it to work..
> 
> Hence, I've connected home to my H323 machine just to confirm my finding and I was right...
> 
>         /sbin/insmod ip_conntrack_h323 >/dev/null 2>&1
>         /sbin/insmod ip_nat_h323 >/dev/null 2>&1
> 
> And for the archives, I've added my rules.. Now lets see how many vague questions we're going to get asking the exact same problem/request to get working...
> 
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 389    -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 522    -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1503   -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1720   -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1731   -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 8080   -j DNAT --to 192.168.1.1        # H323
>        $IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1469   -j DNAT --to 192.168.1.1        # H323audio?

More H.323 questions

[Mark Goldberg]

I've built kernel 2.4.22 with the h.323 extensions from pom. Iptables is 1.2.8. I installed teh new kernel and included the following rules:

Basically, I want to only establish h.323 with a specific ip after I initiate it from an internal machine on the network normally using NAT.

/usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1503 -i eth0 -j LOG --log-level 6 --log-prefix "1503 in "  >>/var/log/netfiltersetup.log 2>&1
/usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1720 -i eth0 -j LOG --log-level 6 --log-prefix "1720 in "  >>/var/log/netfiltersetup.log 2>&1
/usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -i eth0 -j LOG --log-level 6 --log-prefix "Anything else in "  >>/var/log/netfiltersetup.log 2>&1

/usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1503 -i eth0 -j DNAT --to $DEST  >>/var/log/netfiltersetup.log 2>&1
/usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1720 -i eth0 -j DNAT --to $DEST  >>/var/log/netfiltersetup.log 2>&1

There are no errors in netfiltersetup.log.

Iptables -L -v -n does not show the rules, but iptables-save does show them.

Nothing is logged and it does not seem to work. Before the rules were added, incoming to 1503 and 1720 triggered another rule that logged them.

Ethereal does not show any packets coming in that match the above. It did before the rules were added.

If anyone has a suggestion or can explain why listing the rules does not show any PREROUTING or POSTROUTING rules, please let me know.

I'm basically at a loss as to what to do next. Troubleshooting tips are welcome. Thanks.



Mark Goldberg
goldber@globalcrossing.net

Re: More H.323 questions

[Beppe]

Hi Mark,

Mark Goldberg wrote:

> I've built kernel 2.4.22 with the h.323 extensions from pom. Iptables is 1.2.8. I installed teh new kernel and included the following rules:
> 
> Basically, I want to only establish h.323 with a specific ip after I initiate it from an internal machine on the network normally using NAT.
> 
> /usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1503 -i eth0 -j LOG --log-level 6 --log-prefix "1503 in "  >>/var/log/netfiltersetup.log 2>&1
> /usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1720 -i eth0 -j LOG --log-level 6 --log-prefix "1720 in "  >>/var/log/netfiltersetup.log 2>&1
> /usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -i eth0 -j LOG --log-level 6 --log-prefix "Anything else in "  >>/var/log/netfiltersetup.log 2>&1
> 
> /usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1503 -i eth0 -j DNAT --to $DEST  >>/var/log/netfiltersetup.log 2>&1
> /usr/local/sbin/iptables -t nat -A PREROUTING -s $SRC -p tcp -m state --state RELATED --dport 1720 -i eth0 -j DNAT --to $DEST  >>/var/log/netfiltersetup.log 2>&1
> 

Check if your h.323 module is loaded, do lsmod (if its a module) if not 
modprobe it.

I don't realy know but, shouldn't the state be ESTABLISHD and RELATED?

> There are no errors in netfiltersetup.log.

There ar no errors :)

> 
> Iptables -L -v -n does not show the rules, but iptables-save does show them.

The default table is filter you have just appended in the nat table

try
iptables -L PREROUTING -t nat -v -n

> 
> Nothing is logged and it does not seem to work. Before the rules were added, incoming to 1503 and 1720 triggered another rule that logged them.
> Ethereal does not show any packets coming in that match the above. It did before the rules were added.
> 
> If anyone has a suggestion or can explain why listing the rules does not show any PREROUTING or POSTROUTING rules, please let me know.
> 
> I'm basically at a loss as to what to do next. Troubleshooting tips are welcome. Thanks.
> 
> 
> 
> Mark Goldberg
> goldber@globalcrossing.net
> 
> 

Take care,
::Beppe