How to set up iptables etc to work with netmeeting / gnomeme

[riggagoogoo]

Hi,

I want to use Gnomemeeting to connect to my buds PC who is using netmeeting(Win XP connected through a linux gateway/firewall) , can anyone advise what I need to do to get this working i.e. do i need additional kernel modules (his and my servers are both using 2.4.18 kernel and iptables), what firewall rules etc, or simply point me in the right direction to a Howto or something. I have searched the forum but no real help.

Any help appreciated

Regards

RiGGa

[esammer]

First off, you'll probably want to know what port(s) <x>meeting uses. The easiest way to see what's really going on is to enable logging on the firewall and see if it's blocking packets from your friend's IP and on what port they're arriving / destined for.

(The following assumes you have iptables support in the kernel with LOG target support.)

This is from my firewall / router:

Code: Select all

shingi root # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
*** A BUNCH OF ALLOW RULES ARE HERE ***
block      all  --  anywhere             anywhere           state INVALID,NEW 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain block (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere           LOG level warning prefix `REJECT ' 
DROP       all  --  anywhere             anywhere

You can see I added a new chain called 'block'. This rule is applied after specific services are allowed through (i.e. last). If no ALLOW rule applies, the 'block' rule will and it "jumps" to the 'block' chain. Once there, it logs the packet to syslog and DROPs it, effectively giving me a basic method of viewing what gets denied.

To get a FULL view of what's going on, you can create a chain that is applied *first* and applies to any source / dest that simply LOGs the packet and jumps to 'ACCEPT' (or whatever your security policy dictates). BE VERY CAREFUL WHEN DOING THIS as it can open up your firewall. If you want to be super careful, you can do it as I have and default to DROP so anything that is not explicitly allowed is denied. (Of course, not all of my rules are shown for my own security purposes).

As for the syntax of adding, removing, and showing rules, the 'iptables --help' is fairly simple to grok. Here's a quick version, BUT READ THE DOCS FIRST as you should always know what you're doing in terms of security to your firewall:

Code: Select all

# iptables --new mylogger
# iptables -L
** OTHER STUFF ***
Chain mylogger (0 references)
target     prot opt source               destination         
# iptables -A mylogger -j LOG --log-level warning --log-prefix 'iptables reject:'
# iptables -I FORWARD 1 -j mylogger

Your /var/log/messages file should start scrolling. Get your info from there.

Be careful. Read the iptables docs.
Hope this helps (and I hope it's not too confusing)

[magnet]

there is a section in gnomemeeting , on how to setup your firewall.this should works with your netmeeting too.

http://www.gnomemeeting.org/index.php?r ... =x269.html

[esammer]

See, that's what I get for not just checking google before going into a long winded explanation about iptables...

:: Hand, staple, forehead, repeat ::

[magnet]

[riggagoogoo]

Cool thanks for the quick response however do I need any specific kernel modules? I have to set this up on my server that my Gentoo workstation is connected too and my buds server which connects to his Win XP box. Our servers are set up identical apart from the obvious stuff so I assume what I have to do on mine I will also have to repeat on his to allow his netmeeting to work.

[sschlueter]

I want to use Gnomemeeting to connect to my buds PC who is using netmeeting(Win XP connected through a linux gateway/firewall) , can anyone advise what I need to do to get this working i.e. do i need additional kernel modules (his and my servers are both using 2.4.18 kernel and iptables), what firewall rules etc, or simply point me in the right direction to a Howto or something. I have searched the forum but no real help.

Are both of you behind a NAT router (using private IP addresses)?

If that's the case, then it won't be sufficient to configure iptables to accept incoming connections and forward some ports (as esammer suggested). The H323 protocol is a damn ugly thing.

While Gnomemeeting can be configured to act in a more NAT-friendly way (see the link that magnet has posted), Netmeeting can't be configured this way (at least not AFAIK). So this won't help.

What you can do:

1. There is a iptables conntrack/nat module for the H323 protocol. But it's not part of the vanilla kernel. You can find it here: http://www.netfilter.org/documentation/ ... ntrack-nat

2. You can set up a vpn so that you have a direct ip-to-ip connection (using virtual ips) to your bud. One of the easiest vpn solutions is OpenVPN. Since you have a direct IP connection, this solutions not only works for Netmeeting but for all other kinds of strange (nat unfriendly) protocols.

[riggagoogoo]

We are both behind linux servers running iptables using NAT... l assume the h323-conntrak-nat module will work with kernel 2.4.18 ??. That said I do like the idea of a VPN, I will take a look at OpenVPN and post back waht I decide to try and how well it all works.

Thanks for all your help

RiGGa

[jackrabbit123]

You can also try opengk to get this working. It's a gatekeeper that you'd set up on your server. It will then be able to route packets between the outside world and your internal LAN.