In message <003601c3a4f2$449210d0$230515ac(a)JOVE>, "jfp" writes:

Obviously that ISP is not going to do anything, So: - Permanently block said ISP to your linux box.

That and/or properly patching/securing the Windows box would be my first two suggestions. Trying to get "hackers" shut down is a bit like wack a mole even at the best of times.

- I assume you are using ipchains on your linux box, I would recommend upgrading to iptables which would mean not having to open incoming ports above 1024 as the session tracking should take care of that.

H.323 (and friends), as used by NetMeeting, etc, are rather difficult to firewall well, because it opens connections in arbitrary directions to arbitrary ports (as negotiated through a control channel) -- a bit like FTP, but worse. The control channel is encoded via ASN.1 (ie, binary) rather than being text like FTP. IMHO it's shameful that a "modern" protocol isn't designed for at least easy state tracking if not to work easily with outgoing-only firewalls and NAT boxes. There is an (experimental) H.323 tracking module for Linux iptables which can be downloaded and compiled up (from some of the netfilter development sites), but it's a bit of a hack. I've not tried it, but have read that it works reasonably well for a single H.323 endpoint behind the firewall. Alternatively application layer proxying may be more appropriate. GNU Gatekeeper, Open H.323 Proxy, Asterisk, etc, are capable of proxying H.323 sessions at the application level. Some of them (eg, Asterisk) are pretty much voice only (Asterisk is fundamentally PBX software which supports H.323 amongst other things), and some of them (eg, GNU Gatekeeper) will proxy video as well. Ewen