help with iptables and h323 (netmeeting)

Post by none » Mon, 16 Dec 2002 04:41:53



I need help. I try to use NetMeeting but I can't receive video and sound,
though my video and sound are sent.

I have a linux gateway, 192.168.0.5
and a laptop with win2000 pro, 192.168.0.10

my firewall rules are:

    echo "setting forwarding..." >/dev/tty10
    echo 1 >/proc/sys/net/ipv4/ip_forward
    echo 1 >/proc/sys/net/ipv4/ip_dynaddr

    #antispoof
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $f
        done
    fi

    if test "$netip" != "0.0.0.0"
    then
        if test "$NETCONFIG" != "YAST_ASK" -a "$START_NAT" = "yes"
        then
            #netmeeting
            h323_ports="389 522 1503 1720 1731 8080"

            for port in $h323_ports; do
                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.10 &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.10 &>/dev/null

                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination $localip &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination $localip &>/dev/null

                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.1 &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.1 &>/dev/null

                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -j DNAT --to-destination 192.168.0.10 &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -j DNAT --to-destination 192.168.0.10 &>/dev/null

                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -j DNAT --to-destination 192.168.0.1 &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -j DNAT --to-destination 192.168.0.1 &>/dev/null

                $root/iptables -t nat -A PREROUTING -i $neti -p tcp -d $netip --dport $port -j DNAT --to-destination $localip &>/dev/null
                $root/iptables -t nat -A PREROUTING -i $neti -p udp -d $netip --dport $port -j DNAT --to-destination $localip &>/dev/null

            done

            echo "setting masquerading..." >/dev/tty10
#       $root/iptables -N log-masq &>/dev/tty10
#       $root/iptables -A log-masq -j LOG --log-prefix "iptables reject " &>/dev/tty10
#       $root/iptables -A log-masq -j MASQUERADE &>/dev/tty10

            #version 25022002
            $root/iptables -t nat -A POSTROUTING -s $localip/24 -o $neti -j MASQUERADE
            insmod ip_nat_ftp &>/dev/null
            insmod ip_nat_h323 &>/dev/null
            insmod ip_nat_irc &>/dev/null
        fi
    fi

    #log
    $root/iptables -N log-drop &>/dev/tty10
    $root/iptables -A log-drop -j LOG --log-prefix "iptables reject " &>/dev/tty10
    $root/iptables -A log-drop -j REJECT &>/dev/tty10

    #default policies
    $root/iptables -F INPUT
    $root/iptables -P INPUT DROP
    $root/iptables -F FORWARD
    $root/iptables -P FORWARD DROP
    $root/iptables -F OUTPUT
    $root/iptables -P OUTPUT DROP

    #tcp flags
#    $root/iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
#    $root/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

    #reserved ranges
    $root/iptables -A INPUT -i $neti -s 224.0.0.0/4 -j log-drop
    $root/iptables -A INPUT -i $neti -s 192.168.0.0/16 -j log-drop
    $root/iptables -A INPUT -i $neti -s 10.0.0.0/8 -j log-drop
    $root/iptables -A INPUT -i $neti -s 127.0.0.0/16 -j log-drop

    #services inside->outside
    echo "interne : $locali, $localip" &>/dev/tty10
    $root/iptables -N local
    $root/iptables -F local

    $root/iptables -N ext
    $root/iptables -F ext

    $root/iptables -A INPUT -i $locali -s $localip/24 -d $netip -j ext
    $root/iptables -A INPUT -i $locali -s $localip/24 -d ! $netip -j local
    $root/iptables -A INPUT -i dummy0 -s $localip/24 -d $netip -j ext
    $root/iptables -A INPUT -i dummy0 -s $localip/24 -d ! $netip -j local
    $root/iptables -A INPUT -i lo -s $localip/24 -d $netip -j ext
    $root/iptables -A INPUT -i lo -s $localip/24 -d ! $netip -j local
    $root/iptables -A FORWARD -i $locali -s $localip/24 -d $netip -j ext
    $root/iptables -A FORWARD -i $locali -s $localip/24 -d ! $netip -j local
    $root/iptables -A FORWARD -i dummy0 -s $localip/24 -d $netip -j ext
    $root/iptables -A FORWARD -i dummy0 -s $localip/24 -d ! $netip -j local
    $root/iptables -A FORWARD -i lo -s $localip/24 -d $netip -j ext
    $root/iptables -A FORWARD -i lo -s $localip/24 -d ! $netip -j local

    $root/iptables -A INPUT -i lo -d $netip -j ext
    $root/iptables -A INPUT -i lo -d ! $netip -j local
    $root/iptables -A FORWARD -i lo -d $netip -j ext
    $root/iptables -A FORWARD -i lo -d ! $netip -j local
    $root/iptables -A FORWARD -o lo -d $netip -j ext
    $root/iptables -A FORWARD -o lo -d ! $netip -j local
    $root/iptables -A OUTPUT -o lo -d $netip -j ext
    $root/iptables -A OUTPUT -o lo -d ! $netip -j local
    $root/iptables -A OUTPUT -s $localip/24 -d $netip -j ext
    $root/iptables -A OUTPUT -s $localip/24 -d ! $netip -j local
    $root/iptables -A OUTPUT -s 127.0.0.1/24 -d $netip -j ext
    $root/iptables -A OUTPUT -s 127.0.0.1/24 -d ! $netip -j local

    if test "$netip" != "0.0.0.0"
    then
        $root/iptables -A OUTPUT -s $netip/24 -j local
        $root/iptables -A FORWARD -s $netip -j local
    fi

    #default
    $root/iptables -A local -p ! icmp -j ACCEPT
    #icmp
    $root/iptables -A local -m state --state INVALID -j ACCEPT
    $root/iptables -A local -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    $root/iptables -A local -p icmp --icmp-type destination-unreachable -j ACCEPT
    $root/iptables -A local -p icmp --icmp-type source-quench -j ACCEPT
    $root/iptables -A local -p icmp --icmp-type time-exceeded -j ACCEPT
    #smtp
    $root/iptables -A local -p tcp --dport smtp -j ACCEPT
    $root/iptables -A local -p tcp --sport smtp -j ACCEPT
    #netmeeting
    $root/iptables -A local -p tcp --sport 389 -j ACCEPT
    $root/iptables -A local -p tcp --dport 389 -j ACCEPT
    $root/iptables -A local -p tcp --sport 522 -j ACCEPT
    $root/iptables -A local -p tcp --dport 522 -j ACCEPT
    $root/iptables -A local -p tcp --sport 1503 -j ACCEPT
    $root/iptables -A local -p tcp --dport 1503 -j ACCEPT
    $root/iptables -A local -p tcp --sport 1720 -j ACCEPT
    $root/iptables -A local -p tcp --dport 1720 -j ACCEPT
    $root/iptables -A local -p tcp --sport 1731 -j ACCEPT
    $root/iptables -A local -p tcp --dport 1731 -j ACCEPT
    #msn messenger
    $root/iptables -A local -p tcp --sport 1863 -j ACCEPT
    $root/iptables -A local -p tcp --dport 1863 -j ACCEPT
    #netmeeting
#    for port in $h323_ports; do
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination $localip &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination $localip &>/dev/null
#
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.10 &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.10 &>/dev/null
#
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.1 &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination 192.168.0.1 &>/dev/null
#
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -j DNAT --to-destination 192.168.0.10 &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -j DNAT --to-destination 192.168.0.10 &>/dev/null
#
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -j DNAT --to-destination 192.168.0.1 &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -j DNAT --to-destination 192.168.0.1 &>/dev/null
#
#        $root/iptables -t nat -A PREROUTING -i $locali -p tcp --dport $port -j DNAT --to-destination $localip &>/dev/null
#        $root/iptables -t nat -A PREROUTING -i $locali -p udp --dport $port -j DNAT --to-destination $localip &>/dev/null
#    done
    #dns
#    $root/iptables -A local-ext -p udp --dport domain -j ACCEPT
#    $root/iptables -A local-ext -p tcp --dport domain -j ACCEPT
#    $root/iptables -A local-ext -p udp --sport domain -j ACCEPT
#    $root/iptables -A local-ext -p tcp --sport domain -j ACCEPT
    #http
#    $root/iptables -A local-ext -p tcp --dport www -j ACCEPT
    #https
#    $root/iptables -A local-ext -p tcp --dport https -j ACCEPT
    #ssh
#    $root/iptables -A local-ext -p tcp --dport ssh -j ACCEPT
    #telnet
#    $root/iptables -A local-ext -p tcp --dport telnet -j ACCEPT
    #pop3
#    $root/iptables -A local-ext -p tcp --dport pop3 -j ACCEPT
    #ftp
#    $root/iptables -A local-ext -p tcp --dport ftp -j ACCEPT
#    $root/iptables -A local-ext -p tcp --dport ftp-data -j ACCEPT

#    $root/iptables -A local-ext -p icmp -j icmp-acc
#    $root/iptables -A local-ext -j log-drop

    #services outside->inside
    if test "$netip" != "0.0.0.0"
    then
        echo "internet : $neti, $netip" &>/dev/tty10

#    $root/iptables -A INPUT -i $neti -s ! $localip/24 -j ext
#    $root/iptables -A INPUT -i eth1 -s ! $localip/24 -j ext
#    $root/iptables -A FORWARD -i eth1 -s ! $localip/24 -j ext
#    $root/iptables -A FORWARD -i $neti -s ! $localip/24 -j ext

        $root/iptables -A INPUT -i $neti -j ext
        $root/iptables -A INPUT -i eth0 -j ACCEPT
        $root/iptables -A OUTPUT -o eth0 -j ACCEPT
        $root/iptables -A FORWARD -i eth0 -j ACCEPT
        $root/iptables -A FORWARD -i $neti -j ext
        $root/iptables -A INPUT -s ! $localip/24 -j ext
        $root/iptables -A OUTPUT -s ! $localip/24 -j ext
        $root/iptables -A FORWARD -s ! $localip/24 -j ext

        #netmeeting
        h323_ports="389 522 1503 1720 1731 8080"

        for port in $h323_ports; do
            $root/iptables -A ext -p udp --dport $port -j ACCEPT
            $root/iptables -A ext -p tcp --dport $port -j ACCEPT
            $root/iptables -A ext -p tcp --sport $port -j ACCEPT
            $root/iptables -A ext -p udp --sport $port -j ACCEPT
        done

        #smtp allowed
        $root/iptables -A ext -p tcp --dport smtp -j ACCEPT
        $root/iptables -A ext -p tcp --sport smtp -j ACCEPT
        #vnc allowed
        $root/iptables -A ext -p tcp --dport 5802 -j ACCEPT
        $root/iptables -A ext -p tcp --sport 5802 -j ACCEPT
        $root/iptables -A ext -p tcp --dport 5902 -j ACCEPT
        $root/iptables -A ext -p tcp --sport 5902 -j ACCEPT
        #dns
        $root/iptables -A ext -p udp --dport domain -j ACCEPT
        $root/iptables -A ext -p tcp --dport domain -j ACCEPT
        $root/iptables -A ext -p udp --sport domain -j ACCEPT
        $root/iptables -A ext -p tcp --sport domain -j ACCEPT
        #http
        $root/iptables -A ext -p tcp --dport www -j ACCEPT
        $root/iptables -A ext -p tcp --sport www -j ACCEPT
        #https
        $root/iptables -A ext -p tcp --dport https -j log-drop
        $root/iptables -A ext -p tcp --sport https -j ACCEPT
        #msn messenger
        $root/iptables -A ext -p tcp --sport 1863 -j ACCEPT
        $root/iptables -A ext -p tcp --dport 1863 -j ACCEPT
        #ssh
        $root/iptables -A ext -p tcp --dport ssh -j ACCEPT
        $root/iptables -A ext -p tcp --sport ssh -j ACCEPT
        #pop forbidden
        $root/iptables -A ext -p tcp --dport pop3 -d $netip/24 -j log-drop
        #pop3
        $root/iptables -A ext -p tcp --dport pop3 -j ACCEPT
        $root/iptables -A ext -p tcp --sport pop3 -j ACCEPT
        #ftp
        $root/iptables -A ext -p tcp --dport ftp -j ACCEPT
        $root/iptables -A ext -p tcp --dport ftp-data -j ACCEPT
        $root/iptables -A ext -p tcp --sport ftp -j ACCEPT
        $root/iptables -A ext -p tcp --sport ftp-data -j ACCEPT
        #icmp
#       $root/iptables -A ext -i $locali -p icmp -j ACCEPT
#       $root/iptables -A ext -o $locali -p icmp -j ACCEPT
#       $root/iptables -A ext -p icmp --icmp-type 3 -j ACCEPT
#       $root/iptables -A ext -p icmp --icmp-type 4 -j ACCEPT
#       $root/iptables -A ext -p icmp --icmp-type 5 -j ACCEPT
#       $root/iptables -A ext -p icmp --icmp-type 11 -j ACCEPT
#       $root/iptables -A ext -p icmp --icmp-type 12 -j ACCEPT
        $root/iptables -A ext -p icmp -j log-drop
        #no ping on the local net
        $root/iptables -A ext -p icmp --icmp-type echo-reply -j log-drop
        $root/iptables -A ext -p icmp --icmp-type echo-request -j log-drop
        #connections
        $root/iptables -A ext -f -p ! icmp -j ACCEPT
        $root/iptables -A ext -m state --state INVALID -j DROP
        $root/iptables -A ext -m state -p tcp --state RELATED,ESTABLISHED -j ACCEPT
        $root/iptables -A ext -m state -p udp --state RELATED,ESTABLISHED -j ACCEPT
        #tcp flags
        $root/iptables -A ext -p tcp --tcp-flags SYN, ACK -j ACCEPT
        $root/iptables -A ext -p tcp --tcp-flags ALL ALL -j log-drop
        $root/iptables -A ext -p tcp --tcp-flags ALL NONE -j log-drop
    fi

#debug
    $root/iptables -N logndrop &>/dev/tty10
    $root/iptables -A logndrop -j LOG --log-prefix "iptables final reject " &>/dev/tty10
    $root/iptables -A logndrop -j REJECT &>/dev/tty10

    $root/iptables -A INPUT -j logndrop
    $root/iptables -A OUTPUT -j logndrop
    $root/iptables -A FORWARD -j logndrop
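
A minimal alternative ruleset for the same setup, added here as an example (it is not the poster's script or any project's code). The H.323 media ports are negotiated inside the call-setup exchange, so the script above can only ever carry the outgoing direction with static per-port DNAT; the example instead relies on the H.323 conntrack/NAT helper pair (the post loads ip_nat_h323 with insmod, which does not pull in ip_conntrack_h323, so modprobe is used) plus a single RELATED,ESTABLISHED rule, and it drops the source-port based ACCEPTs. Interface names (ppp0, eth1), the forwarded port list and the module names are assumptions; with DRYRUN=1 (the default) it only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal ruleset for NetMeeting
# behind a 2.4-kernel iptables gateway. Interface and module names are
# assumptions; DRYRUN=1 (the default) only prints the commands.
DRYRUN="${DRYRUN:-1}"
NETI="ppp0"            # assumed external interface
LOCALI="eth1"          # assumed internal interface
LAN="192.168.0.0/24"
LAPTOP="192.168.0.10"  # the NetMeeting client from the post
STATIC_PORTS="1720 1503 1731"  # H.225 setup, T.120 data, audio call control

ipt() {
    if [ "$DRYRUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The H.323 conntrack helper reads the call-setup exchange and marks the
# dynamically chosen RTP/RTCP media ports as RELATED; its NAT companion
# rewrites the addresses carried inside the signalling. modprobe (unlike
# insmod) loads the conntrack module the NAT module depends on.
load_helpers() {
    modprobe ip_conntrack_h323 && modprobe ip_nat_h323
}

h323_rules() {
    ipt -P FORWARD DROP
    # Only the signalling ports get a static forward, and only to the laptop.
    for port in $STATIC_PORTS; do
        ipt -t nat -A PREROUTING -i "$NETI" -p tcp --dport "$port" \
            -j DNAT --to-destination "$LAPTOP"
    done
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$NETI" -j MASQUERADE
    # State rules come first: drop INVALID, then let replies and the
    # helper-tracked media streams through in both directions.
    ipt -A FORWARD -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New incoming calls: destination-based match only, never --sport,
    # since a remote client can pick any source port it likes.
    for port in $STATIC_PORTS; do
        ipt -A FORWARD -i "$NETI" -o "$LOCALI" -p tcp -d "$LAPTOP" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # New outgoing calls and everything else the LAN initiates.
    ipt -A FORWARD -i "$LOCALI" -o "$NETI" -s "$LAN" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "iptables fwd reject "
    ipt -A FORWARD -j DROP
}

[ "$DRYRUN" = "1" ] || load_helpers
h323_rules
```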


1. H323/Netmeeting through an iptables NAT/router

I am running kernel 2.4 and netfilter/iptables as an internet gateway for my
LAN, using the NAT and filtering functions of iptables. I have trouble with
NetMeeting: I can set up connections with some remote computer, I can send
video but I cannot receive either sound or video.

I have configured the PREROUTING chain in iptables in order to forward the
H323 related ports on the firewall to my local computer, but it still does
not work. I have read as much as I could find on the subject over the net
but could not find anything helpful (lots of things about kernel
2.2/ipchains - obsolete with kernel 2.4, or iptables prerouting options
which appear not to work).

If anyone has an idea which could help things work better, please let me
know...
Thx

Ben
