j4: (dodecahedron)
[personal profile] j4
Right. I'm trying to set up my iSight, and it's not working, and this suggests that our home-brewed firewall is the crux of the problem:
To use iChat AV behind a firewall, make sure your network administrator has opened UDP port 5060.

When video conferencing, iChat AV uses four UDP ports in this range: 16384 to 16403.
So anyway, my network administrator is tired & stressed and says port forwarding is complicated. I have bashed my head against the ipchains man page to no avail. Anybody have any hints (or lines I can cut and paste into our firewall)?

TIA...

Date: 2005-03-08 12:14 am (UTC)
From: [identity profile] martling.livejournal.com
Which might make more sense on the web if I wrote it:

ipmasqadm portfw -a -P udp -L <public IP> <port> -R <mac IP>

Date: 2005-03-08 01:21 pm (UTC)
From: [identity profile] j4.livejournal.com
This looks eminently cut-and-pasteable -- thank you! :-) I'll give it a try tonight...

Date: 2005-03-08 07:50 pm (UTC)
From: [identity profile] j4.livejournal.com
fire:/etc/init.d# ipmasqadm portfw -a -P udp -L 213.104.13.73 5060 -R 172.19.244.11
portfw: illegal destination specified


Um... any suggestions?

Date: 2005-03-08 08:02 pm (UTC)
From: [identity profile] j4.livejournal.com
Ah. After further prodding, [livejournal.com profile] sion_a says a) we don't have the ip_portfw kernel module, and b) it might be time for a kernel upgrade...

Thanks for your help anyway, hopefully we'll be able to use your magic runes when the, um, *waves hands* innards are sorted out. :-)

Date: 2005-03-09 01:44 am (UTC)
From: [identity profile] martling.livejournal.com
Ah, okay. I think the quickest route would be to add in that module, but if [livejournal.com profile] sion_a wants to upgrade things anyway then it'll all go to iptables instead. In which case what you'll want will look more like:

iptables -t nat -A PREROUTING -p udp --dport 5060 -d 213.104.13.73 -j DNAT --to-destination 172.19.244.11

Also, IJLTS badgers again for no particular reason.

BADGERS.
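
An added example, not part of the original comment: the iptables rule above covers UDP 5060 only, so this sketch prints (without applying) the matching DNAT and FORWARD rules for both port sets named in the Apple note, 5060 and 16384 to 16403. The function names and the 203.0.113.10 / 192.168.0.11 addresses are constructed for illustration, and the FORWARD rules assume a firewall whose FORWARD chain does not already accept this traffic.

```shell
#!/bin/sh
# Added example: print (do not run) iptables rules that forward only the
# iChat AV UDP ports to one internal host. All function names are hypothetical.

# Accept a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept a single port or a low:high range, both within 1..65535.
valid_ports() {
    case "$1" in
        *[!0-9:]*|*:*:*|:*|*:|'') return 1 ;;
    esac
    lo=${1%%:*}; hi=${1##*:}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# emit_ichat_rules PUBLIC_IP INTERNAL_IP [PORTSPEC...]
emit_ichat_rules() {
    [ "$#" -ge 2 ] || return 1
    public=$1 internal=$2
    shift 2
    [ "$#" -gt 0 ] || set -- 5060 16384:16403   # ports from the Apple note
    valid_ipv4 "$public" && valid_ipv4 "$internal" || return 1
    for spec in "$@"; do
        valid_ports "$spec" || return 1          # reject before printing anything
    done
    for spec in "$@"; do
        # Rewrite the destination of inbound UDP for these ports only.
        echo "iptables -t nat -A PREROUTING -p udp -d $public --dport $spec -j DNAT --to-destination $internal"
        # Let the rewritten packets through FORWARD, and nothing else.
        echo "iptables -A FORWARD -p udp -d $internal --dport $spec -j ACCEPT"
    done
}

# Constructed sample addresses (documentation / private ranges).
emit_ichat_rules 203.0.113.10 192.168.0.11
```

Review the printed rules before running them as root; forwarding the whole 16384:16403 range exposes 20 UDP ports on the internal host, of which iChat AV uses four per call.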

Date: 2005-03-09 12:44 pm (UTC)
sparrowsion: (cat5)
From: [personal profile] sparrowsion
After further further prodding while slightly more awake, it turns out that the portfw module and friends are available, just very well hidden, and it just needs a recompile of the existing kernel. Which is going on as I type.
