# IPTables NAT Vs. NetMeeting

## Merlin-TC

Hi,

I have a gentoo box acting as a gateway with iptables.

I am also using the IPKungFu script to configure it.

But as far as I know NetMeeting wants a whole bunch of ports open and I honestly don't want to open all of them.

I found a module that adds support for the h323 protocol but it's for an old kernel version and I am using 2.6.

I also read that maybe using a gatekeeper (gnugk) could help me.

When I call people with NetMeeting they can hear and see me, but I cannot hear or see them, so I guess some UDP packets are blocked.

I am just a little confused and it would be really nice if someone who has a similar configuration and actually got it to work could help me.

Thanks in advance.

----------

## krusty_ar

Why don't you want to open the ports? If the app needs them to work, then you need to open them or the app won't work, simple  :Smile: 

What ports do you need to open? If you don't have any other services running on those ports there should be no problem opening them.

----------

## Merlin-TC

If it were just some ports, fine, but the problem is that the h323 protocol assigns these ports randomly between 1024 and 65535, I think.

This is on the Net Meeting Firewall help site:

* Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.

* Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535).

And opening everything can't be the only solution?

----------

## krusty_ar

I don't know what they mean by primary and secondary TCP connections, but it probably means that you only need to open the primary ports and enable related traffic on the rest (this is usually done because several protocols use a second port that is assigned dynamically).

----------

## Merlin-TC

Thanks for your answer but I opened the so called primary ports already without success.

Sorry for the late reply and happy new year  :Smile: 

----------

## Merlin-TC

Ok, I figured it out now.

You have to install an additional module by patching your kernel.

The easiest way to do this is to use patch-o-matic (pom) from netfilter.org.

Then you follow the instructions to patch your kernel and then recompile it as usual.

Don't forget to modprobe the new modules afterwards.

Right now it doesn't work with the 2.6 kernel yet but they said a patch will be released shortly.

Hope I could help someone who is trying the same  :Smile: 

PS: If you just want to do outgoing calls you don't have to open any ports at all.

----------

## Chakal

You should try this line; it allows established connections through the firewall to your workstation without actually opening the ports:

```
iptables -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

----------

## Merlin-TC

Thanks, this could be handy.

Though I think NetMeeting still wouldn't work then, because it negotiates the ports with every call and they are always different.

The module for the h323 protocol which NetMeeting uses is better, I think.

It's just made for this purpose.

----------

## Chakal

You should still try it; it allows any connection to go through the firewall to the workstation as long as it's already established or was requested by the workstation.

----------

## Merlin-TC

But does this work for UDP ports as well?

As far as I know these ports are negotiated within the h323 protocol, so how can an "outside" program know it is actually requested?

----------

## LGW

Simple answer: don't use NetMeeting, use OpenPhone for Windows and GnomeMeeting for Linux.

Both have *configurable* port ranges, so you only have to allow and forward *insertyourchoiceofudpportshere* ports instead of *ALL* of them.

Silly implementation. But what to expect, it's M$...  :Wink: 

OpenPhone and GnomeMeeting work together very well. The GnomeMeeting homepage has some iptables script examples, too.

Right now I'm trying to set up the gnugk, but without much luck  :Sad: 

----------

## Merlin-TC

I did not know about OpenPhone, I will check it out. I would have loved to use GnomeMeeting on both sides, but my gf was not too keen on switching to Linux just so that this works.

So I setup a gatekeeper like you.

I have it running fine so if you need any help just let me know and I will try to be of assistance.

Also thanks for the tip about openphone, I will check it out for sure.

Thanks  :Smile: 

----------

## trumee

Can you please post how you set up your gatekeeper? I am facing exactly the same problem, only that I am using shorewall to define my rules, and NetMeeting simply refuses to work.

Thanks

----------

## Merlin-TC

This is my config:

```
[Gatekeeper::Main]
Fourtytwo=42

[RoutedMode]
GKRouted=1
AcceptUnregisteredCalls=1
SupportNATedEndpoints=1
H245PortRange=30000-30010
Q931PortRange=30011-30020

[RasSvr::ARQFeatures]
CallUnregisteredEndpoints=1

[Proxy]
Enable=1
RTPPortRange=5000-5010

[GkStatus::Auth]
rule=allow

[Gatekeeper::Auth]
default=allow
```

But make sure that EVERYONE you want to call is registered to the gatekeeper.

You can enter this in the gatekeeper settings in NetMeeting.

If the other person you want to call registers as user "Frank", then all you have to do is enter Frank in your NetMeeting after you are both signed in.

Also make sure that you forward the ports defined in the gnugk config file.

Hope I could help  :Smile: 

----------
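The question raised earlier in the thread (how the firewall can know about UDP ports that are negotiated inside the H.323 signalling) and the "forward the ports defined in the gnugk config file" step above are two sides of the same rule set. The script below is an added example and is not code from any poster, nor from the netfilter or GnuGk projects. It assumes a gateway with ppp0 facing the internet and eth0 facing a 192.168.1.0/24 LAN, a NetMeeting PC at 192.168.1.10 (all placeholder values), and a current kernel in which the patch-o-matic h323 module discussed above has become the in-tree `nf_conntrack_h323` / `nf_nat_h323` helpers. The port ranges in the proxy variant are the ones from the posted gnugk config.

```shell
#!/bin/sh
# Added example (not from any poster): two ways to pass H.323 calls through an
# iptables NAT gateway without opening TCP/UDP 1024-65535.
#  1. h323_helper_rules: the in-tree conntrack helper (nf_conntrack_h323 and
#     nf_nat_h323, successor of the patch-o-matic ip_conntrack_h323 module)
#     parses the Q.931/H.245 signalling on 1720/tcp, learns the RTP/RTCP ports
#     negotiated for each call and marks them RELATED, so a plain
#     ESTABLISHED,RELATED rule admits exactly those packets and nothing else.
#  2. gnugk_proxy_rules: a GnuGk proxy on the gateway with fixed port ranges
#     (the values from the posted gnugk config), so only those ranges are opened.
# Interface names, addresses and the client IP below are placeholders.
set -u

WAN="${WAN:-ppp0}"                   # internet-facing interface (assumed)
LAN="${LAN:-eth0}"                   # inside interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # inside network (assumed)
CLIENT="${CLIENT:-192.168.1.10}"     # NetMeeting PC that receives incoming calls (assumed)
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints each command instead of running it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Default-deny forwarding, masquerade the LAN, allow outbound and return traffic.
base_rules() {
    run "$IPT" -P FORWARD DROP
    run "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    run "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # RELATED is what admits the media ports the helper expects per call;
    # no 1024:65535 hole is needed for them.
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Approach 1: conntrack helper. Only RAS (1719/udp) and call signalling
# (1720/tcp) are opened explicitly; media ports are learned from each call.
h323_helper_rules() {
    base_rules
    run modprobe nf_conntrack_h323
    run modprobe nf_nat_h323
    # Since kernel 4.7 helpers are no longer attached automatically; bind them
    # with the CT target. "RAS" and "Q.931" are the helper names registered
    # by nf_conntrack_h323.
    run "$IPT" -t raw -A PREROUTING -p udp --dport 1719 -j CT --helper RAS
    run "$IPT" -t raw -A PREROUTING -p tcp --dport 1720 -j CT --helper Q.931
    # Incoming calls: forward the signalling port to the client. The NAT helper
    # rewrites the negotiated media addresses and opens them as RELATED.
    run "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 1720 -j DNAT --to-destination "$CLIENT"
    run "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$CLIENT" --dport 1720 -m conntrack --ctstate NEW -j ACCEPT
}

# Approach 2: GnuGk proxy on the gateway. Endpoints register with the gatekeeper
# and all signalling and media are relayed by it, so the only ports exposed are
# the fixed ranges from the gnugk config; no helper and no DNAT are needed.
gnugk_proxy_rules() {
    base_rules
    run "$IPT" -A INPUT -i "$WAN" -p udp --dport 1719 -j ACCEPT        # RAS
    run "$IPT" -A INPUT -i "$WAN" -p tcp --dport 1720 -j ACCEPT        # Q.931 call setup
    run "$IPT" -A INPUT -i "$WAN" -p tcp --dport 30000:30010 -j ACCEPT # H245PortRange
    run "$IPT" -A INPUT -i "$WAN" -p tcp --dport 30011:30020 -j ACCEPT # Q931PortRange
    run "$IPT" -A INPUT -i "$WAN" -p udp --dport 5000:5010 -j ACCEPT   # RTPPortRange
}

# Usage: ./h323-gw.sh helper | ./h323-gw.sh proxy  (DRY_RUN=1 to preview)
case "${1:-}" in
    helper) h323_helper_rules ;;
    proxy)  gnugk_proxy_rules ;;
esac
```

Preview with `DRY_RUN=1 sh h323-gw.sh helper` before applying anything. One caveat on the proxy variant: the posted gnugk config has `AcceptUnregisteredCalls=1` and `default=allow`, so with these INPUT rules any host on the internet can place calls through your gatekeeper; if that is not intended, add `-s <peer address>` to the INPUT rules or tighten the `[Gatekeeper::Auth]` section.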

## trumee

Thanks for your help, but I am a bit lost here. I have just one machine which has the shorewall firewall running, and on this machine itself I want to use GnomeMeeting.

Do I still need to forward ports? Here are my firewall rules:

```
/etc/shorewall/rules

#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
ACCEPT    net      fw     tcp     1720
ACCEPT    net      fw     tcp     1731
ACCEPT    net      fw     tcp     30000:30010
ACCEPT    net      fw     udp     5000:5007
ACCEPT    net      fw     udp     5010:5013
```

Are the above rules all right? Do I need to change something in GnomeMeeting too?

Thanks

----------

## Merlin-TC

I never used shorewall, so I don't know the difference between forwarding ports to another machine and opening them on the machine shorewall is running on.

Maybe you can check the manpages.

In GnomeMeeting you just have to enter the IP of the gatekeeper (I think you can enter 127.0.0.1 because the gatekeeper is running on the same machine). And also don't forget to set an alias.

That should be all.

----------

## Kaboosh

*Merlin-TC wrote:*

> If it were just some ports, fine, but the problem is that the h323 protocol assigns these ports randomly between 1024 and 65535, I think.
>
> This is on the Net Meeting Firewall help site:
>
> * Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
> ...

Well if it was up to MS and their excellent track record on security, I guess they'd ask us to toss out our firewalls, get WinXP or some other garbage "OS", and connect directly to the internet   :Rolling Eyes: 

The gnomemeeting help files (Help -> Contents) state that the ports used can be viewed/modified using gconf-editor and looking in apps -> gnomemeeting -> protocols -> h323 -> ports.  The default values are 1072 and 30000 to 30010 using TCP along with 5000 to 5007 and 5010 to 5013 using UDP.    :Exclamation: 

----------

