Re: [GnomeMeeting-list] no incoming audio?



Hi,

First of all, I'm not a firewall expert, but other people here have
successfully configured their firewall and perhaps they will help.

Read comments inline.

On Wed 13-03-2002 at 00:27, Jeffrey Bell wrote:
> Hi,
> 
> I've been reading mail archives, searching the net for a solution to my
> problem I can't seem to fix. After all the reading I have done, I buried
> myself and can't seem to figure it out.
> 
> I will start by explaining what I have and what I am trying to
> accomplish.
> 
> I have a firewall set up on a debian box, running 2.4.17 with the cvs
> newnat-0.7 applied and have recompiled the kernel, rebooted the new kernel
> and have the modules (ip_conntrack_h323, ip_nat_h323) installed. I use
> iptables and have a script that loads a set of rules upon connecting to
> net each time.
> 
> My workstation which is also a debian box running 2.4.17 and uses
> GM-0.12.2 with MS-GSM set as my first audio codecs. It sits behind the
> firewall and has an IP of 192.168.1.9. I am trying to receive calls and
> audio from a user who runs Windows, with the newest NM and uses GSM 6.10
> for audio compression.
> 
> The NM user can receive my video/audio signals, very clear. I can
> receive the NM users video but no audio. 
> 
> The NM user cannot call me, nor any other person who is running GM. 
> I have called a GM user and he sees/hears me great. I see him but again
> no audio.
> 
> I have checked my hardware to make sure my speakers are in working condition.
> So a hardware problem is ruled out.


It would be interesting to test if recording is ok. Have you tested the
recording? Imagine that your configuration is ok, but that simply, your
soundcard is not full-duplex or something like that?
Try the rec command, provided with sox, to test.

> 
> I have read somewhere about certain ports needing to be open for
> NM/GM. I have applied the suggested rules to my firewall box to allow
> these ports in/out. 
> 
> Still nothing, no incoming sound.
> 
> I am a bit confused with H.245 tunneling. I read somewhere about NM not
> understanding tunneling. So, If my GM client sits behind my FW, should I
> use H.245 tunneling of GM if I choose to talk to a NM client outside the
> local net? or to another GM user outside the local net?
> 

You should disable H.245 Tunneling. Using H.245 Tunneling permits
sparing one random TCP port, but unfortunately, the masquerading module
does not seem to support it.

> 
> 
> I have found this info for FW rules:
> 
> Allow in/out TCP port 1720 to receive incoming calls and outgoing calls.
> 
> Allow in/out TCP ports 5000:5001 (GM only)

Wrong! UDP ports! The Netmeeting will try to open those ports on your
side for audio and video. I thought that only GM was doing that and that
it was totally random for NM, but it seems that NM will also use those
ports. Paradoxically, I'm not an expert in the behavior of NM!

> Allow in/out TCP ports 1024:65535 (all others, NM)
> 

That is for the H.245 TCP channel.

> Allow in/out UDP ports 5000:5001 (GM only)
Correct, but no need for the TCP 5000:5001.

Try to add 5002 and 5003 too (for NM, who knows?)

> Allow in/out UDP ports 1024:65535 (all others, NM)
> 

Wrong, I don't think they are needed.

> Then I read that the H.323 conntrack/NATing modules support the
> connections of the dyn ports. Then why do I need to allow the 5000:5001
> and the 1024:65535 ports in? Don't these modules take care of these?

It takes care of these, but if you block all ports, the module will not
have time to take care of them. So if you block all ports, you have to open
the needed ports.

> 
> So my plea for help is this:
> 
> Is there anyone who has a setup similar to mine, running iptables on a
> FW with a GM client sitting behind it also running linux out there who
> can send me a few rules that they use on their FW to allow
> incoming/outgoing calls with audio both ways.
> 
> I have played hell trying to figure this all out, what with iptables, GM
> settings is confusing the hell out of me now.
> 
> Should there not be just a few FW rules to fix this problem easily?
> 

We achieved a working setup for people I helped, but it was always for
GM to GM. If you are successful, it would be kind to report it here.

Paul has sent some rules to the mailing list some time ago. Just browse
the archives.

> 
> -- 
> Jeffrey Bell <jfbell earthlink net>
>    -------------------------------------------------------------
>    Research is what I'm doing when I don't know what I'm doing.
>                         -- Wernher von Braun --
> 
> _______________________________________________
> Gnomemeeting-list mailing list
> Gnomemeeting-list gnome org
> http://mail.gnome.org/mailman/listinfo/gnomemeeting-list
> 
> 
-- 
 _	Damien Sandras
(o-	GnomeMeeting - H.323 Video-Conferencing application -
//\		web:  http://www.gnomemeeting.org/
v_/_	FOSDEM 2002  - Free Software and Open Source Developers Meeting -
		web:  http://www.fosdem.org/

Attachment: signature.asc
Description: This is a digitally signed message part
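
The port list worked out in this message, collected into one rule generator. This is an added example, not part of the original e-mail or of GnomeMeeting: it only prints the commands for review. The interface name ppp0, a DROP-by-default FORWARD chain, already-working outbound masquerading and the function names are assumptions; the address 192.168.1.9 and the ports come from the thread.

```shell
#!/bin/sh
# Added example: prints, and never applies, iptables rules for the ports
# named in the thread so they can be reviewed before use.
# Assumptions: FORWARD policy is DROP, outbound LAN traffic is already
# allowed and masqueraded, function names are made up for this example.

emit_inbound() {   # $1 = protocol, $2 = destination port or range
    echo "iptables -t nat -A PREROUTING -i $wan_if -p $1 --dport $2 -j DNAT --to-destination $host"
    echo "iptables -A FORWARD -i $wan_if -d $host -p $1 --dport $2 -j ACCEPT"
}

h323_rules() {     # $1 = WAN interface, $2 = LAN host, $3 = yes|no
    wan_if=$1
    host=$2
    open_h245=$3

    # Helper modules named in the post; they track H.323 signalling
    echo "modprobe ip_conntrack_h323"
    echo "modprobe ip_nat_h323"

    # Replies, plus connections the helper has marked as expected
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Incoming call setup, forwarded to the single workstation only
    emit_inbound tcp 1720
    # Audio/video: UDP, not TCP; 5002-5003 added as the reply suggests
    emit_inbound udp 5000:5003

    # Wide H.245 TCP range from the thread: opt-in only, and still
    # limited to the one host rather than the whole LAN
    if [ "$open_h245" = "yes" ]; then
        emit_inbound tcp 1024:65535
    fi
}

# Print the rule set for the workstation address used in the post
h323_rules ppp0 192.168.1.9 no
```

Passing `yes` as the third argument adds the TCP 1024:65535 range from the quoted rule list; with `no`, the H.245 channel depends on the conntrack helper and the RELATED rule.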


