Shorewall users - Dec 2007 - direct connect 2 remote H323 clients via WAN

According to FAQ #3 I tried to modrpobe the
H.323 connection tracking/NAT modules in kernel
2.6.20.
I can make a direct connection from H323 netmeeting
client at 87.219.113.116 (remote laptop with local ip
192.168.1.129) to another client at 85.48.224.145 (in
loc zone the client has IP address 10.215.144.98 and
is in the office LAN with a shorewall gateway).
However, I can''t stream video.
I noticed on the shorewall gateway that the h323
client in the loc zone is trying to send UDP packets
to the remote laptop but is using its local RFC1918 IP
address, not the public IP.

(...)
18:10:58.971782 IP 10.215.144.98.2334 >
192.168.1.129.49608: UDP, length 332
18:10:58.994780 IP 10.215.144.98.2336 >
192.168.1.129.49606: UDP, length 1401
18:10:59.003478 IP 10.215.144.98.2336 >
192.168.1.129.49606: UDP, length 235
18:10:59.011781 IP 10.215.144.98.2334 >
192.168.1.129.49608: UDP, length 332
18:10:59.034161 IP 10.215.144.98.2336 >
192.168.1.129.49606: UDP, length 1368
18:10:59.043573 IP 10.215.144.98.2336 >
192.168.1.129.49606: UDP, length 209
18:10:59.051800 IP 10.215.144.98.2334 >
192.168.1.129.49608: UDP, length 332

# lsmod | grep -i h323
nf_nat_h323             4962  0
nf_conntrack_h323      35016  1 nf_nat_h323
nf_nat                  9868  14
ipt_SAME,ipt_REDIRECT,ipt_NETMAP,ipt_MASQUERADE,nf_nat_tftp,nf_nat_sip,nf_nat_pptp,nf_nat_proto_gre,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_netlink,iptable_nat
nf_conntrack           30456  29
ipt_MASQUERADE,ipt_CLUSTERIP,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_pptp,nf_nat_irc,nf_nat_h323,nf_nat_ftp,nf_nat_amanda,nf_conntrack_amanda,nf_conntrack_tftp,nf_conntrack_sip,nf_conntrack_proto_sctp,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_netlink,nf_conntrack_netbios_ns,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ftp,xt_helper,xt_conntrack,xt_CONNMARK,xt_connmark,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
ipv6                  173176  17 nf_conntrack_h323

I also placed a shorewall dump at
http://85.48.227.158/shorewall/shorewall_dump.bz2

I would like to avoid using a gatekeeper like gnugk
because it seems that netmeeting in Win XP does not
register with a gatekeeper (it works fine with Win 2K
though).

Help appreciated,

Vieri



     
____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4

On Mon, 2007-12-03 at 10:12 -0800, Vieri Di Paola wrote:
> I noticed on the shorewall gateway that the h323
> client in the loc zone is trying to send UDP packets
> to the remote laptop but is using its local RFC1918 IP
> address, not the public IP.
> 
> (...)
> 18:10:58.971782 IP 10.215.144.98.2334 >
> 192.168.1.129.49608: UDP, length 332
> 18:10:58.994780 IP 10.215.144.98.2336 >
> 192.168.1.129.49606: UDP, length 1401
> 18:10:59.003478 IP 10.215.144.98.2336 >
> 192.168.1.129.49606: UDP, length 235
> 18:10:59.011781 IP 10.215.144.98.2334 >
> 192.168.1.129.49608: UDP, length 332
> 18:10:59.034161 IP 10.215.144.98.2336 >
> 192.168.1.129.49606: UDP, length 1368
> 18:10:59.043573 IP 10.215.144.98.2336 >
> 192.168.1.129.49606: UDP, length 209
> 18:10:59.051800 IP 10.215.144.98.2334 >
> 192.168.1.129.49608: UDP, length 332
> 
Which interface did you see that on?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4

--- Tom Eastep <teastep@shorewall.net> wrote:
> 
> On Mon, 2007-12-03 at 10:12 -0800, Vieri Di Paola
> wrote:
> 
> > I noticed on the shorewall gateway that the h323
> > client in the loc zone is trying to send UDP
> packets
> > to the remote laptop but is using its local
> RFC1918 IP
> > address, not the public IP.
> > 
> > (...)
> > 18:10:58.971782 IP 10.215.144.98.2334 >
> > 192.168.1.129.49608: UDP, length 332
> > 18:10:58.994780 IP 10.215.144.98.2336 >
> > 192.168.1.129.49606: UDP, length 1401
> > 18:10:59.003478 IP 10.215.144.98.2336 >
> > 192.168.1.129.49606: UDP, length 235
> > 18:10:59.011781 IP 10.215.144.98.2334 >
> > 192.168.1.129.49608: UDP, length 332
> > 18:10:59.034161 IP 10.215.144.98.2336 >
> > 192.168.1.129.49606: UDP, length 1368
> > 18:10:59.043573 IP 10.215.144.98.2336 >
> > 192.168.1.129.49606: UDP, length 209
> > 18:10:59.051800 IP 10.215.144.98.2334 >
> > 192.168.1.129.49608: UDP, length 332
> > 
> 
> Which interface did you see that on?
eth0 (loc zone).
I should have been listening on eth7 I suppose (net4).
Will try to redo the test.



     
____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4