Hello,

I have been using Shorewall for a while, but today I got into some problems setting this up; I hope anyone can help.

I have a Polycom videoconference equipment that uses H.323 for the communication, but since H.323 has the whole range of ports to use, from 1025 to 65535, I'm unable to open the ports in the firewall with the rules file.

I have a DSL connection to the internet that gives me only one valid dynamic IP (ppp0=net). I wanted to pass all the unsolicited traffic from the internet to the host 10.32.5.121 (Polycom) so it can communicate freely.

I've read the FAQ and NAT to NAT, but it didn't give any clue because the DSL examples and net examples usually have more valid IP addresses.

Thanks for your help.

Fernando Rodriguez V.
frod@aitelecom.net
AITelecom S.A. de C.V.
http://www.aitelecom.net
On Wednesday 14 December 2005 14:42, Fernando Rodriguez wrote:

The best way to support H.323 on Linux is to install a gatekeeper. There is an H.323 kernel module, but if you have read the FAQ, you know that even the author of the code doesn't recommend using it.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Yes, my first attempt at a solution was that. The problem is that H.323 doesn't assign a range of UDP ports to use; instead it uses the first available from 1025 to 65535. That's why I want to do the NAT.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 14 December 2005 04:52 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] DSL NAT
It would be like having the equipment fully open to the Internet, since all non-requested traffic will be sent to that IP inside a DMZ zone.
On Wednesday 14 December 2005 15:04, Fernando Rodriguez wrote:
> It would be like having the equipment fully open to the Internet, since all
> non-requested traffic will be sent to that IP inside a DMZ zone.

So do it -- make these the last entries in /etc/shorewall/rules:

    DNAT    net    dmz:10.32.5.121    udp
    DNAT    net    dmz:10.32.5.121    tcp

-Tom
On Wednesday 14 December 2005 15:09, Tom Eastep wrote:
> So do it -- make these the last entries in /etc/shorewall/rules:
>
>     DNAT    net    dmz:10.32.5.121    udp
>     DNAT    net    dmz:10.32.5.121    tcp

One additional word of warning: with these rules, any net->fw ACCEPT rules in your configuration will stop working until you change them to ACCEPT+ rules. Example:

Current rule:

    ACCEPT    net    fw    tcp    22

Change to:

    ACCEPT+   net    fw    tcp    22

-Tom
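Added example, not from the thread or from Shorewall itself: a small Python lint pass over a Shorewall rules file that flags the problems discussed above, namely a plain net->fw ACCEPT that the catch-all DNAT shadows, an ACCEPT+ placed after the DNAT rules, and the catch-all DNAT itself when its SOURCE is the whole net zone rather than a specific peer address (the "fully open" concern). It assumes the classic column layout (ACTION SOURCE DEST PROTO DEST PORT); the function names, the sample rules and the 203.0.113.5 peer address are constructed for the demo.

```python
# Constructed sample of /etc/shorewall/rules (not a real config): columns are
# ACTION SOURCE DEST PROTO DEST-PORT, '#' starts a comment, '-' is an empty column.
SAMPLE_RULES = """\
# ACTION   SOURCE   DEST             PROTO  DEST PORT
ACCEPT     net      fw               tcp    22
ACCEPT+    net      fw               tcp    443
DNAT       net      dmz:10.32.5.121  udp
DNAT       net      dmz:10.32.5.121  tcp
ACCEPT+    net      fw               udp    1194
"""

def parse_rules(text):
    """Return (line_no, columns) for each rule line, skipping blanks, comments and SECTION lines."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and not line.upper().startswith("SECTION"):
            rules.append((no, line.split()))
    return rules

def is_catch_all_dnat(cols):
    """DNAT from the net zone with no DEST PORT: it redirects every port."""
    port = cols[4] if len(cols) > 4 else "-"
    return cols[0] == "DNAT" and cols[1].split(":")[0] == "net" and port == "-"

def lint_rules(text):
    """Return [(line_no, message)]; an empty list means nothing to fix."""
    rules = parse_rules(text)
    dnat_lines = [no for no, cols in rules if is_catch_all_dnat(cols)]
    findings = []
    for no, cols in rules:
        if is_catch_all_dnat(cols) and cols[1] == "net":
            # Bare 'net' SOURCE: every unsolicited packet from anywhere reaches the host.
            findings.append((no, "catch-all DNAT from the whole net zone; "
                                 "restrict SOURCE to net:<peer-address>"))
        if not dnat_lines or len(cols) < 3 or cols[1].split(":")[0] != "net" \
                or cols[2] not in ("fw", "$FW"):
            continue
        if cols[0] == "ACCEPT":
            # DNAT is applied in nat PREROUTING before filter rules run, so a plain
            # ACCEPT is shadowed no matter where it sits in the file.
            findings.append((no, "net->fw ACCEPT shadowed by catch-all DNAT; use ACCEPT+"))
        elif cols[0] == "ACCEPT+" and no > min(dnat_lines):
            # ACCEPT+ only exempts traffic from DNAT rules that come after it.
            findings.append((no, "ACCEPT+ must come before the catch-all DNAT rules"))
    return findings
```

Run `lint_rules(SAMPLE_RULES)` to see the four findings; a file with the ACCEPT+ rules first and the DNAT SOURCE narrowed to `net:<peer-address>` produces none.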
I really know nothing about H.323, but I found the following on the Open H.323 FAQ:

Quote

NAT Firewalls

The reason it is hard to get H.323 through simple NATs and firewalls is perfectly simple. Messages that are sent by each participant in the call to the other contain the sender's transport addresses, for example as a location to which to send audio. A typical NAT or firewall will be oblivious to this. The endpoint on the internal/protected network will advertise a private address, therefore, and the device on the public network will attempt to send (typically IP) packets therefore to an address that does not have global significance! The best you can usually hope for is for the endpoint on the private network to be able to make calls to the endpoint on the public network, with media only in the direction from the private to the public network. Worse is, as you discovered, quite likely!

End quote

I guess that's why Tom suggested using a gatekeeper, or possibly a kernel module. There seems to be a gatekeeper available at http://openh323proxy.sourceforge.net/home.php, but I haven't tried it.

Rune