NAT & H.323

The main goal of this page is to give some hints on how to properly "cook" a Linux box that supports H.323 network address translation.

New!!!

Since the 2.4.24 kernel you can get an already patched version.

What do you need?

Tested

Kernel   Patch            iptables   Result
2.4.18   newnat13         1.2.6?     ok
2.4.19   newnat16         1.2.6?     ok
2.4.20   helpers-2.4.20   1.2.7      ok
2.4.21   helpers-2.4.21   1.2.7      ok
2.4.24   integrated       1.2.9      ok

Steps to success

  1. Uncompress the kernel as usual ;-)
  2. Patch the kernel with Koepi's patch (if you didn't get the Debian package):
       shell>cd /usr/src/linux
       shell>gunzip -cd newnat13-and-helpers-2.4.18.gz | patch -p1 -E
    				
  3. Now configure your kernel to fit your needs and then configure the NAT as follows:
    [*] Network packet filtering (replaces ipchains)
    				

    After you have selected this option a new one will appear.

       IP: Netfilter Configuration  --->
    				

    Select it by pressing [enter] then select:

     <M> Connection tracking (required for masq/NAT)
     < >   FTP protocol support (NEW)
     < >   TFTP protocol support (NEW)
     <M>   talk protocol support (NEW)
     <M>   H.323 (netmeeting) support (NEW)
     < >   IRC protocol support (NEW)
     < >   GRE protocol support (NEW)
     < > Userspace queueing via NETLINK (EXPERIMENTAL)
     <M> IP tables support (required for filtering/masq/NAT)
     < >   limit match support (NEW)
     < >   MAC address match support (NEW)
     < >   netfilter MARK match support (NEW)
     < >   Multiple port match support (NEW)
     < >   TOS match support (NEW)
     < >   AH/ESP match support (NEW)
     < >   LENGTH match support (NEW)
     < >   TTL match support (NEW)
     < >   tcpmss match support (NEW)
     < >   Helper match support (NEW)
     < >   Connection state match support (NEW)
     < >   RPC match support (NEW)
     < >   Unclean match support (EXPERIMENTAL) (NEW)
     < >   Owner match support (EXPERIMENTAL) (NEW)
     < >   Packet filtering (NEW)
     <M>   Full NAT (NEW)
     <M>     MASQUERADE target support (NEW)
     <M>     REDIRECT target support (NEW)
     [*]     NAT of local connections (READ HELP) (NEW)
     < >     Basic SNMP-ALG support (EXPERIMENTAL) (NEW)
     < >   Packet mangling (NEW)
     < >   LOG target support (NEW)
     < >   ULOG target support (NEW)
     < >   TCPMSS target support (NEW)
     < > ipchains (2.2-style) support
     < > ipfwadm (2.0-style) support
    

    Note:

    This is a minimalistic setup; you should customize it to fit your needs.

  4. Compile it, install it and then...
  5. Compile or re-compile the iptables tool. This is really important: if you don't do this, you'll get an invalid argument error from iptables.
  6. To masquerade:

    shell>iptables -t nat -A POSTROUTING -o your_external_interface -j MASQUERADE
    				

    To translate H.323:

    shell>iptables -A PREROUTING -t nat -p TCP -d $external_ip_of_your_gateway --dport 1720 -j DNAT --to $ip_of_your_meeting_box:1720
    shell>iptables -A PREROUTING -t nat -p TCP -d $external_ip_of_your_gateway --dport 1503 -j DNAT --to $ip_of_your_meeting_box:1503
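
A check that the rules from step 6 landed as intended, as an added example that is not part of the original page: it reads `iptables-save -t nat` output and flags an H.323 DNAT rule that is missing, is not limited to the gateway's external address, or points at the wrong host. The function name `audit_h323_nat`, the sample dump and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Audit `iptables-save -t nat` output (read on stdin) against step 6.
# Usage: iptables-save -t nat | audit_h323_nat EXTERNAL_IP MEETING_BOX_IP
# Returns 0 when the rules look as intended, 1 otherwise.
audit_h323_nat() {
    awk -v ext="$1" -v box="$2" '
    # Value following option "opt" on the current rule line, or "".
    function arg(opt,   i) {
        for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
        return ""
    }
    function report(msg) { print msg; bad++ }

    $1 == "-A" && $2 == "PREROUTING" && arg("-j") == "DNAT" && arg("-p") == "tcp" {
        port = arg("--dport")
        if (port != "1720" && port != "1503") next
        seen[port] = 1
        # A host address may be printed with a /32 style mask.
        dst = arg("-d"); sub(/\/(32|255\.255\.255\.255)$/, "", dst)
        if (dst != ext)
            report("UNSCOPED: tcp/" port " DNAT is not limited to -d " ext)
        if (arg("--to-destination") != box ":" port)
            report("TARGET: tcp/" port " is not forwarded to " box ":" port)
    }
    $1 == "-A" && $2 == "POSTROUTING" && arg("-j") == "MASQUERADE" {
        masq = 1
        if (arg("-o") == "")
            report("MASQUERADE: rule is not bound to an output interface")
    }
    END {
        if (!("1720" in seen)) report("MISSING: no DNAT rule for tcp/1720")
        if (!("1503" in seen)) report("MISSING: no DNAT rule for tcp/1503")
        if (!masq) report("MISSING: no MASQUERADE rule in POSTROUTING")
        exit (bad > 0)
    }'
}

# Constructed sample dump (documentation addresses, not from the page).
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.1 -p tcp -m tcp --dport 1720 -j DNAT --to-destination 192.168.1.10:1720
-A PREROUTING -d 203.0.113.1 -p tcp -m tcp --dport 1503 -j DNAT --to-destination 192.168.1.10:1503
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
printf '%s\n' "$SAMPLE_OK" | audit_h323_nat 203.0.113.1 192.168.1.10 &&
    echo "nat table matches step 6"
```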
    				

Pierre Clérissi
Last modified: Wed Jan 7 23:15:53 CET 2004