<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>

H.323 connection tracking and NAT for Linux/Netfilter

H.323 connection tracking and NAT for Linux/Netfilter

h323-conntrack-nat is a Linux kernel module which provides connection tracking and NAT support for the H.323, H.225, H.245 protocol family (Voice over IP).

The module was originally written for Linux 2.4 by Jozsef Kadlecsik. I have ported it to Linux 2.6.11, and I am currently working on replacing the "brute force" algorithm with real H.323 protocol parsers.


The module is maintained in the Netfilter patch-o-matic-ng subversion repository.

To make patch-o-matic work, you need the sources of iptables and Linux 2.6.11.x kernel.

svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng cd patch-o-matic-ng ./runme --kernel-path /usr/src/linux-2.6.11 \ --iptables-path /usr/src/iptables-1.2.11 h323-conntrack-nat

If that finishes successfully, you can select the H.323 module in the kernel configuration menu. You do not need to recompile iptables, the sources are only required for the patch-o-matic installer.

Using h323-conntrack-nat

After you have recompiled the kernel with the H.323 modules, the only thing left to do is to allow connections on port 1720 (H.225):

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp --dport 1720 -j ACCEPT

in ferm syntax:

chain INPUT { mod state state (ESTABLISHED RELATED) ACCEPT; proto tcp dport 1720 ACCEPT; }

NAT is no problem:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1720 -j DNAT to iptables -A FORWARD -d -p tcp --dport 1720 -j ACCEPT

Nfsim test suite

I have started writing a test suite for h323-conntrack-nat:

To run the test suite, you have to patch Nfsim with my backticks patches. The tarball contains a README file with detailed instructions.