New H.323 conntrack & NAT helper module

Greg Scott GregScott at
Sat Feb 25 05:00:04 CET 2006

Holey moley - this is GREAT news!!

A couple questions.  Will this module work with 2.6.16 and upcoming
newer kernels?  And - this is a biggie - the documentation says all I
need to do is SNAT TCP 1720 for outbound calls and DNAT TCP 1720 for
inbound calls.  No more tinkering by hand with zillions of TCP/UDP ports
- no more trying to figure out if Polycom or Tandberg or whatever is on
which end.  Is this really true???  Will this patch really figure out
and track the dynamic ports these devices use by default?  If so, then

Also - will it work with proxy ARP?  Let's say I proxy ARP an H.323
device behind the firewall.  Will this patch still handle connection
tracking, even though there is no NAT?  The idea is, I would put a rule
in the FORWARD table for TCP 1720 and the patch would "know" it's an
H.323 device and also track and forward the appropriate TCP and UDP
ports.  But it would be to a public IP Address proxy ARP'd behind the
firewall instead of a NAT'd device.  


- Greg Scott

-----Original Message-----
From: netfilter-devel-bounces at
[mailto:netfilter-devel-bounces at] On Behalf Of Jing
Min Zhao
Sent: Tuesday, February 21, 2006 11:57 PM
To: netfilter-devel at
Subject: New H.323 conntrack & NAT helper module

Hi, all,

I've written a new H.323 conntrack & NAT helper module for Netfilter.

I have five years' experience in H.323 development and many years in
Linux development, so I know many people out there need the Linux firewall
to support H.323 as IP phones are becoming more and more popular. I also
know Jozsef Kadlecsik and Max Kellermann have written such Netfilter
modules, but they don't support RAS, Fast-Start and H.245 tunnelling.
However, these features are essential for most modern H.323 devices.
Many carriers don't even support slow-start at all.

This is an almost full-featured H.323 module. Since it is based on H.225
version 4, H.235 version 2 and H.245 version 7, it should support most
of the H.323 products in the market. I've spent a lot of time on this
module and my friends helped me test it a lot too. Now I believe it is
ready to go into the kernel tree. I'm wondering if anybody can tell me what
I should do to add it to Netfilter.

Anybody interested in this can download the patch for kernel 2.6.15 in The
document is at

Thanks a lot!

Jing Min Zhao
