Actually the problem is a bit more random: sometimes there is no audio from the remote end, sometimes no audio getting through from my end. Also the whiteboard and other features do work about 50% of the time.

On Mon, 2002-05-27 at 08:44, Jozsef Kadlecsik wrote:
> On 25 May 2002, Scott Waye wrote:
>
> > This is my first post to this group so please bear with me.
> > I have installed a 2.4.18 kernel with the latest (as of 24/5/02)
> > iptables (1.2.7). NetMeeting from an internal W2K NATed machine to
> > another internal NATed machine across the internet appears to work ok
> > (audio and video). Both networks are running Linux 2.4.18 as the
> > firewall.
>
> The data conferencing (application sharing, whiteboard, etc) in netmeeting
> requires T.120 (TCP port 1503).
>
> > But the whiteboard and other features only work if we open all ports on
> > at least one machine. I also note that ethereal shows this:
> >
> > No Time Source Destination Protocol Info
> > 29 7.4564 choco 192.168.0.2 TCP 2313->1503 [SYN] ....
> >
> > Where choco is my machine, and 192.168.0.2 is the other machine's
> > internal ip address. This SYN packet will presumably never arrive,
> > indeed there is no ACK packet following.
>
> This is strange for me: do you SNAT 192.168.2.7 to 192.168.0.2?

My firewall has no SNAT rules, just the MASQUERADE on the external i/f. However the other firewall does not have a MASQUERADE rule, but has a SNAT rule to SNAT any internal ip address (including 192.168.0.2) to the external i/f. Do both machines have to use the MASQUERADE rule to make use of the H323 modules?

> > My relevant rules are:
> >
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1720 -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 1503 -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 389 -j ACCEPT
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 522 -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> >
> > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1720 -j DNAT --to 192.168.2.7
> > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 1503 -j DNAT --to 192.168.2.7
> > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 389 -j DNAT --to 192.168.2.7
> > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 522 -j DNAT --to 192.168.2.7
> >
> > where 192.168.2.7 is my internal ip.
> >
> > 2 questions
> >
> > What other ports need to be open to enable whiteboard, or is it so
> > dynamic they all need to be open?
>
> Your rules seem to be all right in the sense that according to them,
> H.323 and whiteboard can be requested from outside.
>
> > How has my machine got hold of the internal ip address of the remote
> > machine?
>
> You have to connect to the NATed address and not to the real one.

I connect to the other machine's external i/f address on the firewall.

> Regards,
> Jozsef
> -
> E-mail : [EMAIL PROTECTED], [EMAIL PROTECTED]
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
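The ethereal line quoted in the thread (a T.120 SYN sent to the peer's private 192.168.0.2 that is never answered) is the observable sign that the remote side's internal address, not its NATed one, was used. The script below is an added example, not code from the thread or from the netfilter project; it picks such SYNs out of a capture summary in the same column format. It assumes a constructed sample capture, that "choco" is 192.168.2.7, that the local LAN is 192.168.2.0/24, and that 203.0.113.20 stands in for the remote firewall's external address.

```python
import ipaddress
import re

# Constructed sample in the "No Time Source Destination Protocol Info" summary
# format quoted above; "choco" is written as its assumed address 192.168.2.7
# and 203.0.113.20 stands in for the remote firewall's external address.
SAMPLE_CAPTURE = """\
No Time Source Destination Protocol Info
28 7.4401 192.168.2.7 203.0.113.20 TCP 2312->1720 [SYN] Seq=0
29 7.4564 192.168.2.7 192.168.0.2 TCP 2313->1503 [SYN] Seq=0
30 7.4610 203.0.113.20 192.168.2.7 TCP 1720->2312 [SYN, ACK] Seq=0 Ack=1
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private networks legitimately reachable from here (assumed: our own LAN).
LOCAL_NETS = [ipaddress.ip_network("192.168.2.0/24")]
# Ports named in the thread, for a readable verdict.
PORT_NAMES = {1720: "H.225 call setup", 1503: "T.120 data conferencing"}

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<sport>\d+)->(?P<dport>\d+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_row(line):
    """Parse one summary row; None for the header or anything unparsable."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_leaked_private_syns(capture, local_nets=LOCAL_NETS):
    """Return (frame, dst, dport, name) for pure SYNs sent to an RFC 1918
    address outside our own LAN. Such a SYN (the T.120 one to 192.168.0.2)
    means the peer's private address carried in the H.323 signalling was
    used instead of its NATed address; it is unroutable across the internet,
    which is the "SYN with no ACK" symptom seen in ethereal."""
    findings = []
    for line in capture.splitlines():
        row = parse_row(line)
        if not row or row["proto"] != "TCP" or row["flags"].strip() != "SYN":
            continue
        try:
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:  # unresolved hostnames such as "choco" are skipped
            continue
        if any(dst in n for n in RFC1918) and not any(dst in n for n in local_nets):
            dport = int(row["dport"])
            findings.append((int(row["no"]), str(dst), dport,
                             PORT_NAMES.get(dport, "unknown")))
    return findings
```

Running it on the constructed sample flags only frame 29; a clean trace, where the helper rewrote the embedded address, returns an empty list.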
