New H.323 conntrack & NAT helper module
GregScott at InfraSupportEtc.com
Sat Feb 25 05:00:04 CET 2006
Holey moley - this is GREAT news!!
A couple questions. Will this module work with 2.6.16 and upcoming
newer kernels? And - this is a biggie - the documentation says all I
need to do is SNAT TCP 1720 for outbound calls and DNAT TCP 1720 for
inbound calls. No more tinkering by hand with zillions of TCP/UDP ports
- no more trying to figure out if Polycom or Tandberg or whatever is on
which end. Is this really true??? Will this patch really figure out
and track the dynamic ports these devices use by default? If so, then
Also - will it work with proxy ARP? Let's say I proxy ARP an H.323
device behind the firewall. Will this patch still handle connection
tracking, even though there is no NAT? The idea is, I would put a rule
in the FORWARD table for TCP 1720 and the patch would "know" it's an
H.323 device and also track and forward the appropriate TCP and UDP
ports. But it would be to a public IP Address proxy ARP'd behind the
firewall instead of a NAT'd device.
- Greg Scott
From: netfilter-devel-bounces at lists.netfilter.org
[mailto:netfilter-devel-bounces at lists.netfilter.org] On Behalf Of Jing
Sent: Tuesday, February 21, 2006 11:57 PM
To: netfilter-devel at lists.netfilter.org
Subject: New H.323 conntrack & NAT helper module
I've written a new H.323 conntrack & NAT helper module for Netfilter.
I have five years' experience in H.323 development and many years in
Linux development, so I know many people out there need the Linux firewall
to support H.323 as IP phones are becoming more and more popular. I also
know Jozsef Kadlecsik and Max Kellermann have written such Netfilter
modules, but they don't support RAS, Fast-Start and H.245 tunnelling.
However, these features are essential for most modern H.323 devices.
Many carriers don't even support slow-start at all.
This is an almost full-featured H.323 module. Since it is based on H.225
version 4, H.235 version 2 and H.245 version 7, it should support most
of the H.323 products in the market. I've spent a lot of time on this
module and my friends helped me test it a lot too. Now I believe it is
ready to go into the kernel tree. I'm wondering if anybody can tell me what
I should do to add it to Netfilter.
Anybody interested in this can download the patch for kernel 2.6.15 in
document is at http://nath323.sourceforge.net.
Thanks a lot!
Jing Min Zhao