Solved

newbie at ipmasqadm and autofw

Posted on 2000-05-14
Last Modified: 2010-04-20
I'm trying to implement this and it doesn't seem to be working.  Below is the excerpt from the website.
"For actual voice conversations, which are done peer-to-peer, you will need to open up the following ports through your firewall: a) TCP: 1035 b) UDP: 1034 "...

I tried to implement as below:
ipmasqadm -A -v -u -r udp 1034 1034 -c tcp 7175
ipmasqadm -A -v -u -r tcp 1035 1034 -c tcp 7175

Does this seem right?  When I try it, in/out traffic does not occur.

Question by:ivanh
19 Comments
 
LVL 1

Expert Comment

by:Cook
ID: 2809525
You could do this using ipchains rules. Ipchains allows you to set up a rather good packet-filtering firewall. I'd recommend Robert Ziegler's site (and book "Linux Firewalls", New Riders). More info on: http://linux-firewall-tools.com/linux/ Success!
0
 
LVL 1

Author Comment

by:ivanh
ID: 2819389
Actually, I was hoping for more of an answer vs. a direction. I have tried a few other things, but it doesn't seem to work.  I know I'm probably missing something simple, but just not seeing it.
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2829133
I really think you should try to implement that using ipchains to allow connections through those ports that you have specified. If you don't know how, then I will try and show you how.
0
 

Expert Comment

by:Debber
ID: 2830685
1: Download and install the IP masquerading and ipchains modules.
2: Enable IP forwarding (you could add this to /etc/rc.d/rc.local).
3: Apply ipchains rules (as explained in the HOWTO and the link above). I would deny everything by default. Just allow the packets per protocol per port you really need.
0
 
LVL 1

Author Comment

by:ivanh
ID: 2831386
ksemat:  That would be great!

Debber:
I already have the above installed and working.  I just cannot seem to hear the audio coming back.
0
 
LVL 2

Accepted Solution

by:
tzanger earned 300 total points
ID: 2834196
If I'm not mistaken, ipmasqadm requires you to specify a module (autofw or portfw, autofw in this case) before you can tell it what you want to do.

i.e.
ipmasqadm autofw -A -v -u -r udp 1034 1034 -c tcp 7175

would open up udp 1034 once tcp 7175 were hit.  (why you have -u in there *and* specify a control port I don't know).  Unfortunately you don't specify which computer on the inside will get the packet so I doubt anything will work.

(example scenario: firewall is 192.168.1.1 and the box you want the ports to go to is 192.168.1.77)

ipmasqadm autofw -A -r udp 1034 1034 -c tcp 7175 -h 192.168.1.77

will transfer udp port 1034 connections to the firewall (the computer with the real IP) to the internal host when tcp port 7175 is hit.  You can add a -u if you don't want to make sure that tcp port 7175 is hit before it allows data on udp 1034 to pass through.  I would leave the -u in there and see if it works.  If so, remove the -u to see if you can tighten up the firewall a little (not necessary though).
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2834509
If you have ipchains and IP forwarding enabled then use something like
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 1035 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p udp -s 0/0 -d 0/0 1034 -j ACCEPT
then you can set the default input policy to deny and the default output to accept.
I am assuming that eth1 is your external interface (ipchains matches the interface with -i; -d takes an address, and a port needs a -p protocol).
I hope you know how to flush rulesets. If not, just post a comment and I will answer. Also, if you don't know how to set the default policy, I will be glad to help.
0
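Putting the accepted answer's ipmasqadm autofw syntax and ksemat's ipchains rules together, here is an added example of a complete ruleset generator for the two ports quoted in the question (TCP 1035 in, UDP 1034 in); it is not code from the thread or from any of the posters. The interface names (eth1 outside, eth0 inside), the LAN range 192.168.1.0/24 and the firewall's public address 203.0.113.10 are assumptions, the inside host 192.168.1.77 is borrowed from the accepted answer's scenario, and TCP 7175 is the control port from the question. The script prints the command list rather than running it, so every rule can be read before it touches the box; run it with APPLY=1 as root on the firewall to execute the rules.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ipchains + ipmasqadm autofw
# ruleset that lets TCP 1035 and UDP 1034 in from the Internet and hands them
# to one inside host once that host has opened the control connection.
# Assumed layout (edit to taste):
EXT_IF=${EXT_IF:-eth1}           # outside interface (ksemat's assumption)
INT_IF=${INT_IF:-eth0}           # inside interface (assumed)
EXT_IP=${EXT_IP:-203.0.113.10}   # firewall's public address (assumed, documentation range)
LAN=${LAN:-192.168.1.0/24}       # inside network (assumed)
INSIDE=${INSIDE:-192.168.1.77}   # box running the voice app (accepted answer's example)
CTRL_PORT=${CTRL_PORT:-7175}     # control port from the question
MASQ_PORTS=61000:65096           # kernel 2.2 default masquerade port range

# valid_port N: succeed when N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: succeed for four dotted decimal octets, each 0..255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o; do [ "$o" -le 255 ] || return 1; done
}

# fw_rules: print the ruleset, one command per line; fails on bad parameters
fw_rules() {
    if ! valid_ipv4 "$INSIDE" || ! valid_ipv4 "$EXT_IP" || ! valid_port "$CTRL_PORT"; then
        echo "fw_rules: bad INSIDE, EXT_IP or CTRL_PORT" >&2
        return 1
    fi
    cat <<EOF
# start clean and deny by default: only the rules below let anything in
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# loopback and the LAN side are trusted
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $INT_IF -s $LAN -j ACCEPT
# anti-spoofing: our own LAN range must never arrive on the outside interface
ipchains -A input -i $EXT_IF -s $LAN -j DENY -l
# replies to masqueraded sessions come back to the masquerade port range
ipchains -A input -i $EXT_IF -d $EXT_IP $MASQ_PORTS -j ACCEPT
# the two inbound ports the voice application needs (quoted in the question)
ipchains -A input -i $EXT_IF -p tcp -s 0/0 -d $EXT_IP 1035 -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s 0/0 -d $EXT_IP 1034 -j ACCEPT
# masquerade the LAN out of the external interface
ipchains -A forward -i $EXT_IF -s $LAN -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
# autofw entries in the form the accepted answer gives: hand the ports to
# $INSIDE after it has opened a TCP connection to port $CTRL_PORT
ipmasqadm autofw -F
ipmasqadm autofw -A -r udp 1034 1034 -c tcp $CTRL_PORT -h $INSIDE
ipmasqadm autofw -A -r tcp 1035 1035 -c tcp $CTRL_PORT -h $INSIDE
EOF
}

# Print the rules for review; APPLY=1 executes them instead (run as root).
if [ "${APPLY:-0}" = 1 ]; then fw_rules | sh; else fw_rules; fi
```

The ordering matters: the default policies are set to DENY before anything is appended, the anti-spoofing rule sits above the accepts, and the only holes on the outside interface are the masquerade return range and the two application ports, each tied to the firewall's own address rather than `-d 0/0`. If the audio still does not come back, the deltathree port list quoted later in the thread can be dropped into the same two places (an `ipchains -A input` line and an `ipmasqadm autofw -A` line per port or range).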
 
LVL 1

Author Comment

by:ivanh
ID: 2858195
Adjusted points from 100 to 250
0
 
LVL 1

Author Comment

by:ivanh
ID: 2858196
Sorry for not responding.  Because of my lack of response, I increased the points to 250.  Below is a clip from the doc I'm trying to get an answer for.

"Local High port (ex. 3325) -> TCP 12053
Local High port (ex. 3325) <- TCP 12053
 
Local High port (ex. 3328) -> TCP 12083
Local High port (ex. 3328) <- TCP 12083
 
UDP 12122, 24150 - 24179 <- -> UDP 12122, 24150 - 24179
 
UDP 12120 <- -> UDP 12080 "...
0
 
LVL 2

Expert Comment

by:tzanger
ID: 2858263
I'm not quite sure what you're getting at with the redirection of TCP 3325 -> 12053 and TCP 3328 -> 12083...  Your original question doesn't seem to make much sense in light of this new data... could you give the app and perhaps what it is precisely you want done?
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2859113
First try to pull down your firewall and see whether you will get the audio in. If you do, then we know the problem is with the firewall; in that case insert the chains one by one, checking whether it works until it stops, then you will know which rule is causing problems. From there we can help you sort out that rule so that it does what it should do without knocking out your audio.
0
 
LVL 1

Author Comment

by:ivanh
ID: 2859394
Adjusted points from 250 to 300
0
 
LVL 1

Author Comment

by:ivanh
ID: 2859395
I really apologize for all the confusion.  I originally was trying to get an application called 'phonefree' working.  After playing with it, I decided that I didn't like it (before I was able to get it working).  So I found deltathree's PC-to-Phone.  The data above is from their documentation on how to configure the firewall to let the traffic through.  It was confusing to me.  I don't understand what a local high port is....etc.  I increased by another 50 for my stupidity.
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2862077
A high port is opened up to allow sockets created by connections allowed by ipchains.
Please try out what I said so that we can concentrate on where the source of the problem is after you've identified it. I also wonder, do you have a firewall?
Because if you're using ipchains and you have a firewall, how did you set it up if you don't know what high ports are?
Also, what are this phonefree and pc-to-phone supposed to do?
That may make things a little clearer.
0
 
LVL 1

Author Comment

by:ivanh
ID: 2865944
Okay, I'll try that and get back to you.
To answer your other two questions:
1.  I'm a newbie at Linux and found a firewall script on a linux site that uses ipchains and have been trying to hack away at it (trying different things) to learn.
2.  They are internet pc-to-telephone programs.  www.deltathree.com.
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2868274
Be careful about firewall scripts you pick up on the net; people sometimes put bugs in them that instead open up your system to them.
But try the script from http://firewall.langistix.com and hack it to include a line for the ports specified in your manual. I learnt a lot from that script; I think just emulate their syntax and add similar lines in the services section. Good luck.
0
 
LVL 2

Expert Comment

by:tzanger
ID: 2871409
oh please.

Unless you're talking about huge bash scripts like trinityos (blech), firewall rules are very simple and casual observation can tell you what they're doing and if you want what they're doing.

it *sounds* like what ivanh is looking for is a couple of lines with autofw, but without actually doing it myself I can't say what they'd be.  :-)
0
 
LVL 1

Author Comment

by:ivanh
ID: 2872709
What I was hoping to get out of this was just a few lines that I could cut and paste.
0
 
LVL 2

Expert Comment

by:ksemat
ID: 2872821
Okay have you tried what I suggested?
Anyway, since you have an answer, it seems that you have your problem solved. I really don't recommend cut and paste without understanding what you're really doing; sometimes people really want to help but can end up giving you a solution that leaves your system wide open.
0
