ip_masq_netmeeting.c module testers

Alex Nicolaou (anicolao@mud.cgl.uwaterloo.ca)
Wed, 24 Nov 1999 07:53:07 -0500

I am looking for a group of people who are interested in testing a new
ip_masq module which allows netmeeting or sunforum sessions through
linux firewalls using IP masquerade.

I am testing using SunForum 3 to call NetMeeting 3 and it is looking
good. I'd like to get others to test the various configurations with me,
including sunforum -> sunforum and netmeeting -> netmeeting.

Please respond by private e-mail. Once the test group has concluded that
it is stable I'll post the module to l-k. If you want to help out,
please be sure that you're comfortable sniffing your network for packets
and searching through the hex dumps for the appropriate bits of data.

The PS includes an explanation of what the module does and why it is
necessary. Theoretically this type of solution is necessary for any
H.323 based conferencing program but I currently only plan to get
netmeeting/sunforum working, since that's my particular itch.


P.S. Why this is needed and how it works:

In a netmeeting connection, IP addresses are exchanged in the TCP data
portion of packets. This means that the H.245/323 connection used for
voice and video cannot be forwarded across a NAT firewall without
filtering the application level data.

For example, suppose my machine internal to my network has IP X, and my
firewall has IP F. If I call IP Y, my machine sends a packet to Y
containing X, and Y proceeds to send audio data to X; of course X cannot
be reached because it is not a real IP address but exists only
internally to my own network. Meanwhile, my audio transmission works
because Y is not firewalled, although if Y was also firewalled audio
would fail in both directions.

This situation is aggravated by the fact that Netmeeting sets up
additional connections on randomly chosen ports in the range 1024-65535.
What happens is that in the initial negotiation on a known port a new
dynamically selected port is chosen and that new port is used for
communication of the audio/video link connection.

The masq module watches for the packets that open up new connections. It
both masqs and filters those connections. The filter takes addresses
that are internal to the network being masqed and rewrites them to the
firewall's address. So, the module effectively rewrites the application
protocol data which contains IP address X and changes it to IP address
F, and masq's the returning audio packets so that they'll reach their
intended destination.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/