Re: [suse-security] SuSEfirewall 2.1 and NetMeeting 3.01
Hi Torsten,

tnx for the reply but I'm still having no success :(

ns1:/ # /usr/sbin/ipmasqadm portfw -l
prot localaddr     rediraddr         lport         rport         pcnt pref
TCP  ns1.storm.ie  viking2.storm.ie  ldap          ldap             7   10
TCP  ns1.storm.ie  viking2.storm.ie  ulp           ulp              7   10
TCP  ns1.storm.ie  viking2.storm.ie  msiccp        msiccp          10   10
TCP  ns1.storm.ie  viking2.storm.ie  imtc-mcs      imtc-mcs         7   10
TCP  ns1.storm.ie  viking2.storm.ie  h323hostcall  h323hostcall    10   10

I have tried connecting to ns1.storm.ie from outside using NetMeeting 3.01 but it immediately returns 'The other party did not accept your call'. I have also tried this with SuSEfirewall down - made no difference.

Any ideas what I might be doing wrong?

MR

Torsten Mueller <torsten@archesoft.de>
06/29/2001 10:53 PM
To: michael.ryan@storm.ie
cc: suse-security@suse.com
Subject: Re: [suse-security] SuSEfirewall 2.1 and NetMeeting 3.01

Hey Michael,

i use an isdn dialup line to connect to the internet. I changed the /etc/ip-up script and added the portforwarding for netmeeting (and icq). This is the netmeeting part:

#netmeeting calls from outside
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L $LOCALIP 1720 -R 192.168.100.5 1720
/usr/sbin/ipmasqadm portfw -a -P tcp -L $LOCALIP 1503 -R 192.168.100.5 1503
echo "setze portforwarding fuer netmeeting eingehende anrufe"

The problem with this config is that you can only use 1 host in the intranet to receive the netmeeting calls from outside the lan. Another solution would be to use a gatekeeper, but i haven't tested this.

Hope this helps.

Greetings
Torsten

michael.ryan@storm.ie wrote:
Ok, I have added the ip_masq_h323.o module and re-started masquerading to load the module. SuSEfirewall is still in place as before. I can now use NetMeeting 3.01 on a PC to connect to a hosted meeting outside the firewall.
My question now is how do I allow external NetMeeting clients connect to a NetMeeting host on our internal/private network. Any help much appreciated :)
MR
Hey,
i use a setup with a netmeeting kernel module and portforwarding.
Look at the masquerading howto, there's the link to the module.
Greetings Torsten
michael.ryan@storm.ie wrote:
Trying to allow external sources connect to a machine on our private network which is acting as a NetMeeting host. Gateway is a SuSE 6.4 box, ip masquerading up and running SuSE firewall 2.1
Anyone done this before? any advice on how this can be done securely?
tnx in advance,
MR
Hey,

for the records i also put my output to yours:
between, i must say, i don't use SuSEfirewall ;-)

gate:~ # ipmasqadm portfw -l -n
prot localaddr      rediraddr      lport  rport  pcnt  pref
TCP  62.226.69.251  192.168.100.5    443    443    10    10
TCP  62.226.69.251  192.168.100.5   2020   2020    10    10
TCP  62.226.69.251  192.168.100.5   2019   2019    10    10
TCP  62.226.69.251  192.168.100.5   2018   2018    10    10
TCP  62.226.69.251  192.168.100.5   2017   2017    10    10
TCP  62.226.69.251  192.168.100.5   2016   2016    10    10
TCP  62.226.69.251  192.168.100.5   2015   2015    10    10
TCP  62.226.69.251  192.168.100.5   2014   2014    10    10
TCP  62.226.69.251  192.168.100.5   2013   2013    10    10
TCP  62.226.69.251  192.168.100.5   2012   2012    10    10
TCP  62.226.69.251  192.168.100.5   2011   2011    10    10
TCP  62.226.69.251  192.168.100.5   2010   2010    10    10
TCP  62.226.69.251  192.168.100.5   2009   2009    10    10
TCP  62.226.69.251  192.168.100.5   2008   2008    10    10
TCP  62.226.69.251  192.168.100.5   2007   2007    10    10
TCP  62.226.69.251  192.168.100.5   2006   2006    10    10
TCP  62.226.69.251  192.168.100.5   2005   2005    10    10
TCP  62.226.69.251  192.168.100.5   2004   2004    10    10
TCP  62.226.69.251  192.168.100.5   2003   2003    10    10
TCP  62.226.69.251  192.168.100.5   2002   2002    10    10
TCP  62.226.69.251  192.168.100.5   2001   2001    10    10
TCP  62.226.69.251  192.168.100.5   2000   2000    10    10
TCP  62.226.69.251  192.168.100.5   1720   1720    10    10
TCP  62.226.69.251  192.168.100.5     80     80    10    10
TCP  62.226.69.251  192.168.100.5  10000  10000    10    10

port 10000 for webmin, 443 ssl, 80 http, 2000-2020 icq, 1720 netmeeting

gate:~ # lsmod
Module               Size  Used by
ip_masq_icq         13752   0  (unused)
ip_masq_portfw       2560  25  (autoclean)
ip_masq_h323         7096   0
ip_masq_vdolive      1432   0  (unused)
ip_masq_cuseeme      1144   0  (unused)
ip_masq_irc          2040   0
ip_masq_raudio       3032   0  (unused)
ip_masq_ftp          2552   0
eepro100            16508   1  (autoclean)
hisax              136872   7
isdn               109380   8  [hisax]
serial              19924   0  (autoclean)

gate:~ # ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target  prot  opt     source            destination  ports
MASQ    all   ------  192.168.100.0/24  anywhere     n/a
Chain output (policy ACCEPT):

cat /proc/net/ip_masq/app
prot  port  n_attach  name
UDP   4000  0         icq
UDP   7648  0         cuseeme
TCP   21    0         ftp
TCP   7070  0         RealAudio
TCP   554   0         RealAudio
TCP   6667  0         irc
TCP   1720  0         h225
TCP   7000  0         VDOlive
TCP   1801  0         h245

not a really complex ipchains setup, but the gate pc is only my dialinmachine. 192.168.100.5 is another linux server, which holds the main services and makes again portforwarding and masquerading.

michael.ryan@storm.ie wrote:
Hi Torsten,
tnx for the reply but I'm still having no success :(
ns1:/ # /usr/sbin/ipmasqadm portfw -l
prot localaddr     rediraddr         lport         rport         pcnt pref
TCP  ns1.storm.ie  viking2.storm.ie  ldap          ldap             7   10
TCP  ns1.storm.ie  viking2.storm.ie  ulp           ulp              7   10
TCP  ns1.storm.ie  viking2.storm.ie  msiccp        msiccp          10   10
TCP  ns1.storm.ie  viking2.storm.ie  imtc-mcs      imtc-mcs         7   10
TCP  ns1.storm.ie  viking2.storm.ie  h323hostcall  h323hostcall    10   10
I have tried connecting to ns1.storm.ie from outside using NetMeeting 3.01 but it immediately returns 'The other party did not accept your call'. I have also tried this with SuSEfirewall down - made no difference.
Any ideas what I might be doing wrong?
maybe you forgot to load the netmeeting module? what says tcpdump, if you make the call? do you get messages from the kernel?

Greetings
Torsten
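Added example, not part of the original posts: a shell check over the two listings shown above, confirming that TCP 1720 is forwarded and that an H.323 helper is registered on it, and listing every forward that is not on an allowlist. It assumes numeric output (ipmasqadm portfw -l -n); the function names, the trimmed sample data and the allowlist are constructed for illustration.

```sh
#!/bin/sh
# Added example: audits the two listings shown in the thread.
# Sample data is constructed, trimmed from the output quoted in the posts.
PORTFW_SAMPLE='prot localaddr rediraddr lport rport pcnt pref
TCP 62.226.69.251 192.168.100.5 443 443 10 10
TCP 62.226.69.251 192.168.100.5 1720 1720 10 10
TCP 62.226.69.251 192.168.100.5 10000 10000 10 10'
APP_SAMPLE='prot port n_attach name
TCP 21 0 ftp
TCP 1720 0 h225
TCP 1801 0 h245'

# Print "PROTO/LPORT" for each rule of `ipmasqadm portfw -l -n` read on stdin.
forwarded_ports() {
    awk 'NR > 1 && NF >= 5 { print $1 "/" $4 }'
}

# Succeed if the /proc/net/ip_masq/app listing on stdin has a helper on PROTO PORT.
helper_on_port() {
    awk -v proto="$1" -v port="$2" \
        'NR > 1 && $1 == proto && $2 == port { found = 1 } END { exit !found }'
}

# h323_check PORTFW APP: are both pieces for inbound NetMeeting calls in place?
h323_check() {
    if ! printf '%s\n' "$1" | forwarded_ports | grep -qx 'TCP/1720'; then
        echo "no-forward"   # nothing hands the call setup on 1720 to the LAN host
    elif ! printf '%s\n' "$2" | helper_on_port TCP 1720; then
        echo "no-helper"    # ip_masq_h323 is not registered on port 1720
    else
        echo "ok"
    fi
}

# unexpected_forwards PORTFW ALLOWED...: forwards not on the allowlist, one per line.
unexpected_forwards() {
    rules=$1; shift
    printf '%s\n' "$rules" | forwarded_ports | while read -r fwd; do
        case " $* " in *" $fwd "*) ;; *) echo "$fwd" ;; esac
    done
}

h323_check "$PORTFW_SAMPLE" "$APP_SAMPLE"
unexpected_forwards "$PORTFW_SAMPLE" TCP/1720 TCP/443
```

On a live gateway, pass "$(ipmasqadm portfw -l -n)" and "$(cat /proc/net/ip_masq/app)" in place of the sample variables.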
* Torsten Mueller wrote on Mon, Jul 02, 2001 at 16:18 +0200:
TCP 62.226.69.251 192.168.100.5 1720 1720 10 10
port [...] 1720 netmeeting
netmeeting uses just a single, constant port? Isn't that audio thing done via some extra connection or similar?

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
Hey,

i think (but i don't know it really), that only one port is open for "first contact". The other ports are handled by the netmeeting module after the initial contact on port 1720. I only can say, that it works for me. If you want to test it, icq me at 121839936

But only my 2 cents.

Greetings
Torsten

Steffen Dettmer wrote:
* Torsten Mueller wrote on Mon, Jul 02, 2001 at 16:18 +0200:
TCP 62.226.69.251 192.168.100.5 1720 1720 10 10
port [...] 1720 netmeeting
netmeeting uses just a single, constant port? Isn't that audio thing done via some extra connection or similar?
oki,
Steffen
participants (3)
- michael.ryan@storm.ie
- Steffen Dettmer
- Torsten Mueller