
5. New connection tracking patches

In this section, we will show the available connection tracking/NAT patches. To use them, simply load the corresponding modules (with options if needed) for them to be in effect.

5.1 amanda-conntrack-nat patch

This patch by Brian J. Murrell <[email protected]> adds support for connection tracking and nat of the Amanda backup tool protocol.

5.2 eggdrop-conntrack patch

This patch by Magnus Sandin <[email protected]> adds support for connection tracking for eggdrop bot networks.

5.3 h323-conntrack-nat patch

This patch by Jozsef Kadlecsik <[email protected]> adds an H.323/NetMeeting support module for netfilter connection tracking and NAT.

H.323 uses/relies on the following data streams :

The H.323 conntrack/NAT modules support the connection tracking/NATing of the data streams requested on the dynamic ports. The helpers use the search/replace hack from the ip_masq_h323.c module for the 2.2 kernel series.

At the very minimum, H.323/NetMeeting (video/audio) is functional by letting through port 1720 and loading these H.323 module(s).

The H.323 conntrack/NAT modules do not support :

5.4 irc-conntrack-nat patch

This patch by Harald Welte <[email protected]> allows DCC to work through NAT and connection tracking. By default, this module will track IRC connections on port 6667. But you can change this to another port with the `ports=xx' argument.

5.5 mms-conntrack-nat patch

This patch by Filip Sneppe <[email protected]> adds support for connection tracking of Microsoft Streaming Media Services protocol.

This allows client (Windows Media Player) and server to negotiate protocol (UDP, TCP) and port for the media stream. A partially reverse engineered protocol analysis is available from here, together with a link to a Linux client.

It is recommended to open UDP port 1755 to the server, as this port is used for retransmission requests.

This helper has been tested in SNAT and DNAT setups.

5.6 pptp patch

This patch by Harald Welte <[email protected]> allows netfilter to track PPTP connections as well as to NAT them.

5.7 quake3-conntrack patch

This patch by Filip Sneppe <[email protected]> adds support for Quake III Arena connection tracking and NAT.

5.8 rsh patch

This patch by Ian Larry Latter <[email protected]> adds support for RSH connection tracking.

An RSH connection tracker is required if the dynamic stderr "Server to Client" connection is to be allowed during a normal RSH session. This typically operates as follows:

    Client 0:1023 --> Server 514    (stream 1 - stdin/stdout)
    Client 0:1023 <-- Server 0:1023 (stream 2 - stderr)

The author of this patch warns that this module could be dangerous, that it is not "best practice" to use RSH, and that you should use SSH in all instances.

5.9 snmp-nat patch

This patch by James Morris <[email protected]> allows netfilter to NAT basic SNMP. This is the "basic" form of SNMP-ALG, as described in RFC 2962: it works by modifying IP addresses inside SNMP payloads to match the IP-layer NAT mapping.

5.10 talk-conntrack-nat patch

This patch by Jozsef Kadlecsik <[email protected]> allows netfilter to track talk connections, as well as to NAT them. By default both otalk (UDP port 517) and talk (UDP port 518) are supported. Support for otalk and talk can be selectively enabled or disabled by the module parameters of the ip_conntrack_talk and ip_nat_talk modules. The options are :

where `0' means `do not support' while `1' means `do support' the given protocol flavor.

5.11 tcp-window-tracking patch

This patch by Jozsef Kadlecsik <[email protected]> allows netfilter to do TCP connection tracking according to the article "Real Stateful TCP Packet Filtering in IP Filter" by Guido van Rooij. It supports window scaling, and can now handle already established connections.

5.12 tftp patch

This patch by Magnus Boden <[email protected]> allows netfilter to track TFTP connections as well as to NAT them. By default, this module will track TFTP connections on port 69. But you can change this to another port with the `ports=xx' argument.
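The following is an added example, not part of this HOWTO: a small POSIX shell helper that builds the module-load and firewall commands for one of the helpers above (the irc and tftp sections document the `ports=xx' argument), so that only the helper's control port is opened as a NEW connection and the dynamic data streams it sets up are admitted as RELATED. It assumes the ip_conntrack_<name>/ip_nat_<name> module naming and that the NAT module accepts the same `ports=' argument; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# helper_cmds NAME PROTO PORTS [nat]
#   NAME  : helper name, e.g. irc or tftp (module ip_conntrack_NAME; assumed naming)
#   PROTO : tcp or udp, the control protocol of that helper
#   PORTS : comma-separated control ports, passed as ports=... to the module
#   nat   : if given, also load ip_nat_NAME with the same ports (assumed to accept it)
helper_cmds() {
    name=$1; proto=$2; ports=$3; want_nat=$4
    # Reject anything that is not a comma-separated list of digits, so a typo
    # cannot turn into a stray shell word passed to modprobe or iptables.
    case "$ports" in
        ''|*[!0-9,]*) echo "helper_cmds: bad port list '$ports'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "helper_cmds: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    printf 'modprobe ip_conntrack_%s ports=%s\n' "$name" "$ports"
    if [ -n "$want_nat" ]; then
        printf 'modprobe ip_nat_%s ports=%s\n' "$name" "$ports"
    fi
    # Only the helper's control port(s) are opened explicitly as NEW.
    for p in $(echo "$ports" | tr ',' ' '); do
        printf 'iptables -A FORWARD -p %s --dport %s -m state --state NEW -j ACCEPT\n' "$proto" "$p"
    done
    # The data streams the helper expects (DCC, TFTP transfer, ...) arrive as
    # RELATED; this one rule admits them without opening port ranges.
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# apply_helper: print the commands (DRY_RUN=1, the default) or execute them.
apply_helper() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        helper_cmds "$@"
    else
        helper_cmds "$@" | sh -e
    fi
}

# Example: IRC helper with NAT on the default port plus a second one.
apply_helper irc tcp 6667,7000 nat
```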

