This is a discussion on MSN Messenger Behind a NATting IPtables Firewall within the Linux Security forums, part of the System Security and Security Related category.
I have a Linux IPtables firewall protecting my LAN. I am having all sorts of problems with MSN Messenger. In particular - getting LDAP lists of all people on line, etc. I also am having trouble with audio or video.

Is there a definitive article on the subject?

I apologize to the group for using a Micro$oft product (such as MSN Messenger)...

TIA.

Lavie
Meron Lavie wrote:
> I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> of problems with MSN Messenger. In particular - getting LDAP lists of all
> people on line, etc. I also am having trouble with audio or video.
>
> Is there a definitive article on the subject?
>
> I apologize to the group for using a Micro$oft product (such as MSN
> Messenger)...
>
> TIA.
>
> Lavie

It depends on how your firewall is set up. Are you just blocking/allowing ports, or is this a stateful machine thing?

MSN Messenger logs in over 443 (http), and 1863. It uses 6891-6900 port range for messaging. Also, for video conferencing, I believe it needs access to random dynamic (1024-65535) ports via udp.

Also, please don't call them Micro$oft / Winblows, etc. It's unprofessional coming from someone who chose an alternative to Microsoft Windows.

--
I fell asleep reading a dull book, and I dreamt that I was reading on, so I woke up from sheer boredom.
"NeoSadist" <neosad1st@charter.net> wrote in message news:100inflnfh71m96@corp.supernews.com...
> Meron Lavie wrote:
>
> > I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> > of problems with MSN Messenger. In particular - getting LDAP lists of all
> > people on line, etc. I also am having trouble with audio or video.
> >
> > Is there a definitive article on the subject?
> >
> > I apologize to the group for using a Micro$oft product (such as MSN
> > Messenger)...
> >
> > TIA.
> >
> > Lavie
>
> It depends on how your firewall is set up. Are you just blocking/allowing
> ports, or is this a stateful machine thing?
> MSN Messenger logs in over 443 (http), and 1863. It uses 6891-6900 port
> range for messaging. Also, for video conferencing, I believe it needs
> access to random dynamic (1024-65535) ports via udp.
> Also, please don't call them Micro$oft / Winblows, etc. It's unprofessional
> coming from someone who chose an alternative to Microsoft Windows.
>
> --
> I fell asleep reading a dull book, and I dreamt that I was reading on,
> so I woke up from sheer boredom.

OK - I apologize for the MSFT quip.

My iptables knowledge is not great. By stateful, do you mean if I have the following in my firewall?:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

because I do.

From reading some sites on the web, it would seem that I also need to supply IGP/UPnP support for iptables, but the solutions I found for this seem so complicated to install that Linus himself couldn't get it up and running.

Any ideas?
Meron Lavie wrote:
> OK - I apologize for the MSFT quip.
>
> My iptables knowledge is not great. By stateful, do you mean if I have the
> following in my firewall?:

Usually stateful works like this (for non-icmp stuff):

iptables -A INPUT -i eth0 -p ! icmp -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p ! icmp -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

(the \ means that the next line continues the command)

I.e. the generally accepted stateful setup is to allow only new connections outbound, but established (i.e. we started the connection) and related (i.e. related to something we started) are ok both incoming and outgoing.

What I meant was that if you're only doing that, and not filtering the ports themselves, you should be fine. Port-filtering firewalls are different than stateful firewalls. Port-filtering assumes that only good traffic comes in and goes out on certain ports, so it filters based on the port #. Stateful filters based on the (abstract) state of the connection, which can be better, or at least simpler, for home users. I prefer a combination of the two, but what I was asking is if you're filtering based on the port or on the state.

A port filtering firewall would look more like this:

# HTTP:
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
# DNS:
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Why are you using forward? Does this box act as a router/firewall?

> because I do.
>
> From reading some sites on the web, it would seem that I also need to
> supply IGP/UPnP support for iptables, but the solutions I found for this
> seem so complicated to install that Linus himself couldn't get it up and
> running.

IGMP? I don't allow that protocol at all, and I usually block it for security reasons. UPnP? I also don't use that for security reasons, and the fact that I absolutely hate WinXP.

> Any ideas?

Uh, yeah, tell me what you're wanting to do with the firewall and where and how this machine is being used, and your progress so far.

--
Tomorrow, you can be anywhere.
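A stateful NAT gateway ruleset along the lines NeoSadist describes, as an added example that is not from the thread: the FORWARD chain defaults to DROP, replies to LAN-started connections come back via ESTABLISHED,RELATED, and only the ports NeoSadist lists (443, 1863, 6891-6900 TCP and dynamic UDP) may be opened from the LAN side. The interface names, the LAN range and the dry-run default (rules are echoed unless IPT=iptables is set) are assumptions.

```shell
#!/bin/sh
# Stateful NAT gateway rules for MSN Messenger clients on the LAN.
# Assumed layout: eth0 faces the Internet, eth1 faces the LAN (assumption).
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24          # constructed sample LAN range

# Dry run by default: print the rules instead of loading them.
# Run with IPT=iptables (as root) to apply them for real. Left unquoted
# on purpose so "echo iptables" splits into two words.
IPT=${IPT:-echo iptables}

msn_rules() {
    # Nothing crosses the gateway unless a rule below says so.
    $IPT -P FORWARD DROP
    # Hide the LAN behind the gateway's public address.
    $IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE

    # Stateful part: replies to, and connections related to, something a
    # LAN host started are allowed back in regardless of port.
    $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only NEW connections originating on the LAN may be opened, and only
    # to the ports the thread names: login (443, 1863) and messaging (6891-6900).
    for port in 443 1863; do
        $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport $port \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport 6891:6900 \
        -m state --state NEW -j ACCEPT
    # Audio/video: dynamic UDP, but still only when the LAN side starts it.
    # A call set up from outside would hit the DROP policy, which is the
    # NAT limitation rather than a typo in the rules.
    $IPT -A FORWARD -i $LAN -o $WAN -p udp --dport 1024:65535 \
        -m state --state NEW -j ACCEPT

    # Log (rate-limited) what the policy drops so misbehaving traffic is visible.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

msn_rules
```

Run it once without IPT set to review the generated rules, then with IPT=iptables to load them; the LOG line is what you read in the kernel log when a client still fails.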