On Tue, Feb 19, 2002 at 04:33:34PM +0100, Clément Moreau wrote:
> I have an arm-linux based router that does NAT (MASQUERADE) between a private
> network (with ppp interfaces) and a public network. When I tried to use the
> Windows NetMeeting application, I couldn't get video to pass through my
> router (from the public network to the private one it does NOT work, from
> the private to the public it DOES work).
> I found a h323 patch in the netfilter cvs repository, and I applied it on my
> linux-2.4.17 kernel.
> But I am still blocked by the NAT router, and the patch doesn't change
> anything.
> I have turned debugging options on, and I'm sending the beginning of the
> trace below.
>
> Does anyone have an idea?
> Has anyone tried to use this patch on ARM?
Firstly, you must have the ARM alignment trap enabled. Secondly, if you have "the wrong" IP address, the H.323 NAT module will totally mess up.

I have a violent disagreement with the H.323 NAT module, to the extent that I'd rather not use it, but re-number my network to eliminate the NAT. The H.323 NAT module and the H.323 protocol create too much of a security risk IMHO.

Let me enlighten you to how the NAT module works. It knows nothing about the H.323 protocol. Instead, it applies the brute-force approach, and searches for 4 bytes that look like an IP address. On finding this, they change these bytes to be the new source or destination address. They also assume the next two bytes are a port number.

The protocol is encapsulated within RFC1006/2126 headers. This is a 4 byte header, consisting of: 0x03, 0x00, <16-bit length>. This header is not checked.

Here, the first outgoing packet from GnomeMeeting appears to be 0x03, 0x00, 0x00, 0xa5. However, think about these 4 bytes, and your IP address. Let's say your IP address is 3.0.0.165. Compare that with the bytes above; it happens to be the same. The result is that the H.323 NAT module believes that this is the IP address, and performs whatever NAT processing it requires on it.

I have had a look at implementing a better NAT module for this protocol, but gave up since the protocol defies all attempts at simple analysis. So I renumbered my network instead.
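The collision described in the reply above is easy to reproduce on the bench. The following C program is an added illustration, not netfilter's H.323 NAT code and not something from either poster: it models the brute-force scan the reply describes (find the 4 bytes of the inside address anywhere in the packet, assume 2 port bytes follow) and, beside it, a hypothetical header-aware variant that validates the RFC 1006 (TPKT) header before looking at the payload. Both packets are constructed here: the first carries only the header `03 00 00 a5` from the trace plus a few made-up payload bytes, the second is a 12-byte TPKT whose payload genuinely contains 10.0.0.1 followed by port 1720. The addresses 3.0.0.165 and 10.0.0.1 are the reply's example and an assumed private address respectively.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample 1: the TPKT (RFC 1006) header from the trace,
 * 03 00 <16-bit length> with length 0x00a5, followed by made-up payload
 * bytes.  The buffer is deliberately shorter than the declared length. */
static const uint8_t pkt_header_only[] = {
    0x03, 0x00, 0x00, 0xa5,
    0x08, 0x02, 0x00, 0x01, 0x05, 0x04
};

/* Constructed sample 2: a complete 12-byte TPKT whose payload really does
 * carry the address 10.0.0.1 followed by port 1720 (0x06b8). */
static const uint8_t pkt_with_addr[] = {
    0x03, 0x00, 0x00, 0x0c,
    0x08, 0x02,
    0x0a, 0x00, 0x00, 0x01,
    0x06, 0xb8
};

const uint8_t ADDR_3_0_0_165[4] = {3, 0, 0, 165};  /* collides with the header */
const uint8_t ADDR_10_0_0_1[4]  = {10, 0, 0, 1};   /* assumed inside address */

/* Brute-force approach from the reply: scan the whole packet for the 4
 * address bytes and assume 2 port bytes follow.  Returns the offset of the
 * first match, or -1 if there is none. */
long naive_find_addr(const uint8_t *pkt, size_t len, const uint8_t addr[4])
{
    for (size_t i = 0; i + 6 <= len; i++)      /* 4 address + 2 port bytes */
        if (memcmp(pkt + i, addr, 4) == 0)
            return (long)i;
    return -1;
}

/* The port the naive scan would take, i.e. the two bytes after the match
 * (0 if the offset is invalid). */
unsigned assumed_port(const uint8_t *pkt, size_t len, long off)
{
    if (off < 0 || (size_t)off + 6 > len)
        return 0;
    return ((unsigned)pkt[off + 4] << 8) | pkt[off + 5];
}

/* Hypothetical header-aware variant: check the TPKT header first and search
 * only the payload.  Returns -2 when the header is malformed or its length
 * does not fit the buffer, -1 when the payload has no match, else the
 * match offset relative to the packet start. */
long tpkt_aware_find_addr(const uint8_t *pkt, size_t len, const uint8_t addr[4])
{
    if (len < 4 || pkt[0] != 0x03 || pkt[1] != 0x00)
        return -2;
    size_t tpkt_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (tpkt_len < 4 || tpkt_len > len)        /* must cover header, fit buffer */
        return -2;
    long off = naive_find_addr(pkt + 4, tpkt_len - 4, addr);
    return off < 0 ? -1 : off + 4;
}

int main(void)
{
    size_t n1 = sizeof pkt_header_only, n2 = sizeof pkt_with_addr;
    long o;

    o = naive_find_addr(pkt_header_only, n1, ADDR_3_0_0_165);
    printf("naive, 3.0.0.165 in header-only packet: offset %ld, port %u\n",
           o, assumed_port(pkt_header_only, n1, o));
    printf("aware, 3.0.0.165 in header-only packet: %ld\n",
           tpkt_aware_find_addr(pkt_header_only, n1, ADDR_3_0_0_165));

    o = naive_find_addr(pkt_with_addr, n2, ADDR_10_0_0_1);
    printf("naive, 10.0.0.1 in real packet: offset %ld, port %u\n",
           o, assumed_port(pkt_with_addr, n2, o));
    printf("aware, 10.0.0.1 in real packet: %ld\n",
           tpkt_aware_find_addr(pkt_with_addr, n2, ADDR_10_0_0_1));
    return 0;
}
```

With the inside address 3.0.0.165 the naive scan matches at offset 0, i.e. it would rewrite the TPKT header itself and take the first two payload bytes as the port, exactly the mess the reply describes. The header-aware variant refuses the first packet because its declared length (0xa5) exceeds the buffer, and on the second packet it finds 10.0.0.1 only where it actually sits in the payload. Checking the header is a minimal sanity test, not a real H.225 parser; the reply's point that the protocol resists simple analysis still stands.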