Hi all. I can't seem to get the h323 connection tracking configured correctly for Shorewall. I am using the Debian Shorewall 4.5.16.1 package. I am running a Debian 3.9 kernel like so:

    # uname -a
    Linux gw 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux

My version of iptables is:

    # iptables -V
    iptables v1.4.20

If I add the following rule in the /etc/shorewall/tcrules file to set a TOS value based on the helper:

    TOS(0xa0/0xfc)   $ALL   $RFC1918   { helper:Q.931 }

Then a 'shorewall check' results in the following error:

    ERROR: The h323 helper is not enabled /etc/shorewall/tcrules (line 94)

That also happens if I use a '{ helper:RAS }' entry as well.

Shorewall believes my kernel has H323 capabilities:

    # shorewall show capabilities | grep H323
       H323 Helper: Available

The HELPERS entries in the /etc/shorewall/shorewall.conf file are:

    # grep HELPER /etc/shorewall/shorewall.conf
    AUTOHELPERS=No
    HELPERS=
    LOAD_HELPERS_ONLY=No

If I try to force the h323 by defining HELPERS in shorewall.conf like so:

    HELPERS=ftp,h323,irs,netbios-ns,pptp,sip,snmp,tftp

Then shorewall check now results in:

    # shorewall check
    Checking...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    ERROR: The h323 helper requires H323 Helpers in your kernel and iptables

If I list my modules, the h323 NAT and connection tracking modules are listed:

    # lsmod | grep h323
    nf_nat_h323            12937  0
    nf_conntrack_h323      42418  1 nf_nat_h323
    nf_nat                 18378  15 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,ipt_MASQUERADE,nf_nat_proto_gre,ip6t_MASQUERADE,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_nat,ip6table_nat,iptable_nat
    nf_conntrack           59734  39 nf_nat_ftp,nf_nat_irc,nf_nat_sip,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,xt_helper,ipt_MASQUERADE,nf_conntrack_proto_udplite,nf_nat,ip6t_MASQUERADE,xt_state,xt_connlimit,nf_nat_h323,nf_nat_ipv4,nf_nat_ipv6,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,ipt_CLUSTERIP,nf_conntrack_proto_sctp,nf_conntrack_netlink,ip6table_nat,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_sip,iptable_nat,nf_conntrack_h32,nf_conntrack_ipv4,nf_conntrack_ipv6,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp

And I don't seem to have any issue loading the same connection tracking helper that Shorewall does when checking for h323 support:

    # iptables -t raw -N tmp_chain
    # iptables -t raw -A tmp_chain -j CT --notrack ; echo $?
    0
    # iptables -t raw -A tmp_chain -p udp --dport 1719 -j CT --helper RAS ; echo $?
    0
    # iptables -t raw -F tmp_chain
    # iptables -t raw -X tmp_chain

I'm not sure what else to check now. Am I doing something wrong? Or is there a bug with the h323 helper stuff in Shorewall?

Regards,

--
Jim Barber
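The two checks the post runs by hand (are the h323 modules loaded, and does the raw table accept a CT --helper rule) can be combined into one diagnostic. This is an added example, not code from Shorewall or from the poster; the scratch chain name, the return codes, and the sample lsmod text are my own, and it assumes the Q.931 helper is registered for tcp/1720 alongside RAS on udp/1719.

```shell
#!/bin/sh
# Added diagnostic (not part of Shorewall): repeats the module check and the
# raw-table CT --helper probe from the post so both answers come from one run.

# Pure check: reads lsmod output on stdin and succeeds only when both the
# conntrack helper and its NAT companion are loaded (the post lists both).
h323_modules_loaded() {
    awk 'NR > 1 { seen[$1] = 1 }
         END { exit !(seen["nf_conntrack_h323"] && seen["nf_nat_h323"]) }'
}

# Live probe: the same scratch-chain test as in the post, extended to the
# Q.931 helper named in the tcrules entry. Returns 0 when both helper rules
# are accepted, 1 when iptables rejects one, 2 when the test cannot run here
# (no iptables, not root, or the raw table is unavailable).
h323_helper_probe() {
    chain="h323probe$$"                      # assumed scratch chain name
    command -v iptables >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    iptables -t raw -N "$chain" 2>/dev/null || return 2
    rc=1
    if iptables -t raw -A "$chain" -p udp --dport 1719 -j CT --helper RAS 2>/dev/null &&
       iptables -t raw -A "$chain" -p tcp --dport 1720 -j CT --helper Q.931 2>/dev/null; then
        rc=0
    fi
    # Always remove the scratch chain so nothing is left behind in the raw table.
    iptables -t raw -F "$chain" 2>/dev/null
    iptables -t raw -X "$chain" 2>/dev/null
    return "$rc"
}

# Stand-alone use: report both results for the running host.
if lsmod 2>/dev/null | h323_modules_loaded; then
    echo "modules: nf_conntrack_h323 and nf_nat_h323 are loaded"
else
    echo "modules: h323 helper modules are NOT loaded (modprobe nf_conntrack_h323 nf_nat_h323)"
fi
h323_helper_probe && probe=0 || probe=$?
case "$probe" in
    0) echo "probe: CT --helper RAS and Q.931 accepted in the raw table" ;;
    1) echo "probe: iptables rejected a CT --helper rule (kernel/iptables lack the helper)" ;;
    *) echo "probe: skipped (needs root and iptables with the raw table)" ;;
esac
```

If the module check passes but the probe returns 1, the helper modules are present yet the CT target cannot bind them, which is the combination the post's error message describes.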