Dear Folks,
Thank you for getting your great work into the mainstream kernel!
On your page http://nath323.sourceforge.net/, you suggest simply masquerading or SNATing the connection.
However, all "right thinking" sysadmins will have a default policy of DROP for input, output and forward, then open only the required ports.
So, if accepting established and related traffic with
-m state --state ESTABLISHED,RELATED
what are the minimum ports required for communicating with remote netmeeting clients using Ekiga (aka gnomemeeting) locally, for both initiating and receiving calls? Does ip_conntrack_h323 handle all the UDP ports as "related" to the incoming/outgoing TCP 1720 that we need to allow?
You are correct, a serious sysadmin will use your method to control related traffic. The example on my document is just for a quick start.
Yes, ip_conntrack_h323 can predict all RTP/RTCP, H.245, and T.120 connections related to a call.
There is no configuration difference for different H.323 endpoints as long as they support the standard H.323 protocol. For now, this module monitors only TCP port 1720 for Q.931 signals unless you use RAS, so when you write incoming/outgoing iptables rules for static endpoints, you can only specify port 1720.
Here is a simple example for the INPUT chain:
iptables -A INPUT -p tcp -s 172.16.0.1 --dport 1720 -j ACCEPT
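As an added illustration of the full picture described above (not from the nath323 project or either poster), the script below builds the default-DROP ruleset a "right thinking" sysadmin would use: policies set to DROP, ESTABLISHED,RELATED accepted so that the RTP/RTCP, H.245 and T.120 flows predicted by ip_conntrack_h323 get through, and only TCP 1720 (Q.931) opened statically for new connections. The peer address 172.16.0.1 is taken from the example rule above; the module name ip_conntrack_h323 is the one used in this thread. The `IPT`/`MODPROBE` variables default to `echo`, so running the script prints the commands instead of changing the firewall; set them to the real binaries to apply. RAS (UDP 1719) is not covered, matching the note that the helper only watches 1720 unless RAS is used.

```shell
#!/bin/sh
# Added example: minimal default-DROP firewall for a host running Ekiga with the
# H.323 conntrack helper. Dry-run by default: IPT and MODPROBE print the command
# that would be executed. Set IPT=iptables MODPROBE=modprobe to apply for real.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Load the helper that tracks Q.931 on TCP 1720 and registers the expected
# media/control connections as RELATED (module name from this thread).
load_h323_helper() {
    $MODPROBE ip_conntrack_h323
}

# Emit the ruleset for one remote H.323 endpoint ($1). Every line goes through
# $IPT so the function can be inspected before it touches the firewall.
h323_rules() {
    peer="$1"
    # Everything not explicitly allowed below is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback is needed by most desktop software, including Ekiga itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # RELATED is what admits the helper-predicted RTP/RTCP, H.245 and T.120
    # flows in both directions without opening any UDP range statically.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The single static hole: new Q.931 call setups on TCP 1720.
    # Receiving calls: the peer connects to us.
    $IPT -A INPUT -p tcp -s "$peer" --dport 1720 -m state --state NEW -j ACCEPT
    # Initiating calls: we connect to the peer.
    $IPT -A OUTPUT -p tcp -d "$peer" --dport 1720 -m state --state NEW -j ACCEPT
}

# Convenience: count the rules that open port 1720 (used to sanity-check the
# generated set; expected to be exactly two, one per call direction).
count_1720_rules() {
    h323_rules "$1" | grep -c -- '--dport 1720'
}

# Stand-alone run: print the commands for the peer from the thread.
load_h323_helper
h323_rules 172.16.0.1
```

With the defaults the script only prints nine iptables lines and one modprobe line, so it can be reviewed in a shell before being re-run with `IPT=iptables MODPROBE=modprobe sh script.sh` on the firewall host.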
Wonderful! Bless you.