iptables: opening H.323 dynamic ports with the conntrack helper
1. Load the h323 modules
To track H.323 the kernel needs the nf_conntrack and nf_nat cores plus the H.323 helper modules. Loading the helpers pulls the cores in as dependencies:
modprobe nf_conntrack_h323
modprobe nf_nat_h323
Caveat: since kernel 4.7 a loaded helper is no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0 there, and the sysctl was removed in 6.0). On such kernels the helper must be bound to the signalling port explicitly with the CT target (--helper) in the raw table; without that binding the RELATED rules below never match anything, because no expectations are ever created.
2. Configure iptables rules
H.323 uses UDP 1719 (RAS, gatekeeper registration) and TCP 1720 (Q.931 call signalling). For a direct call the TCP 1720 channel is the one that matters: the helper parses it, learns the H.245 and RTP/RTCP ports negotiated inside it, and registers expectations for them, so the first packet of each of those flows is classified RELATED and the rest ESTABLISHED.
The iptables rule template is as follows (-m state is a deprecated alias of -m conntrack --ctstate; both work):
# Let packets in NEW state (the call-signalling connection itself) pass.
iptables -A FORWARD [-s <src_ip>] [-d <dst_ip>] -p tcp -m multiport --dports <h323_port> -j ACCEPT
# Let RELATED and ESTABLISHED packets in the original direction pass.
iptables -A FORWARD [-s <src_ip>] [-d <dst_ip>] -m state --state RELATED,ESTABLISHED -j ACCEPT
# Let RELATED and ESTABLISHED packets in the reply direction pass.
iptables -A FORWARD [-s <dst_ip>] [-d <src_ip>] -m state --state RELATED,ESTABLISHED -j ACCEPT
3. Test cases
Topology (pc_2 sits on 192.168.222.0/24, as the rules below show):
192.168.111.1/24                  192.168.111.254/24   192.168.222.254/24                  192.168.222.1/24
[pc_1]-----------------------------------[firewall]-----------------------------------[pc_2]
Suppose the default policy of the FORWARD chain is DROP.
3.1. Both SRC IP and DST IP are configured
iptables rule example:
iptables -A FORWARD -s 192.168.111.0/24 -d 192.168.222.0/24 -p tcp -m multiport --dports 1720 -j ACCEPT
iptables -A FORWARD -s 192.168.111.0/24 -d 192.168.222.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.222.0/24 -d 192.168.111.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
3.2. Only SRC IP is configured
iptables rule example:
iptables -A FORWARD -s 192.168.111.0/24 -p tcp -m multiport --dports 1720 -j ACCEPT
iptables -A FORWARD -s 192.168.111.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.111.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
3.3. Only DST IP is configured
iptables rule example:
iptables -A FORWARD -d 192.168.222.0/24 -p tcp -m multiport --dports 1720 -j ACCEPT
iptables -A FORWARD -d 192.168.222.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.222.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
3.4. Neither SRC IP nor DST IP is configured
iptables rule example:
iptables -A FORWARD -p tcp -m multiport --dports 1720 -j ACCEPT
# With neither SRC IP nor DST IP specified, the original-direction and reply-direction rules are identical, so they collapse into a single rule:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
This is the widest variant: any forwarded host may open a call, and the helper then pinholes whatever media ports that call negotiates. Prefer 3.1 (or at least 3.2/3.3) and scope the rules to the networks that actually carry calls.
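The following script is an added example, not code from the original page: it generates (and, only on request, applies) the complete rule set for any combination of optional source and destination networks, which generalises cases 3.1 to 3.4 above, and it adds the explicit helper binding that kernels since 4.7 need. It assumes the firewall routes between the two LANs (FORWARD path), that the endpoints use the standard ports (UDP 1719 for RAS, TCP 1720 for Q.931), that the helper names are the ones nf_conntrack_h323 registers ("RAS" and "Q.931"), and it uses -m conntrack --ctstate in place of the page's -m state. The function names and the APPLY variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build the iptables rule set for
# H.323 call signalling through a Linux router for optional SRC/DST networks.
# Assumptions: FORWARD path between two LANs, standard ports, helper names as
# registered by nf_conntrack_h323 ("RAS", "Q.931"), kernel >= 4.7 so the helper
# must be bound explicitly with the CT target in the raw table.

RAS_PORT=1719
Q931_PORT=1720

# gen_h323_rules SRC DST
# SRC/DST are networks such as 192.168.111.0/24, or "" when unspecified.
# Prints one iptables command per line; nothing is executed here.
gen_h323_rules() {
    src="$1"; dst="$2"
    fwd=""; rev=""
    if [ -n "$src" ]; then fwd="$fwd -s $src"; fi
    if [ -n "$dst" ]; then fwd="$fwd -d $dst"; fi
    if [ -n "$dst" ]; then rev="$rev -s $dst"; fi
    if [ -n "$src" ]; then rev="$rev -d $src"; fi

    # 1. Bind the helpers to the signalling ports (raw table, before conntrack).
    #    H.245 and RTP/RTCP are then learned from the Q.931 payload and
    #    registered as expectations, which is what makes them RELATED later.
    echo "iptables -t raw -A PREROUTING$fwd -p udp --dport $RAS_PORT -j CT --helper RAS"
    echo "iptables -t raw -A PREROUTING$fwd -p tcp --dport $Q931_PORT -j CT --helper Q.931"
    # 2. Admit the NEW signalling connections themselves.
    echo "iptables -A FORWARD$fwd -p udp --dport $RAS_PORT -j ACCEPT"
    echo "iptables -A FORWARD$fwd -p tcp -m multiport --dports $Q931_PORT -j ACCEPT"
    # 3. Admit the expected media/H.245 flows (RELATED) and everything that
    #    follows on accepted connections (ESTABLISHED), original direction...
    echo "iptables -A FORWARD$fwd -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    #    ...and reply direction, which is a distinct rule only when at least one
    #    network was given (with none, it is the same rule: case 3.4).
    if [ "$fwd" != "$rev" ]; then
        echo "iptables -A FORWARD$rev -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    fi
}

# apply_h323_rules SRC DST: load the helper modules, then run the generated rules.
apply_h323_rules() {
    modprobe nf_conntrack_h323 && modprobe nf_nat_h323 || return 1
    gen_h323_rules "$1" "$2" | sh -e
}

# show_h323_expectations: while a test call is being set up, the helper's
# dynamic pinholes (H.245, RTP/RTCP) appear here. An empty list during call
# setup means the helper is not bound to the signalling traffic.
show_h323_expectations() {
    cat /proc/net/nf_conntrack_expect 2>/dev/null || conntrack -L expect
}

# Only touches the kernel when explicitly asked, e.g.
#   APPLY=1 sh h323-rules.sh 192.168.111.0/24 192.168.222.0/24
# Without APPLY=1 the commands are just printed for review.
if [ "${APPLY:-0}" = 1 ]; then
    apply_h323_rules "$1" "$2" && show_h323_expectations
else
    gen_h323_rules "$1" "$2"
fi
```

Review the printed rules first, then run with APPLY=1 as root; place a call between pc_1 and pc_2 and confirm that show_h323_expectations lists expectations for the negotiated ports before concluding that the RELATED rules are doing anything.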
Reference
Well-known ports of the protocols whose conntrack helpers open dynamic ports (RAS runs over UDP, not TCP):
l7_protocol | l4_protocol | port_number | port_name |
---|---|---|---|
ftp | tcp | 21 | FTP_PORT |
tftp | udp | 69 | TFTP_PORT |
h323 | udp | 1719 | RAS_PORT |
h323 | tcp | 1720 | Q931_PORT |
sip | tcp | 5060 | SIP_PORT |
rtsp | tcp | 554 | RTSP_PORT |