Netmeeting or H.323 with NAT (SuSEfirewall2)
I have searched the past year of this list and am surprised that I don't find any messages on this subject. I know it came up a few years ago and finally someone in Italy had come up with a module that would let Netmeeting work through the SuSE firewall, but that was for a 2.2 kernel and there hasn't been anything (that I know of) since then. I tried Netmeeting with SuSE 9.0 and SuSEfirewall2 and it is the same old story: connection is made but incoming audio/video is blocked. Is there a current solution for this problem?

Damon Register
* Damon Register;
> I tried Netmeeting with SuSE 9.0 and SuSEfirewall2 and it is the same old story: connection is made but incoming audio/video is blocked. Is there a current solution for this problem?
Determining what ports are blocked can help (sorry, I do not use Netmeeting).

For Gnomemeeting the following should work:

FW_ALLOW_INCOMING_HIGHPORTS_TCP="1720"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="5000:5003"

For MSN Messenger:

For voice communication, enable UDP packets where either the source or the destination port is 6901.

FW_ALLOW_INCOMING_HIGHPORTS_UDP="6901"

For file transfers:

FW_ALLOW_INCOMING_HIGHPORTS_TCP="6891:6900"

However, your best bet could be using a proxy like http://www.cryogenic.net/nmproxy.html

P.S. Please drop me a private mail on which one works, along with the necessary setting in the SuSEfirewall2 config file, so I can update the firewall guide.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
> Determining what ports are blocked can help ( sorry I do not use Netmeeting)

I tried to do that but I didn't see anything blocked in the /var/log/messages file.
> For Gnomemeeting the following should work
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="1720"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="5000:5003"

Tried, but that alone doesn't help.
> However your best bet could be using a proxy like http://www.cryogenic.net/nmproxy.html

I got it, built and installed it but am a little confused on the firewall config part. Can the SuSEfirewall2 file be edited to accomplish this or would I have to tamper with the actual iptables configuration? If I have to tamper with the iptables config, where is that? I only know how to configure through the SuSEfirewall2 file.
> ps. please drop me a private mail which works along with the necessary setting in the SuSEfirewall2 config file so I can update the firewall

OK. I haven't gotten that far yet but I am trying.
Damon Register
* Damon Register;
>> http://www.cryogenic.net/nmproxy.html
>
> I got it, built and installed it but am a little confused on the firewall config part. Can the SuSEfirewall2 file be edited to accomplish this or would I have to tamper with the actual iptables configuration? If I have to tamper with the iptables config, where is that? I only know how to configure through the SuSEfirewall2 file.
You should be able to use it via SuSEfirewall2.

[1] iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
[2] iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
[3] iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT

will translate into

[1] FW_REDIRECT=192.168.0.0/24,0/0.1720.1720
[2] FW_ALLOW_INCOMING_HIGHPORTS_TCP="10200:10209"
[3] FW_ALLOW_INCOMING_HIGHPORTS_UDP="10200:10259"

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
> You should be able to use it via SuSEfirewall2

cool
> [1] iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
> [2] iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
> [3] iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT
> Will translate into
> [1] FW_REDIRECT=192.168.0.0/24,0/0.1720.1720

I am assuming that you were just doing this from memory and slightly missed the syntax. According to the SuSEfirewall2 comments for this it should be source,dest,protocol,sourceport,destport so I wrote

FW_REDIRECT="192.168.0.0/24,0/0,tcp,1720,1720"
Are you sure it is this and not

FW_REDIRECT="0/0,192.168.0.0/24,tcp,1720,1720"

I got that far but it still doesn't work. I did the tests in the nmproxy help section "The proxy does not seem to work properly, or at all" and telnet localhost 1720 works but telnet firewall 1720 didn't work at first. I added 1720 to FW_ALLOW_INCOMING_HIGHPORTS_TCP and then it worked. Telnet some external address 1720 gets "connection refused". The help says

If you get a "Connection refused" error, or it just times out, then the REDIRECT rule for port 1720 is either wrong, or is being interfered with by some other rule that precedes it.

I tried both

FW_REDIRECT="192.168.0.0/24,0/0,tcp,1720,1720" and
FW_REDIRECT="0/0,192.168.0.0/24,tcp,1720,1720"

but neither worked. Any suggestions?

Damon Register
* Damon Register;
> Togan Muftuoglu wrote:
> I am assuming that you were just doing this from memory and slightly missed the syntax. According to the SuSEfirewall2 comments for this it
:-(
> should be source,dest,protocol,sourceport,destport so I wrote
> FW_REDIRECT="192.168.0.0/24,0/0,tcp,1720,1720"
>
> Are you sure it is this and not
> FW_REDIRECT="0/0,192.168.0.0/24,tcp,1720,1720"
Yes, as the first one reads: packets coming from a source of 192.168.0.0/24, with destination 0/0, with protocol TCP, original port is 1720, redirected to 1720.
> If you get a "Connection refused" error, or it just times out, then the REDIRECT rule for port 1720 is either wrong, or is being interfered with by some other rule that precedes it.
>
> I tried both
> FW_REDIRECT="192.168.0.0/24,0/0,tcp,1720,1720" and
> FW_REDIRECT="0/0,192.168.0.0/24,tcp,1720,1720"
OK, I'll install it and see the problem, so you need to wait a little bit. Drop me a private mail so we can test it among each other.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
* Damon Register;
> but neither worked. Any suggestions?
OK, try with the following settings (make sure you adjust your local LAN settings):

FW_SERVICES_EXT_TCP="1720"
FW_SERVICES_INT_TCP=" 1720 10200:10209"
FW_SERVICES_INT_UDP="10200:10259"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="10200:10209"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="10200:10259"
FW_REDIRECT=" 192.168.1.0/29,!192.168.1.0/29,tcp,1720,1720"

I can connect to the proxy via localhost and via a machine in the LAN; however, I cannot test it any further as I need a Netmeeting partner (I have the VMware running Netmeeting). So I cannot tune any further.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
> Ok try with the following settings (make sure you adjust your local lan settings
> FW_SERVICES_EXT_TCP="1720"
> FW_SERVICES_INT_TCP=" 1720 10200:10209"
> FW_SERVICES_INT_UDP="10200:10259"

It didn't work but I got it to work with
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="10200:10209"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="10200:10259"

I don't understand what this does. I found that it works with or without
FW_SERVICES_EXT_TCP="1720 10200:10209"
FW_SERVICES_EXT_UDP="10200:10259"
FW_SERVICES_INT_TCP="1720 10200:10209"
FW_SERVICES_INT_UDP="10200:10259"

this. It seems to not do anything
> FW_REDIRECT=" 192.168.1.0/29,!192.168.1.0/29,tcp,1720,1720"

That didn't work but this did, at least for me

FW_REDIRECT="192.168.0.0/24,!192.168.0.0/24,tcp,1720,1720"
Finally it is working with the above tampering. It even works on incoming calls. Thanks a bunch for your help.

Damon Register
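Added example, not part of the thread and not SuSEfirewall2's own code: a POSIX shell check for FW_REDIRECT entries in the five-field form discussed above (source,destination,protocol,port,redirect-port), printing the iptables REDIRECT rule each entry is assumed to correspond to. The function names and the exact rule layout (`-A PREROUTING`, `-s`/`-d` matches, `--to-ports`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check FW_REDIRECT entries of the form
#   source,destination,protocol,port,redirect-port
# and print the iptables REDIRECT rule each is assumed to correspond to.

# fw_net FLAG NET: print "FLAG NET", moving a leading "!" in front of FLAG
fw_net() {
    case $2 in
        '!'*) printf '! %s %s' "$1" "${2#\!}" ;;
        *)    printf '%s %s' "$1" "$2" ;;
    esac
}

# fw_port PORT: succeed only for a single port number in 1..65535
fw_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fw_redirect_rule ENTRY: print the rule, or return 1 if ENTRY is malformed
fw_redirect_rule() {
    set -f; old_ifs=$IFS; IFS=,      # split on commas, no globbing
    set -- $1
    IFS=$old_ifs; set +f
    if [ $# -ne 5 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "malformed: need source,dest,protocol,port,redirect-port" >&2
        return 1
    fi
    case $3 in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    if ! fw_port "$4" || ! fw_port "$5"; then
        echo "bad port: $4 -> $5" >&2
        return 1
    fi
    printf 'iptables -t nat -A PREROUTING -p %s %s %s --dport %s -j REDIRECT --to-ports %s\n' \
        "$3" "$(fw_net -s "$1")" "$(fw_net -d "$2")" "$4" "$5"
}

# Entries quoted in the thread: the mistyped one, then the one that worked.
for entry in '192.168.0.0/24,0/0.1720.1720' \
             '192.168.0.0/24,!192.168.0.0/24,tcp,1720,1720'; do
    fw_redirect_rule "$entry" || echo "rejected: $entry"
done
```

The printed rule for the working entry makes its scope visible: only TCP port 1720 traffic from the LAN to destinations outside the LAN is redirected to the local proxy.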
* Damon Register;
> Finally it is working with the above tampering. It even works on incoming calls. Thanks a bunch for your help.
Glad to hear that it worked. Just to make it complete, can you post the relevant changes you have made to the nmproxy.conf?

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
> Glad to hear that it worked.

I too
> Just to make it complete can you post the relevant changes you have made to the nmproxy.conf

I only changed these two items
# The user to run as. The proxy switches to this user before it accepts
# any connections, as a security measure.
#
user=guest

# Default forwarding. The example here forward all connection
# attempts from external address to 4.5.6.7. Note that if the
# configuration also contains forward lines, then those are
# considered first.
#
default_forward=192.168.0.195

Damon Register
* Damon Register;
> # The user to run as. The proxy switches to this user before it accepts
> # any connections, as a security measure.
> #
> user=guest
toganm@earth:~/hangar> grep guest /etc/passwd
toganm@earth:~/hangar>

So have you created the user? Also, the install script mentions creating the /va/nmproxy/dev directory; however, it does not create the dev directory.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
> toganm@earth:~/hangar> grep guest /etc/passwd
> toganm@earth:~/hangar>

I don't understand these two lines
> So have you created the user ?

Yes, that was just an existing user on my system
> Also the install script mentions creating the /va/nmproxy/dev directory however it does not create the dev directory

I remember seeing an error message during the install but I didn't copy it and I couldn't be sure if it was related to that or not.
Damon Register
* Damon Register;
> Togan Muftuoglu wrote:
>> toganm@earth:~/hangar> grep guest /etc/passwd
>> toganm@earth:~/hangar>
>
> I don't understand these two lines
I was just checking if the "guest" user was created by default
>> So have you created the user ?
>
> Yes, that was just an existing user on my system
OK
>> Also the install script mentions creating the /va/nmproxy/dev directory however it does not create the dev directory
>
> I remember seeing an error message during the install but I didn't copy it and I couldn't be sure if it was related to that or not.
Thanks for all the information, now I can add this to the SuSEFW2 manual.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
participants (2)
- Damon Register
- Togan Muftuoglu