NetMeeting and GnomeMeeting


NetMeeting (http://www.microsoft.com/windows/netmeeting/) is Microsoft's other "instant" messaging client (the main one being MSN Messenger, not the MSN ISP/portal). In terms of user numbers it is nowhere near the other clients, but among business users it is fairly common and lends itself to collaborative work, including remote desktop sharing. Unlike the other IM services, NetMeeting does not require access to central servers on the Internet to function. It also speaks several complex protocols, including H.323, the signalling and media protocol suite used for voice-over-IP traffic.

GnomeMeeting (http://www.gnomemeeting.org) is the open source counterpart to Microsoft's NetMeeting, and is included by default with many Linux distributions these days, including Red Hat, SuSE, Mandrake, and Debian.

Connecting to a Remote NetMeeting/GnomeMeeting Client from Behind an iptables Firewall (Outbound Calls Only)

Generally this is a straightforward setup. If you are running a standard masquerading or NAT firewall, no special settings are required. If you do have difficulty establishing NetMeeting connections across the firewall, ensure that connection tracking is enabled (so that the replies to your outbound call are matched as ESTABLISHED) and that no rules in the OUTPUT chain (for a client running on the firewall itself) or the FORWARD chain (for clients behind it) block the following ports:

TCP 1720

TCP 30000-30010

UDP 5000-5007

UDP 5010-5013
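As an added check, and not code from the book: the following shell script scans an iptables-save dump for OUTPUT or FORWARD rules that DROP or REJECT traffic on the ports listed above, and also reports a DROP chain policy, which blocks everything not explicitly accepted. The SAMPLE_RULES dump is constructed for illustration; on a live firewall pipe iptables-save into the function instead.

```shell
#!/bin/sh
# Added example, not from the book: look for rules that would block the
# H.323 ports listed above. Feed it iptables-save output. SAMPLE_RULES is a
# constructed dump for illustration; on a real firewall use:
#   iptables-save | h323_blockers
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1720 -j DROP
-A FORWARD -p udp -m udp --dport 5000:5007 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Print each OUTPUT/FORWARD rule that DROPs or REJECTs traffic whose --dport
# or --sport overlaps an H.323 port range, plus any DROP chain policy line.
h323_blockers() {
    awk '
    # p is "n" or "n:m" as written by iptables-save; true if it overlaps lo..hi
    function overlaps(p, lo, hi,    a, from, to) {
        split(p, a, ":")
        from = a[1] + 0
        to = (a[2] == "") ? from : a[2] + 0
        return (to >= lo && from <= hi)
    }
    /^:(OUTPUT|FORWARD) DROP/ { print; next }
    /^-A (OUTPUT|FORWARD) / && /-j (DROP|REJECT)/ {
        proto = ""; port = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport" || $i == "--sport") port = $(i + 1)
        }
        if (port == "") next
        if (proto == "tcp" && (overlaps(port, 1720, 1720) || overlaps(port, 30000, 30010))) hit = 1
        if (proto == "udp" && (overlaps(port, 5000, 5007) || overlaps(port, 5010, 5013))) hit = 1
        if (hit) print
    }'
}

# Connection tracking is what lets the replies to an outbound call back in.
# Older kernels expose the table as /proc/net/ip_conntrack, newer ones as
# /proc/net/nf_conntrack; if neither exists the module is not loaded.
conntrack_present() {
    [ -r /proc/net/ip_conntrack ] || [ -r /proc/net/nf_conntrack ]
}

# Stand-alone demo against the constructed dump.
printf '%s\n' "$SAMPLE_RULES" | h323_blockers
conntrack_present || echo "connection tracking does not appear to be loaded"
```

Against the sample dump the function reports the OUTPUT rule dropping TCP 1720 and the FORWARD rule rejecting UDP 5000-5007, and nothing else. An empty result on a live box means no explicit blocker in those two chains; it says nothing about rules in user-defined chains that OUTPUT or FORWARD jump to, so check those by hand if a call still fails.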

Connecting to a NetMeeting/GnomeMeeting Client Behind a netfilter/iptables Firewall (Inbound/Outbound Calls)

There are two ways of allowing inbound Net/GnomeMeeting connections through a firewall; which one you need depends on the number of users that require Net/GnomeMeeting access. The first method is a Single-Use configuration, in which only one system on the inside of the firewall can accept inbound connections, because all H.323 traffic arriving on the public interface is forwarded to that one host. This is the simplest configuration and causes the least hassle for remote users attempting to communicate with you.

For users of GnomeMeeting, version 0.94 and later have considerably improved support for crossing NAT devices. Specifically, you will need to make your GnomeMeeting client "NAT aware" by selecting the following under Preferences:

Figure 17.1. GnomeMeeting NAT preferences.


Single-Use configuration is as follows (this script was modified from the fantastic documentation provided by the GnomeMeeting developers):

    #!/bin/bash
    # = where the iptables binary resides (see "type -p iptables")
    IPTABLES=/sbin/iptables
    # = your public Internet device
    OUT_DEV=eth0
    # = your internal device
    IN_DEV=eth1
    # = host to which the incoming H.323 traffic is forwarded
    IN_HOST=192.168.70.18

    TCP_PORT_RANGE=30000:30010
    RTP_PORT_RANGE=5000:5007
    TCP_LISTENING_PORT=1720
    GK_PORT_RANGE=5010:5013

    # TCP_PORT_RANGE      - H.245, if no tunneling is used
    # RTP_PORT_RANGE      - RTP connections (2 audio, 2 video - RTP and RTCP)
    # TCP_LISTENING_PORT  - H.323 (H.225 call signalling) port
    # GK_PORT_RANGE       - only if an external gatekeeper is used

    # activate masquerading on the public interface
    $IPTABLES -t nat -A POSTROUTING -o $OUT_DEV -j MASQUERADE

    # set incoming port forwarding. Note that every rule is inserted at
    # position 1, ahead of anything already in the chain, and that no source
    # address is matched: any host on the Internet can reach $IN_HOST on
    # these ports. Add -s <caller-network> to the rules if you can.
    $IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p tcp \
        --dport $TCP_PORT_RANGE -j DNAT --to-dest $IN_HOST
    $IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p udp \
        --dport $RTP_PORT_RANGE -j DNAT --to-dest $IN_HOST
    $IPTABLES -I FORWARD 1 -p tcp -i $OUT_DEV \
        --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
    $IPTABLES -I FORWARD 1 -p udp -i $OUT_DEV \
        --dport $RTP_PORT_RANGE -d $IN_HOST -j ACCEPT
    $IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p tcp \
        --dport $TCP_LISTENING_PORT -j DNAT --to-dest $IN_HOST
    $IPTABLES -I FORWARD 1 -p tcp -i $OUT_DEV \
        --dport $TCP_LISTENING_PORT -d $IN_HOST -j ACCEPT

    # add port forwarding for an external gatekeeper
    $IPTABLES -t nat -I PREROUTING 1 -i $OUT_DEV -p udp \
        --dport $GK_PORT_RANGE -j DNAT --to-dest $IN_HOST
    $IPTABLES -I FORWARD 1 -p udp -i $OUT_DEV \
        --dport $GK_PORT_RANGE -d $IN_HOST -j ACCEPT
    # ACCEPT in the nat table means "apply no further NAT"; since the
    # MASQUERADE rule above is bound to $OUT_DEV this is harmless.
    $IPTABLES -t nat -I POSTROUTING 1 -o $IN_DEV \
        -d $IN_HOST -p udp --dport $GK_PORT_RANGE -j ACCEPT

To reach multiple Net/GnomeMeeting clients behind your firewall, you will need to run the GNU Gatekeeper (GnuGk) as a proxy on the gateway (http://www.willamowius.de/h323develop.html). Note that the sample gatekeeper.ini below sets [GkStatus::Auth] rule=allow, which accepts connections to the gatekeeper's status port from any address; that port takes control commands as well as monitoring queries, so restrict it to the addresses that need it before exposing the gateway to the Internet.

Directly from the GnomeMeeting Website's Documentation

The latest versions of the gatekeeper have several possibilities that permit you to install it on your NAT/PAT gateway and configure it to act as a proxy. After it is installed and configured to act as a proxy (see the config file given below as example), you can go in the GnomeMeeting preferences and make GnomeMeeting register to that gatekeeper using a given alias (Directory section to register to the gatekeeper, Personal Data section to give the alias to use when registering).

Doing so, and provided that the correct ports are open on the firewall (read the previous section, but keep in mind that the gatekeeper can use other ports), you will be able to call registered and non-registered endpoints.

You can call a registered endpoint with GnomeMeeting using its registering alias (for example, the user e-mail address if it is what the external user chose to register on your gatekeeper).

You can also call an unregistered endpoint using a URL of the form @hostname (for example, @heraclite.be to call heraclite.be if that machine is not registered to the gatekeeper).

External users cannot call you except if they register to your gatekeeper installed on your gateway and if they know what alias you used to register to your gatekeeper.

The gatekeeper is able to work with H.245 Tunneling and without. It is automatic.

Here is the config file gatekeeper.ini to configure it as a gatekeeper/proxy:

    [Gatekeeper::Main]
    Fourtytwo=42

    [RoutedMode]
    GKRouted=1
    AcceptUnregisteredCalls=0
    SupportNATedEndpoints=1

    [RasSvr::ARQFeatures]
    CallUnregisteredEndpoints=1

    [Proxy]
    Enable=1

    [GkStatus::Auth]
    rule=allow

You also can more or less control the ports that are used using the following parameters in the config file:

    [RoutedMode]
    Q931PortRange=20000-20020
    H245PortRange=30000-30010

    [Proxy]
    T120PortRange=40000-40010
    RTPPortRange=50000-59999

We recommend the use of the gatekeeper. The gatekeeper will permit you to make calls from an internal GnomeMeeting to external GnomeMeeting and NetMeeting users. External GnomeMeeting and NetMeeting users will have to register to the gatekeeper to be able to call you using your alias.

Blocking Outbound NetMeeting/GnomeMeeting Traffic

Blocking outbound Net/GnomeMeeting traffic takes a few basic iptables filter rules: log the attempt (rate-limited, so a chatty client cannot fill the log), then drop it.

    # these rules log attempts to use Net/GnomeMeeting. TCP 1503 is the T.120
    # data-conferencing channel (application/desktop sharing); TCP 1720 is the
    # H.225 call-signalling port. The prefix must stay within the 29-character
    # limit iptables enforces for --log-prefix; the original
    # "Policy Violation: Net/Gnome meeting: " is 37 characters and is rejected
    # when the rule is loaded.
    $IPTABLES -A FORWARD -p tcp --dport 1503 -m limit \
        --limit 1/second -j LOG --log-level info \
        --log-prefix "Policy Violation: H.323: "
    $IPTABLES -A FORWARD -p tcp --dport 1720 -m limit \
        --limit 1/second -j LOG --log-level info \
        --log-prefix "Policy Violation: H.323: "
    # and these drop the connections
    $IPTABLES -A FORWARD -p tcp --dport 1720 -j DROP
    $IPTABLES -A FORWARD -p tcp --dport 1503 -j DROP

Ensure that these rules appear before any global ACCEPT rules: iptables evaluates a chain top to bottom and the first matching rule decides, so a preceding ACCEPT would let the call through untouched. The rules above use -A (append); if permissive rules are already loaded, use -I to insert these at the head of the chain instead. Also remember that they only match the standard call-setup ports. A gatekeeper configured with a different Q931PortRange, as in the gatekeeper.ini above, or an endpoint listening on a non-standard port is not caught by them.
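Once the LOG rules are in place, the kernel log tells you who keeps trying. The following script is an added example, not from the book: it summarises the "Policy Violation" entries by source host and destination port. The SAMPLE_LOG lines are constructed syslog output (the prefix "Policy Violation: H.323: " is an assumed --log-prefix value; the function keys only on the "Policy Violation:" stem, so any prefix starting with those words works).

```shell
#!/bin/sh
# Added example, not from the book: summarise the "Policy Violation" entries
# that the LOG rules write to the kernel log, per source host and destination
# port. SAMPLE_LOG is constructed; on a real box use:
#   policy_violations < /var/log/messages      (or: dmesg | policy_violations)
SAMPLE_LOG='Jun  3 10:01:12 fw kernel: Policy Violation: H.323: IN=eth1 OUT=eth0 SRC=192.168.70.18 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=33011 DPT=1720 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:01:15 fw kernel: Policy Violation: H.323: IN=eth1 OUT=eth0 SRC=192.168.70.18 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=33012 DPT=1720 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:02:40 fw kernel: Policy Violation: H.323: IN=eth1 OUT=eth0 SRC=192.168.70.33 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=41020 DPT=1503 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 10:02:41 fw sshd[812]: Accepted publickey for admin from 192.168.70.2 port 51200 ssh2'

# Reads syslog text on stdin; prints "SRC DPT count", busiest first. Keys on
# the "Policy Violation:" stem so it works whatever follows in --log-prefix.
policy_violations() {
    awk '/Policy Violation:/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "SRC=") == 1) src = substr($i, 5)
            if (index($i, "DPT=") == 1) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# Only the host/port pairs seen at least N times (default 2): the hosts worth
# a visit rather than a one-off misclick.
repeat_offenders() {
    policy_violations | awk -v n="${1:-2}" '$3 >= n'
}

# Stand-alone demo against the constructed log.
printf '%s\n' "$SAMPLE_LOG" | policy_violations
```

Against the sample log the summary is "192.168.70.18 1720 2" followed by "192.168.70.33 1503 1"; the sshd line is ignored. Because the LOG rules carry -m limit --limit 1/second, the counts are a floor: a client retrying faster than once a second is dropped every time but logged at most once a second.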



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    EAN: N/A
    Year: 2004
    Pages: 169
