[GnomeMeeting-list] Making GM work with a firewall / NAT gateway.



Le jeu 20/06/2002 à 18:03, Dale E Martin a écrit :
> Hello!  I'm trying to get gnome-meeting to work (audio only for the moment)
> on my Debian machine - I've installed the unstable package - version
> 0.85.1.
> 
> My machine is behind a firewall so I've setup port forwarding on the
> firewall to send tcp/ip port 1720 to my internal machine, along with udp
> ports 5000-5010.
> 
> Furthermore, I'm on a DSL network that does some funny NAT stuff, and I
> have a dynamic IP ;-)  Supposedly the network supports netmeeting, so
> hopefully the problems I'm having are my own configuration.  
> 
> Any help debugging would be appreciated.
> 

Having a network that supports netmeeting doesn't mean anything.
Netmeeting doesn't support H.245 Tunneling for example.
So you can open one more TCP port on your firewall. Which one? A random
one => open all your TCP ports or you won't be able to receive incoming
calls.

OK, here is a short synthesis of what you need to get GnomeMeeting to
work behind a firewall using NAT/PAT. This will replace the current FAQ
section about firewalls. (Getting it to work behind Firewalls in the
current FAQ).


1) About the ports that are used by GnomeMeeting and Netmeeting.

* What ports does GnomeMeeting use for H.323 if H.245 Tunneling is
enabled?

- 1720 TCP for the H.225 and H.245 Channels
- Random UDP port for audio (it will take the first free port above
5000)
- Random UDP port for video (it will take the first free port above
5000)

Those ports are used for incoming calls, i.e. if you receive an incoming
call from a GnomeMeeting user using H.245 Tunneling, that remote
GnomeMeeting will open those ports. 

If the user doesn't use H.245 Tunneling for some reason, another random
TCP port will be used for the H.245 Channel. 

If the user uses H.245 Tunneling (the default in the preferences), it is
enough to allow TCP port 1720 and UDP ports 5000-5004 on your firewall
(for a single call).


* What ports does Netmeeting use for H.323?

- 1720 TCP for the H.225 Channel
- Random TCP port for the H.245 Channel (Netmeeting doesn't support
H.245 Tunneling)
- Random UDP port for audio
- Random UDP port for video

That is for incoming calls, i.e. if you receive an incoming call from a
Netmeeting user, that remote Netmeeting will use those ports. Most of
them are totally random, so if you want a secure firewall, you will have
to forget about being able to be called by remote Netmeeting users.


2) Three ways to use GnomeMeeting behind a NAT/PAT gateway

a) The GNU Gatekeeper configured as a proxy 

The GNU Gatekeeper is available at: 
http://www.willamowius.de/h323develop.html

Their mailing list for help is available at:
http://www.willamowius.de/openh323gk.html

That CVS version of the gatekeeper has several options that permit you
to install it on your NAT/PAT gateway and configure it to act as a
proxy. Once it is installed and configured to act as a proxy (see the
config file given below as an example), you can go in the GnomeMeeting
preferences and make GnomeMeeting register to that gatekeeper using a
given alias (Directory section to register to the gatekeeper, Personal
Data section to give the alias to use when registering).

Doing so, and provided that the correct ports are opened on the firewall
(read the section above, but keep in mind that the gatekeeper can use
other ports), you will be able to call registered and non-registered
endpoints. 

You can call a registered endpoint with GnomeMeeting using its
registering alias (for example, the user e-mail address if it is what
the external user chose to register on your gatekeeper). 

You can also call an unregistered endpoint using a URL of the form
@hostname (e.g.: @heraclite.ucl.ac.be to call heraclite.ucl.ac.be if
that machine is not registered to the gatekeeper).

External users cannot call you, unless they register to your
gatekeeper installed on your gateway, and they know what alias you
used to register to your gatekeeper.

The gatekeeper is able to work with H.245 Tunneling and without. It is
automatic.

Here is the config file gatekeeper.ini to configure it as a
gatekeeper/proxy:
[Gatekeeper::Main]
Fourtytwo=42

[RoutedMode]
GKRouted=1
AcceptUnregisteredCalls=0
SupportNATedEndpoints=1

[RasSvr::ARQFeatures]
CallUnregisteredEndpoints=1

[Proxy]
Enable=1

[GkStatus::Auth]
rule=allow

You can also more or less control the ports that are used using the
following parameters in the config file:
[RoutedMode]
Q931PortRange=20000-20020
H245PortRange=30000-30010

[Proxy]
T120PortRange=40000-40010
RTPPortRange=50000-59999


We recommend the use of the gatekeeper.

The gatekeeper will permit you to make calls from an internal
GnomeMeeting to external GnomeMeeting and Netmeeting users. 

External GnomeMeeting and Netmeeting users will have to register to the
gatekeeper to be able to call you using your alias.


b) RSIP


RSIP is available at:
http://openresources.info.ucl.ac.be/rsip/

RSIP is a new protocol which may be used as an alternative to the      
NAT/PAT. For example, we may use RSIP to share an Internet connection
between several computers.

You can use RSIP in conjunction with NAT. RSIP will require that you
install the RSIP server on your linux gateway and the RSIP client on the
linux machine where GnomeMeeting is running.

No need to worry about the firewall rules with RSIP on the gateway
because the packets will be routed before the rules are applied. You can
thus block all ports on the firewall.

You can get help about RSIP and GnomeMeeting at:
http://openresources.info.ucl.ac.be/rsip/howto.php


We recommend the use of RSIP.

RSIP will permit you to make calls from an internal GnomeMeeting to
external GnomeMeeting and Netmeeting users.

External GnomeMeeting users will be able to call you if they are using
H.245 Tunneling, and if you forward TCP port 1720 to your internal
machine. 

External Netmeeting users will be unable to call you because Netmeeting
doesn't support H.245 Tunneling and the port used for H.245 is random.


c) The H.323 netfilter module

Patches for the latest 2.4.x kernels to use H323 behind NAT are
available at:
http://roeder.goe.net/~koepi/

The original URL is:
http://www.kfki.hu/~kadlec/sw/netfilter/

The mailing list to get help is available at:
http://lists.samba.org/pipermail/netfilter/


To be able to receive calls, you can use the Prerouting Dynamic NAT
options of iptables:
iptables -A PREROUTING -t nat -p TCP -d $external_ip_of_your_firewall \
    --dport 1720 -j DNAT --to $ip_of_your_GM_box:1720

However, you have to know that those patches do not support H.245
Tunneling. It means that if you want to be able to receive incoming
calls from Netmeeting and GnomeMeeting users, you have to allow all
incoming TCP connections for all ports. If you do so, and if you disable
H.245 Tunneling in GnomeMeeting, you will be able to receive calls from
external GnomeMeeting and Netmeeting users. You can of course also
contact external GnomeMeeting and Netmeeting users, but again you will
have to disable H.245 Tunneling in the GnomeMeeting preferences.

That module and those patches are not yet included in the official
kernel tree. Moreover, they do not support H.245 Tunneling and thus
require you to allow incoming connections to a random TCP port if you
want to allow incoming calls from external users.

Installing and configuring it can be difficult. Using RSIP or the
Gatekeeper acting as a proxy is far easier to set up.



Please send comments to the mailing list.  

-- 
 _	Damien Sandras
(o-	GnomeMeeting - H.323 Videoconferencing Application -
//\		web:  http://www.gnomemeeting.org/
v_/_	H.323 phone:  callto://ils.seconix.com/dsandras seconix com
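As an added example (not part of the original mail and not GnomeMeeting's own code), the shell function below emits the full iptables rule set that section 1 and scenario (c) imply when H.245 Tunneling stays enabled: only TCP 1720 and UDP 5000-5004 are forwarded to the GnomeMeeting box, and the FORWARD chain keeps a DROP policy for everything else. The addresses 203.0.113.1 and 192.168.1.10 are constructed placeholders; the rules are printed first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: minimal NAT/firewall rules for one GnomeMeeting call with
# H.245 Tunneling enabled (TCP 1720 + UDP 5000-5004), per section 1 of the
# mail. Not GnomeMeeting's code; IPs are constructed examples.

# gm_nat_rules EXTERNAL_IP GM_BOX_IP -> prints the rules, one per line
gm_nat_rules() {
    ext_ip="$1"
    gm_ip="$2"
    # H.225 call signalling (and H.245, tunnelled inside it) on TCP 1720
    echo "iptables -t nat -A PREROUTING -p tcp -d $ext_ip --dport 1720 -j DNAT --to-destination $gm_ip:1720"
    # RTP/RTCP: GnomeMeeting takes the first free UDP ports above 5000,
    # so 5000-5004 covers the audio and video channels of a single call
    echo "iptables -t nat -A PREROUTING -p udp -d $ext_ip --dport 5000:5004 -j DNAT --to-destination $gm_ip"
    # FORWARD chain: default policy DROP, then only the forwarded flows
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -p tcp -d $gm_ip --dport 1720 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -d $gm_ip --dport 5000:5004 -j ACCEPT"
    # Calls placed by the GM box itself, and the replies to them
    echo "iptables -A FORWARD -s $gm_ip -j ACCEPT"
    echo "iptables -A FORWARD -d $gm_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# gm_nat_port_count EXTERNAL_IP GM_BOX_IP -> number of DNAT (port-forward)
# rules generated; a quick sanity check that nothing beyond 1720 and
# 5000-5004 is being exposed
gm_nat_port_count() {
    gm_nat_rules "$1" "$2" | grep -c -- '-j DNAT'
}

# gm_nat_apply EXTERNAL_IP GM_BOX_IP -> runs the rules (as root, on the gateway)
gm_nat_apply() {
    gm_nat_rules "$1" "$2" | sh -e
}

# Dry run when invoked directly: ./gm-nat.sh --print [EXTERNAL_IP] [GM_BOX_IP]
if [ "${1:-}" = "--print" ]; then
    gm_nat_rules "${2:-203.0.113.1}" "${3:-192.168.1.10}"
fi
```

Outbound calls still need the H.323 netfilter module from scenario (c) to rewrite the RTP ports the remote side sends to; these rules only cover the inbound forwards the mail lists.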




