j4 ([personal profile] j4) wrote 2005-03-07 10:13 pm

... but everywhere he is in ipchains

Right. I'm trying to set up my iSight, and it's not working, and this suggests that our home-brewed firewall is the crux of the problem:
To use iChat AV behind a firewall, make sure your network administrator has opened UDP port 5060.

When video conferencing, iChat AV uses four UDP ports in this range: 16384 to 16403.
So anyway, my network administrator is tired & stressed and says port forwarding is complicated. I have bashed my head against the ipchains man page to no avail. Anybody have any hints (or lines I can cut and paste into our firewall)?

TIA...

[identity profile] kosai.livejournal.com 2005-03-07 10:31 pm (UTC)
I think the correct line's going to depend on how ipchains is set-up at the moment (what the names of your chains are, whether they're default accept or deny, etc), so it might be best if you show us what you've got at the moment, with:

/sbin/ipchains --list

- C.

[identity profile] imc.livejournal.com 2005-03-07 11:29 pm (UTC)
Port forwarding isn't that complicated if you're using iptables. Sadly I never mastered it on ipchains (I never had to) — I thought ipchains had more or less died out by now.

Assuming your firewall machine is not the same machine that you want to run the chat software on, I believe the command ipmasqadm portfw is involved and I've found a little bit (http://www.ox.compsoc.org.uk/~steve/portfw-2.2.html) of stuff about it.

[identity profile] martling.livejournal.com 2005-03-08 12:11 am (UTC)
Based on that, I think you need to know:

- The public IP address on your internet connection.
- The IP address of the Mac with the iSight on.

And then do once for each port number (5060 and from 16384 to 16403):

ipmasqadm portfw -a -P udp -L -R

[identity profile] martling.livejournal.com 2005-03-08 12:14 am (UTC)
Which might make more sense on the web if I wrote it:

ipmasqadm portfw -a -P udp -L <public IP> <port> -R <mac IP> <port>

[identity profile] j4.livejournal.com 2005-03-08 01:21 pm (UTC)
This looks eminently cut-and-pasteable -- thank you! :-) I'll give it a try tonight...

[identity profile] j4.livejournal.com 2005-03-08 07:50 pm (UTC)
fire:/etc/init.d# ipmasqadm portfw -a -P udp -L 213.104.13.73 5060 -R 172.19.244.11
portfw: illegal destination specified
Um... any suggestions?

[identity profile] j4.livejournal.com 2005-03-08 08:02 pm (UTC)
Ah. After further prodding, [livejournal.com profile] sion_a says a) we don't have the ip_portfw kernel module, and b) it might be time for a kernel upgrade...

Thanks for your help anyway, hopefully we'll be able to use your magic runes when the, um, *waves hands* innards are sorted out. :-)

[identity profile] martling.livejournal.com 2005-03-09 01:44 am (UTC)
Ah, okay. I think the quickest route would be to add in that module, but if [livejournal.com profile] sion_a wants to upgrade things anyway then it'll all go to iptables instead. In which case what you'll want will look more like:

iptables -t nat -A PREROUTING -p udp --dport 5060 -d 213.104.13.73 -j DNAT --to-destination 172.19.244.11

Also, IJLTS badgers again for no particular reason.

BADGERS.

[personal profile] sparrowsion 2005-03-09 12:44 pm (UTC)
After further further prodding while slightly more awake, it turns out that the portfw module and friends are available, just very well hidden, and it just needs a recompile of the existing kernel. Which is going on as I type.

[identity profile] kaet.livejournal.com 2005-03-07 11:57 pm (UTC)
I'm afraid I have no idea with ipchains. I am a wuss, and use a thing in a box that you configure with a web browser. :(

[personal profile] sparrowsion 2005-03-08 01:00 am (UTC)
Looking at the firewall logs, I think it should be easily possible to set things up to allow you to establish a connection using the same trick that the internal name and time servers do. Assuming the other end port-forwards sensibly. Ugh, I really should have gone to sleep an hour ago instead of looking into this.

[identity profile] j4.livejournal.com 2005-03-08 01:22 pm (UTC)
Does that mean [livejournal.com profile] martling's solution isn't what we need? It looked like the sort of thing we were groping towards (and failing to find!) last night...

[personal profile] sparrowsion 2005-03-08 01:59 pm (UTC)
Not knowing how the iChat protocol works (in particular, where it gets its ip addresses from), I'm guessing [livejournal.com profile] martling's solution will allow connections to be made to you whereas I'm looking at how a connection could be established from you. So we may need both.

[identity profile] martling.livejournal.com 2005-03-08 03:04 pm (UTC)
I'm not sure you need to do anything for traffic initiated in the other direction, since you're already allowing and masquerading things outbound from badgers.

[personal profile] sparrowsion 2005-03-08 03:31 pm (UTC)
Yes, but it won't in general allow udp packets back onto the internal network (there are specific exceptions for the name and time servers—I'm talking about making iChat a specific exception too).

[identity profile] j4.livejournal.com 2005-03-08 08:02 pm (UTC)
IHNJ, IJLS "outbound from badgers" :-)

[identity profile] aardvark179.livejournal.com 2005-03-09 01:08 am (UTC)
You'd be best off upgrading the kernel to iptables. The important thing to watch for is that the firewall should not change the source port of outgoing UDP packets, and I don't think ipchains guarantees to preserve this, and I think iptables will, but have a check.

Also worth looking at this (http://docs.info.apple.com/article.html?artnum=93208) which lists the main ports to do with the iChat protocols and has a couple of links to the nitty gritty stuff.

[personal profile] sparrowsion 2005-03-09 10:23 am (UTC)
Actually, having (another) look at that, and a bit more digging around, it appears that the summary solution is "What you're trying to do is fundamentally impossible, because Linux firewalls don't know how to handle SIP."

[identity profile] j4.livejournal.com 2005-03-09 11:08 am (UTC)
So I can't actually use my iSight at all? :-(

[personal profile] sparrowsion 2005-03-09 11:42 am (UTC)
The port forwarding stuff might work. I don't know. My brain is full of work stress, and isn't up to trying to second guess undocumented protocols.
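Pulling the thread's two answers together as an added example (this is not code from the original post or from any of the commenters): a small POSIX shell helper that prints the complete rule set for forwarding iChat AV's UDP ports (5060, and 16384 to 16403) to one internal Mac, either in the ipmasqadm form martling gave for a 2.2 kernel, where portfw takes one port at a time and wants a port on both -L and -R, or in the iptables form for 2.4 and later, where the media range is a single rule. The iptables variant also adds the FORWARD rules that a DNAT on its own does not give you, including the ESTABLISHED,RELATED rule that covers sparrowsion's point about UDP replies getting back onto the internal network. The addresses (the thread's own), the external interface name eth0 and all function names are assumptions; by default it only prints the commands, and APPLY=1 runs them, which needs root and the relevant tool installed.

```shell
#!/bin/sh
# Added example, not from the thread: generate the rules that forward iChat AV's
# UDP ports (5060 for SIP signalling, 16384-16403 for media) from a Linux NAT box
# to one internal Mac. All helper names, the interface name and the addresses
# used in the example run are assumptions.

SIP_PORT=5060
MEDIA_LO=16384
MEDIA_HI=16403

# Reject anything that is not a plain dotted-quad IPv4 address, so a typo cannot
# turn into a rule that sends traffic to the wrong host.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# 2.2-kernel form: ipmasqadm portfw has no range syntax and needs a port after
# both -L and -R, so the media range becomes 20 separate entries.
ipmasqadm_rules() {
    pub_ip=$1; mac_ip=$2
    port=$SIP_PORT
    echo "ipmasqadm portfw -a -P udp -L $pub_ip $port -R $mac_ip $port"
    port=$MEDIA_LO
    while [ "$port" -le "$MEDIA_HI" ]; do
        echo "ipmasqadm portfw -a -P udp -L $pub_ip $port -R $mac_ip $port"
        port=$((port + 1))
    done
}

# 2.4+ form: DNAT in nat/PREROUTING only rewrites the destination; the packets
# then still traverse FORWARD, so a default-deny FORWARD chain needs matching ACCEPTs.
iptables_rules() {
    pub_ip=$1; mac_ip=$2; ext_if=${3:-eth0}
    for ports in "$SIP_PORT" "$MEDIA_LO:$MEDIA_HI"; do
        echo "iptables -t nat -A PREROUTING -i $ext_if -p udp -d $pub_ip --dport $ports -j DNAT --to-destination $mac_ip"
        echo "iptables -A FORWARD -i $ext_if -p udp -d $mac_ip --dport $ports -j ACCEPT"
    done
    # Replies to UDP flows the Mac opens outbound are tracked as ESTABLISHED, so
    # this one rule replaces the per-service holes ipchains needed for UDP replies.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Entry point. Dry run by default (prints the commands); APPLY=1 executes them.
ichat_forward() {
    mode=$1; pub_ip=$2; mac_ip=$3; ext_if=$4
    is_ipv4 "$pub_ip" && is_ipv4 "$mac_ip" || {
        echo "usage: ichat_forward ipmasqadm|iptables PUBLIC_IP MAC_IP [EXT_IF]" >&2
        return 2
    }
    case "$mode" in
        ipmasqadm) rules=$(ipmasqadm_rules "$pub_ip" "$mac_ip") ;;
        iptables)  rules=$(iptables_rules "$pub_ip" "$mac_ip" "$ext_if") ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
}

# Example run with the thread's addresses (dry run, prints five iptables lines):
ichat_forward iptables 213.104.13.73 172.19.244.11
```

Two checks worth doing once the rules are in. On aardvark179's point about source ports: iptables MASQUERADE and SNAT keep the original source port unless it collides with an existing mapping, so watch /proc/net/ip_conntrack during a call and confirm the outbound entries for the Mac still show the 16384-16403 source ports unchanged. On sparrowsion's SIP point: a plain DNAT does nothing about the internal address that SIP carries inside its payload; kernels from 2.6.18 onwards ship nf_conntrack_sip and nf_nat_sip helpers that track the signalling and rewrite those embedded addresses, so on a kernel that old the forwarding above is the best you can do without them.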