On 25 May 2002, Scott Waye wrote:

> This is my first post to this group so please bear with me.
> I have installed a 2.4.18 kernel with the latest (as of 24/5/02)
> iptables (1.2.7).  NetMeeting from an internal W2K NATed machine to
> another internal NATed machine across the internet appears to work ok
> (audio and video).    Both networks are running Linux 2.4.18 as the
> firewall.

The data conferencing (application sharing, whiteboard, etc) in netmeeting
requires T.120 (TCP port 1503).

> But the whiteboard and other features only work if we open all ports on
> at least one machine.  I also note that ethereal shows this:
>
>
> No    Time    Source  Destination     Protocol        Info
> 29    7.4564  choco   192.168.0.2     TCP             2313->1503 [SYN] ....
>
> Where choco is my machine, and 192.168.0.2 is the other machine's
> internal ip address.  This SYN packet will presumably never arrive;
> indeed there is no ACK packet following.

This is strange for me: do you SNAT 192.168.2.7 to 192.168.0.2?

> My relevant rules are:
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1720 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1503 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 389 -j ACCEPT
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 522 -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1720 -j DNAT --to 192.168.2.7
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1503 -j DNAT --to 192.168.2.7
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 389 -j DNAT --to 192.168.2.7
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 522 -j DNAT --to 192.168.2.7
>
> where 192.168.2.7 is my internal ip.
>
> 2 questions
>
> What other ports need to be open to enable whiteboard, or is it so
> dynamic they all need to be open?

Your rules seem to be all right in the sense that according to them,
H.323 and whiteboard can be requested from outside.

> How has my machine got hold of the internal ip address of the remote
> machine?

You have to connect to the NATed address and not to the real one.

Regards,
Jozsef
-
E-mail  : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
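An added example, not part of the thread above: a small audit script that parses the posted iptables rules, checks that every port DNATed in PREROUTING is also accepted by the FORWARD chain (and vice versa), and flags a required service such as T.120 when no rule lets it in. The service names for tcp/389 and tcp/522 and the helper names are my own; the rule text is the one quoted in the thread with the mail wrapping undone.

```python
import ipaddress
import re

# Constructed input: the rule set quoted in the thread, mail-wrapped lines rejoined.
RULES = """
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1720 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1503 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 389 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 522 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1720 -j DNAT --to 192.168.2.7
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1503 -j DNAT --to 192.168.2.7
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 389 -j DNAT --to 192.168.2.7
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 522 -j DNAT --to 192.168.2.7
"""
# Services the thread wants reachable from outside (names are mine, ports from the rules).
NETMEETING = {("tcp", 1720): "H.323 call setup", ("tcp", 1503): "T.120 data conferencing",
              ("tcp", 389): "ILS directory (LDAP)", ("tcp", 522): "ULS directory"}
DNAT_RE = re.compile(r"-t nat -A PREROUTING .*-p (\w+) --dport (\d+) -j DNAT --to (\S+)")
FWD_RE = re.compile(r"-A FORWARD -i \$EXTIF -o \$INTIF .*-p (\w+) --dport (\d+) -j ACCEPT")

def parse_rules(text):
    """Return ({(proto, port): dnat_target}, {(proto, port) accepted inbound by FORWARD})."""
    dnat, fwd = {}, set()
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            dnat[(m.group(1), int(m.group(2)))] = m.group(3)
        m = FWD_RE.search(line)
        if m:
            fwd.add((m.group(1), int(m.group(2))))
    return dnat, fwd

def audit(text, required):
    """List ports where PREROUTING DNAT and FORWARD ACCEPT disagree or a required service is missing."""
    dnat, fwd = parse_rules(text)
    findings = []
    for key in sorted(set(required) | set(dnat) | set(fwd)):
        label = f"{required.get(key, 'unlisted service')} ({key[0]}/{key[1]})"
        if key in dnat and key not in fwd:
            findings.append(f"{label}: DNATed to {dnat[key]} but FORWARD never accepts it")
        elif key in fwd and key not in dnat:
            findings.append(f"{label}: FORWARD accepts it but nothing is DNATed (unused opening)")
        elif key not in dnat:
            findings.append(f"{label}: not reachable from outside (no DNAT, no FORWARD)")
    return findings

def peer_address_reachable(addr):
    """A SYN to a peer's private address (the 192.168.0.2 in the trace) cannot cross the Internet."""
    return not ipaddress.ip_address(addr).is_private
```

With the posted rules the audit comes back empty, which matches the reply: the firewall lets H.323 and T.120 in, so the remaining problem is the private destination address in the trace, not a missing port.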