?

Log in

No account? Create an account
entries friends calendar profile Previous Previous Next Next
... but everywhere he is in ipchains - shadows of echoes of memories of songs — LiveJournal
10:13 pm March 7th, 2005
j4
j4
Share
... but everywhere he is in ipchains
Right. I'm trying to set up my iSight, and it's not working, and this suggests that our home-brewed firewall is the crux of the problem:
To use iChat AV behind a firewall, make sure your network administrator has opened UDP port 5060.

When video conferencing, iChat AV uses four UDP ports in this range: 16384 to 16403.
So anyway, my network administrator is tired & stressed and says port forwarding is complicated. I have bashed my head against the ipchains man page to no avail. Anybody have any hints (or lines I can cut and paste into our firewall)?

TIA...
Read 20 | Write
Comments
Comment by Kosai
kosai From: kosai Date: March 7th, 2005 10:31 pm (UTC) (Link)
I think the correct line's going to depend on how ipchains is set-up at the moment (what the names of your chains are, whether they're default accept or deny, etc), so it might be best if you show us what you've got at the moment, with:

/sbin/ipchains --list

- C.
(Reply) (Thread)
Thread started by Daddy Clanger
imc From: imc Date: March 7th, 2005 11:29 pm (UTC) (Link)
Port forwarding isn't that complicated if you're using iptables. Sadly I never mastered it on ipchains (I never had to) — I thought ipchains had more or less died out by now.

Assuming your firewall machine is not the same machine that you want to run the chat software on, I believe the command ipmasqadm portfw is involved and I've found a little bit of stuff about it.
(Reply) (Thread)
martling From: martling Date: March 8th, 2005 12:11 am (UTC) (Link)
Based on that, I think you need to know:

- The public IP address on your internet connection.
- The IP address of the Mac with the iSight on.

And then do once for each port number (5060 and from 16384 to 16403):

ipmasqadm portfw -a -P udp -L -R
(Reply) (Parent) (Thread)
martling From: martling Date: March 8th, 2005 12:14 am (UTC) (Link)
Which might make more sense on the web if I wrote it:

ipmasqadm portfw -a -P udp -L <public IP> <port> -R <mac IP>
(Reply) (Parent) (Thread)
j4 From: j4 Date: March 8th, 2005 01:21 pm (UTC) (Link)
This looks eminently cut-and-pasteable -- thank you! :-) I'll give it a try tonight...
(Reply) (Parent) (Thread)
j4 From: j4 Date: March 8th, 2005 07:50 pm (UTC) (Link)
fire:/etc/init.d# ipmasqadm portfw -a -P udp -L 213.104.13.73 5060 -R 172.19.244.11
portfw: illegal destination specified

Um... any suggestions?
(Reply) (Parent) (Thread)
j4 From: j4 Date: March 8th, 2005 08:02 pm (UTC) (Link)
Ah. After further prodding, sion_a says a) we don't have the ip_portfw kernel module, and b) it might be time for a kernel upgrade...

Thanks for your help anyway, hopefully we'll be able to use your magic runes when the, um, *waves hands* innards are sorted out. :-)
(Reply) (Parent) (Thread)
martling From: martling Date: March 9th, 2005 01:44 am (UTC) (Link)
Ah, okay. I think the quickest route would be to add in that module, but if sion_a wants to upgrade things anyway then it'll all go to iptables instead. In which case what you'll want will look more like:

iptables -t nat -A PREROUTING -p udp --dport 5060 -d 213.104.13.73 -j DNAT --to-destination 172.19.244.11

Also, IJLTS badgers again for no particular reason.

BADGERS.
(Reply) (Parent) (Thread)
sion_a From: sion_a Date: March 9th, 2005 12:44 pm (UTC) (Link)
After further further prodding while slightly more awake, it turns out that the portfw module and friends are available, just very well hidden, and it just needs a recompile of the existing kernel. Which is going on as I type.
(Reply) (Parent) (Thread)
Comment by Kaet
From: kaet Date: March 7th, 2005 11:57 pm (UTC) (Link)
I'm afraid I have no idea with ipchains. I am a wuss, and use a thing in a box that you configure with a web browser, :(.
(Reply) (Thread)
Thread started by Sion
sion_a From: sion_a Date: March 8th, 2005 01:00 am (UTC) (Link)
Looking at the firewall logs, I think it should be easily possible to set things up to allow you to establish a connection using the same trick that the internal name and time servers do. Assuming the other end port-forwards sensibly. Ugh, I really should have gone to sleep an hour ago instead of looking into this.
(Reply) (Thread)
j4 From: j4 Date: March 8th, 2005 01:22 pm (UTC) (Link)
Does that mean martling's solution isn't what we need? It looked like the sort of thing we were groping towards (and failing to find!) last night...
(Reply) (Parent) (Thread)
sion_a From: sion_a Date: March 8th, 2005 01:59 pm (UTC) (Link)
Not knowing how the iChat protocol works (in particular, where it gets its ip addresses from), I'm guessing martling's solution will allow connections to be made to you whereas I'm looking at how a connection could be established from you. So we may need both.
(Reply) (Parent) (Thread)
martling From: martling Date: March 8th, 2005 03:04 pm (UTC) (Link)
I'm not sure you need to do anything for traffic initiated in the other direction, since you're already allowing and masquerading things outbound from badgers.
(Reply) (Parent) (Thread)
sion_a From: sion_a Date: March 8th, 2005 03:31 pm (UTC) (Link)
Yes, but it won't in general allow udp packets back onto the internal network (there are specific exceptions for the name and time servers—I'm talking about making iChat a specific exception too).
(Reply) (Parent) (Thread)
j4 From: j4 Date: March 8th, 2005 08:02 pm (UTC) (Link)
IHNJ, IJLS "outbound from badgers" :-)
(Reply) (Parent) (Thread)
aardvark179 From: aardvark179 Date: March 9th, 2005 01:08 am (UTC) (Link)
You'd be best off upgrading the kernel to iptables. The important thing to watch for is that the firewall should not change the source port of outgoing UDP packets, and I don't think ipchains guarantees to preserve this, and I think iptables will, but have a check.

Also worth looking at this which lists the main ports to do with the iChat protocols and has a couple of links to the nitty gritty stuff.
(Reply) (Parent) (Thread)
sion_a From: sion_a Date: March 9th, 2005 10:23 am (UTC) (Link)
Actually, having (another) look at that, and a bit more digging around, it appears that the summary solution is "What you're trying to do is fundamentally impossible, because Linux firewalls don't know how to handle SIP."
(Reply) (Parent) (Thread)
j4 From: j4 Date: March 9th, 2005 11:08 am (UTC) (Link)
So I can't actually use my iSight at all? :-(
(Reply) (Parent) (Thread)
sion_a From: sion_a Date: March 9th, 2005 11:42 am (UTC) (Link)
The port forwarding stuff might work. I don't know. My brain is full of work stress, and isn't up to trying to second guess undocumented protocols.
(Reply) (Parent) (Thread)
Read 20 | Write
Time present
Janet
User: j4
Name: Janet
Time past
Back November 2016
12345
6789101112
13141516171819
20212223242526
27282930
Where the dance is
Sometimes in life you've got to dance like nobody's watching. This is the dancefloor.

No, I don't know this song either. But it's got a good beat, and I've got my dancing shoes.
page summary
tags