June 21, 2004

iptables and 2.6 IPsec; H.323, NAT, and GnuGk

First up, I realized over the weekend that though I had begun using 2.6 IPsec, I hadn’t altered my usual set of iptables firewall rules which refer to ipsec0. 2.6 IPsec doesn’t use a “virtual device” for its IPsec tunnels, so saying things like “make sure this kind of traffic only comes in over an IPsec tunnel” becomes kind of wonky.

A quick note on how 2.6 IPsec interacts with Netfilter (and therefore iptables) as of about 2.6.6 or so (FC2 kernel). Packets are encrypted before the NF_IP_POST_ROUTING hook. This means that when forwarding a packet over an IPsec connection, the NF_IP_FORWARD and NF_IP_LOCAL_OUT hooks see the packets unencrypted, but any (for example) SNAT rules you have will see the ESP packet. (BTW, I only use ESP in tunnel mode. All of this documentation assumes that, though most everything applies to other IPsec modes as well.)

So how do you ensure that packet X came in via IPsec? Currently the hackish way to do this seems to depend on the fact that an nfmark set on an incoming IPsec packet will be the same nfmark seen on the resulting decrypted packet. So, for example, iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1 to mark ESP packets as they come in, then match with -m mark --mark 1 elsewhere. If you use nfmark for other things perhaps you need a different nfmark value.

This is all icky IMHO. I don’t like using nfmark, especially since the patch to allow more complex operations on nfmark (like bitwise or) isn’t in the iptables nor kernel proper. The semi-good news is that there is a patch in the pipeline to make this kind of matching sane. Check out the IPsec-related patches in the Netfilter patch-o-matic extra repository. There are four or so for IPsec that fix up the way packets traverse Netfilter hooks. These patches make it more sane, and different enough from what I’ve covered above. Go hit up a mail archive for netfilter-devel and read the thread(s) on “NAT and IPsec” (IIRC). You’ll also find a “policy” patch which should be the patch that allows you to “match the IPsec policy used for handling a packet.” You can find usage examples on the netfilter-devel list too, I believe. I haven’t used these patches, and I might not as long as they’re not integrated into the base iptables and base kernel.

In other news, I’m charged with testing out a client’s video conferencing appliance which sits behind a Linux box doing NAT to their single routeable IP. I, too, am in this situation, but trying to connect to their appliance with NetMeeting (rather than another appliance). Same concept, though: H.323 still hates NAT. I gather there is something like H.245 which is some sort of tunneling that probably gets around some of these problems, blah blah blah, uninformed rambling. NetMeeting doesn’t support this tunneling protocol last I heard, though, so for now I struggle on. (Maybe I should try GnomeMeeting. I think it supports this tunneling protocol which I may or may not be fabricating entirely.)

So I go about trying to stick an H.323 gatekeeper on my Linux NAT box here. GnuGk was a prominent search result so I gave it a go. Its included RPM spec file didn’t go over so well, so here’s my GnuGk 2.0.8 SRPM. I built this on Fedora Core 1 i386. Note the large number of packages required for build and what you suppose is their irrelevance to the very basic set of features you’re installing. SDL? What? This is a daemon. LDAP? Even though I turned it off? I think all these extra libraries are a result of GnuGk using the PWLib build “system,” which by the by I think FC1 might have a little screwed up. Either that or GnuGk uses it in a bastardly way. Anyway, it builds, and it runs. I’ll admit I haven’t been using it much, and the init script might need some work still. I accept patches.

You’ll need an /etc/gnugk.ini after building and installing GnuGk. Check out section 7.2.1 of the GnomeMeeting FAQ. Two things I had to modify for GnuGk 2.0.8. First, [RasSvr::ARQFeatures] needs to be [RasSrv::ARQFeatures]. Second, under the [RasSrv::ARQFeatures] section, add ParseEmailAliases=1 as an option. Without this option, you can’t do things like place a call from NetMeeting to @ which is what GnomeMeeting suggests you try, I believe. Also note that this configuration seems to be open to some mischief from others. Particularly, the interactive status port is open to all through that rule=allow line, I do believe, and you can change things (or at least disconnect calls) from this port I think.

For instructions on how to configure NetMeeting, see http://www.gnugk.org/netmeeting.html. Note that (I hope) you don’t have to put in both a phone number and a user name. I just entered a user name. After I did this setup, I was able to connect to the gatekeeper and instruct it to “dial out” to the remote VC unit. I wasn’t able to connect to the remote VC unit, though, and I think that might be the remote end’s fault. The remote network, at this point, has no gatekeeper. I’m trying to figure out if I need to add one or not. It simply has a butt-load of ports forwarded in to it. For the curious, the appliance on the remote end is a Polycom unit. I think I’m going to need to figure out which Polycom unit and see if I can’t remotely reconfigure it. I suspect it has some NAT settings hiding around in its interface that needs to be twiddled, for starters.

On a note related to both of the topics covered in this entry, somewhat, there does seem to be an H.323 NAT module in the Netfilter POM-NG extra repository. A possible alternative to using a gatekeeper, at least in my situation(s).