/usr/share/doc/iptables-dev/html/netfilter-extensions-HOWTO-5.html is in iptables-dev 1.4.12-1ubuntu4.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 | <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.66">
<TITLE>Netfilter Extensions HOWTO: New connection tracking patches</TITLE>
<LINK HREF="netfilter-extensions-HOWTO-6.html" REL=next>
<LINK HREF="netfilter-extensions-HOWTO-4.html" REL=previous>
<LINK HREF="netfilter-extensions-HOWTO.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="netfilter-extensions-HOWTO-6.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-4.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc5">Contents</A>
<HR>
<H2><A NAME="s5">5.</A> <A HREF="netfilter-extensions-HOWTO.html#toc5">New connection tracking patches</A></H2>
<P>In this sections, we will show the available connection tracking/nat patches.
To use them, simply load the corresponding modules (with options if needed)
for them to be in effect.</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.1">amanda-conntrack-nat patch</A>
</H2>
<P>This patch by Brian J. Murrell <netfilter@interlinx.bc.ca> adds support
for connection tracking and nat of the Amanda backup tool protocol.</P>
<H2><A NAME="ss5.2">5.2</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.2">eggdrop-conntrack patch</A>
</H2>
<P>This patch by Magnus Sandin <magnus@sandin.cx> adds support
for connection tracking for eggdrop bot networks.</P>
<H2><A NAME="ss5.3">5.3</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.3">h323-conntrack-nat patch</A>
</H2>
<P>This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> adds
H.323/netmeeting support module for netfilter connection tracking and NAT.</P>
<P>H.323 uses/relies on the following data streams :</P>
<P>
<UL>
<LI>port 389 -> Internet Locator Server (TCP).</LI>
<LI>port 522 -> User Location Server (TCP).</LI>
<LI>port 1503 -> T.120 Protocol (TCP).</LI>
<LI>port 1720 -> H.323 (H.225 call setup, TCP)</LI>
<LI>port 1731 -> Audio call control (TCP)</LI>
<LI>Dynamic port -> H.245 call control (TCP)</LI>
<LI>Dynamic port -> RTCP/RTP streaming (UDP)</LI>
</UL>
</P>
<P>The H.323 conntrack/NAT modules support the connection tracking/NATing of
the data streams requested on the dynamic ports. The helpers use the
search/replace hack from the ip_masq_h323.c module for the 2.2 kernel
series.</P>
<P>At the very minimum, H.323/netmeeting (video/audio) is functional by letting
trough the 1720 port and loading these H.323 module(s).</P>
<P>The H.323 conntrack/NAT modules do not support :</P>
<P>
<UL>
<LI>H.245 tunnelling</LI>
<LI>H.225 RAS (gatekeepers)</LI>
</UL>
</P>
<H2><A NAME="ss5.4">5.4</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.4">irc-conntrack-nat patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> allows DCC to work though NAT and
connection tracking. By default, this module will track IRC connection on port 6667.
But you can change this for another port with the `ports=xx' argument.</P>
<H2><A NAME="ss5.5">5.5</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.5">mms-conntrack-nat patch</A>
</H2>
<P>This patch by Filip Sneppe <filip.sneppe@cronos.be> adds support for
connection tracking of Microsoft Streaming Media Services protocol.</P>
<P>This allows client (Windows Media Player) and server
to negotiate protocol (UDP, TCP) and port for the media stream.
A partially reverse engineered protocol analysis is available
from
<A HREF="http://get.to/sdp">here</A>, together with a link to a Linux client.</P>
<P>It is recommended to open UDP port 1755 to the server, as this port is used
for retransmission requests.</P>
<P>This helper has been tested in SNAT and DNAT setups.</P>
<H2><A NAME="ss5.6">5.6</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.6">pptp patch</A>
</H2>
<P>This patch by Harald Welte <laforge@gnumonks.org> allows netfilter to track pptp connection as well as to NAT them.</P>
<H2><A NAME="ss5.7">5.7</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.7">quake3-conntrack patch</A>
</H2>
<P>This patch by Filip Sneppe <filip.sneppe@cronos.be> adds support for
Quake III Arena connection tracking and nat.</P>
<H2><A NAME="ss5.8">5.8</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.8">rsh patch</A>
</H2>
<P>This patch by Ian Larry Latter <Ian.Latter@mq.edu.au> adds support for
RSH connection tracking.</P>
<P>An RSH connection tracker is required if the dynamic stderr "Server
to Client" connection is to occur during a normal RSH session. This
typically operates as follows :</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
Client 0:1023 --> Server 514 (stream 1 - stdin/stdout)
Client 0:1023 <-- Server 0:1023 (stream 2 - stderr)
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>The author of this patch is warning you that this module could be dangerous, and
that it is not "best practice" to use RSH, and you should use SSH in all instances.</P>
<H2><A NAME="ss5.9">5.9</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.9">snmp-nat patch</A>
</H2>
<P>This patch by James Morris <jmorris@intercode.com.au> allows netfilter to NAT basic SNMP
This is the ``basic'' form of SNMP-ALG, as described in
<A HREF="http://www.faqs.org/rfcs/rfc2962.html">RFC 2962</A>,
it works by modifying IP addresses inside SNMP payloads
to match IP-layer NAT mapping.</P>
<H2><A NAME="ss5.10">5.10</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.10">talk-conntrack-nat patch</A>
</H2>
<P>This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> allows netfilter to track
talk connections, as well as to NAT them. By default both otalk (UDP port 517) and talk (UDP port 518) are
supported. otalk/talk supports can selectively be enabled/disabled
by the module parameters of the ip_conntrack_talk and ip_nat_talk modules. The options are :</P>
<P>
<UL>
<LI>otalk = 0 | 1</LI>
<LI>talk = 0 | 1</LI>
</UL>
</P>
<P>where `0' means `do not support' while `1' means `do support'
the given protocol flavor.</P>
<H2><A NAME="ss5.11">5.11</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.11">tcp-window-tracking patch</A>
</H2>
<P>This patch by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> allows netfilter
do TCP connection tracking according to the article
<A HREF="http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz">Real Stateful TCP Packet Filtering in IP Filter</A> by
Guido van Rooij. It supports window scaling, and can now handle already established connections.</P>
<H2><A NAME="ss5.12">5.12</A> <A HREF="netfilter-extensions-HOWTO.html#toc5.12">tftp patch</A>
</H2>
<P>This patch by Magnus Boden <mb@ozaba.mine.nu> allows netfilter to track
tftp connections as well as to NAT them. By default, this module will track
tftp connections on port 69. But you can change this for another port with the
`ports=xx' argument.</P>
<HR>
<A HREF="netfilter-extensions-HOWTO-6.html">Next</A>
<A HREF="netfilter-extensions-HOWTO-4.html">Previous</A>
<A HREF="netfilter-extensions-HOWTO.html#toc5">Contents</A>
</BODY>
</HTML>
|