Hi all,

I have seen many posts on the Shorewall lists dealing with H323. Although lots of them indicated that this is a difficult process with kernel recompilation etc., I just tried what seemed to be logical for me. Surprisingly it worked.

Configuration:

WS1 ----- FW ------ Internet ------- WS2/Shorewall

WS1, FW and WS2 run Redhat9 with its standard kernel 2.4.20. FW and WS2 run Shorewall and here are the rules:

rules on FW:
-------------------------------------------------------------
# H323
DNAT net loc:192.168.3.11 tcp 1720
DNAT net loc:192.168.3.11 tcp 30000:30010
-------------------------------------------------------------

rules on WS2
-------------------------------------------------------------
# H323
ACCEPT net fw tcp 1720
ACCEPT net fw tcp 30000:30010
-------------------------------------------------------------

WS1 and WS2 both run Gnomemeeting and we can talk with each other fine. There is no patch and no gatekeeper involved.

Hope this is useful for someone else and pls. let me know, if you have any concerns regarding security.

Regards, Ingo.
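Added example, not part of the original thread: a short Python check over the rules posted above that counts how many TCP ports they open to every host in the `net` zone and rewrites them so that only one known peer can reach them. The peer address 203.0.113.7 is a constructed placeholder, and the parser assumes numeric ports in the first five rule columns.

```python
from dataclasses import dataclass

# Rules copied from the message above (FW forwards, WS2 accepts).
FW_RULES = """\
# H323
DNAT net loc:192.168.3.11 tcp 1720
DNAT net loc:192.168.3.11 tcp 30000:30010
"""
WS2_RULES = """\
# H323
ACCEPT net fw tcp 1720
ACCEPT net fw tcp 30000:30010
"""

@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    ports: str

    def port_count(self):
        # Port lists are comma separated; a range is written low:high.
        total = 0
        for item in self.ports.split(","):
            low, _, high = item.partition(":")
            total += int(high or low) - int(low) + 1
        return total

    def open_to_whole_zone(self):
        # A bare zone name in SOURCE (no ":address") matches every host in it.
        return ":" not in self.source

def parse(text):
    # Drop comments, keep lines that carry ACTION SOURCE DEST PROTO PORTS.
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [Rule(*f[:5]) for f in rows if len(f) >= 5]

def audit(text):
    """Summarise what the rules expose to any host in the source zone."""
    rules = parse(text)
    exposed = sum(r.port_count() for r in rules if r.open_to_whole_zone())
    return {"rules": len(rules), "exposed_ports": exposed,
            "protocols": sorted({r.proto for r in rules})}

def restrict(text, peer):
    """Return the rules with SOURCE narrowed from the zone to zone:peer."""
    return [f"{r.action} {r.source}:{peer} {r.dest} {r.proto} {r.ports}"
            for r in parse(text) if r.open_to_whole_zone()]

if __name__ == "__main__":
    print(audit(FW_RULES))
    print("\n".join(restrict(FW_RULES, "203.0.113.7")))  # constructed peer
```

Narrowing SOURCE this way only helps when the remote party calls from a fixed address; the audit also shows that the posted rules cover TCP only.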
Joshua Banks
2004-Sep-05 19:29 UTC
Re: [mailinglists] Solution: H323, Gnomemeeting, Netmeeting
Ingo Lantschner wrote:
> Hi all,
> I have seen many posts on the Shorewall lists dealing with H323.
> Although lots of them indicated that this is a difficult process with
> kernel recompilation etc., I just tried what seemed to be logical for
> me. Surprisingly it worked.
>
> Configuration:
>
> WS1 ----- FW ------ Internet ------- WS2/Shorewall
>
> WS1, FW and WS2 run Redhat9 with its standard kernel 2.4.20. FW and
> WS2 run Shorewall and here are the rules:
>
> rules on FW:
> -------------------------------------------------------------
> # H323
> DNAT net loc:192.168.3.11 tcp 1720
> DNAT net loc:192.168.3.11 tcp 30000:30010
> -------------------------------------------------------------
>
> rules on WS2
> -------------------------------------------------------------
> # H323
> ACCEPT net fw tcp 1720
> ACCEPT net fw tcp 30000:30010
> -------------------------------------------------------------
>
> WS1 and WS2 both run Gnomemeeting and we can talk with each other
> fine. There is no patch and no gatekeeper involved.
>
> Hope this is useful for someone else and pls. let me know, if you
> have any concerns regarding security.

Thanks for the howto. Please clarify the following:

Is the WS1 machine being Natted by a firewall or does WS1 have the public ip statically assigned to it?

Can WS2 initiate the GnomeMeeting session and still get Audio and Video to work?

I've never tried GnomeMeeting but I would like to give it a shot soon. My problem is everyone wants to use MS Netmeeting which is hell through a firewall and doesn't like to be natted for reasons too long to explain. I've had to use Netmeeting servers statically natted or going through branch to branch vpn tunnels. And even then it seems to be a nightmare..

Thanks,
Joshua Banks
On Sun, 05 Sep 2004 20:13:04 +0200 "Ingo Lantschner" <ingo.lists@vum.at> wrote:
> Hi all,
> I have seen many posts on the Shorewall lists dealing with H323.
> Although lots of them indicated that this is a difficult process with
> kernel recompilation etc., I just tried what seemed to be logical for
> me. Surprisingly it worked.

If I understand it right, this setup works for sound, but what about video? IMHO this is the real issue with DNAT'ing.

Joel
Ingo Lantschner
2004-Sep-06 20:20 UTC
Re: [mailinglists] Solution: H323, Gnomemeeting, Netmeeting
On Sun, 5 Sep 2004 12:29:20 -0700, Joshua Banks <syn_ack@comcast.net> wrote:
> Thanks for the howto. Please clarify the following:
> Is the WS1 machine being Natted by a firewall or does WS1 have the
> public ip statically assigned to it?

WS2 is NATed (in fact PAT) by the firewall.

> Can WS2 initiate the GnomeMeeting session and still get Audio and Video
> to work?

WS2 can initiate the call and has Audio - Video not tested yet.

Regards, Ingo.
On Sun, 5 Sep 2004 21:45:24 +0200, Joel HATSCH <home@joel-hatsch.net> wrote:
> If I understand it right, this setup works for sound, but what about
> video? IMHO this is the real issue with DNAT'ing.

Yes you are right, it works for sound. Video not tested yet - did not know, that this is the bigger problem ...

Regards, Ingo.
Joshua Banks
2004-Sep-11 20:12 UTC
Re: [mailinglists] Re: Solution: H323, Gnomemeeting, Netmeeting
Ingo Lantschner wrote:
> On Sun, 5 Sep 2004 21:45:24 +0200, Joel HATSCH <home@joel-hatsch.net>
> wrote:
>
>> If I understand it right, this setup works for sound, but what about
>> video? IMHO this is the real issue with DNAT'ing.
>
> Yes you are right, it works for sound. Video not tested yet - did not
> know, that this is the bigger problem ...
> Regards, Ingo.

Yes, I knew video was a problem but in your initial email you made it sound as though you got Gnome meeting to work. Gnome meeting isn't working (IMO) if you can't get video to work. I can use Yahoo IM to tunnel voip if I want audio with a lot less overhead.

Gnome Meeting like Net Meeting is meant for web video. So announcing to a firewalling list that you got Gnome meeting to work was misleading IMO. Gnome Meeting isn't working when you can only get audio to work in one direction.. or even both directions but no Video... Video is the main idea behind these programs..

Joshua Banks
On Sat, 11 Sep 2004 13:12:09 -0700, Joshua Banks <syn_ack@comcast.net> wrote:
> Yes, I knew video was a problem but in your initial email you made it
> sound as though you got Gnome meeting to work. Gnome meeting isn't
> working (IMO) if you can't get video to work. I can use Yahoo IM to
> tunnel voip if I want audio with a lot less overhead.

If you know a Yahoo IM that supports audio and works on Redhat 9 pls. let me know ...

Regards, Ingo.