newbie at ipmasqadm and autofw

I'm trying to implement this and it doesn't seem to be working.  Below is the excerpt from the website.
"For actual voice conversations, which are done peer-to-peer, you will need to open up the following ports through your firewall: a) TCP: 1035 b) UDP: 1034 "...

I tried to implement as below:
ipmasqadm -A -v -u -r udp 1034 1034 -c tcp 7175
ipmasqadm -A -v -u -r tcp 1035 1034 -c tcp 7175

does this seem right?  When I try it, in/out traffic does not occur.

ivanhAsked:

tzangerCommented:
If I'm not mistaken, ipmasqadm requires you to specify a module (autofw or portfw, autofw in this case) before you can tell it what you want to do.

i.e.
ipmasqadm autofw -A -v -u -r udp 1034 1034 -c tcp 7175

would open up udp 1034 once tcp 7175 were hit.  (why you have -u in there *and* specify a control port I don't know).  Unfortunately you don't specify which computer on the inside will get the packet so I doubt anything will work.

(example scenario: firewall is 192.168.1.1 and the box you want the ports to go to is 192.168.1.77)

ipmasqadm autofw -A -r udp 1034 1034 -c tcp 7175 -h 192.168.1.77

will transfer udp port 1034 connects to the firewall (the computer with the real IP) to the internal host when tcp port 7175 is hit.  You can add a -u if you don't want to make sure that tcp port 7175 is hit before it allows data on udp 1034 to pass through.  I would leave the -u in there and see if it works.  If so, remove the -u to see if you can tighten up the firewall a little (not necessary though).
0
 
CookCommented:
You could do this using ipchains rules. ipchains allows you to set up a rather good packet-filtering firewall. I'd recommend Robert Ziegler's site (and book "Linux Firewalls", New Riders). More info at: http://linux-firewall-tools.com/linux/ Success!
0
 
ivanhAuthor Commented:
Actually, I was hoping for more of an answer vs. a direction. I have tried a few other things, but it doesn't seem to work.  I know I'm probably missing something simple, but I'm just not seeing it.
0
 
ksematCommented:
I really think you should try to implement that using ipchains to allow connections through those ports that you have specified. If you don't know how, then I will try and show you how.
0
 
DebberCommented:
1: download and install the IP-masquerading and ipchains modules.
2: enable IP forwarding (you could add this to /etc/rc.d/rc.local).
3: apply ipchains rules (as explained in the HOWTO and the link above). I would deny everything by default. Just allow the packets per protocol per port you really need.
0
 
ivanhAuthor Commented:
ksemat:  That would be great!

Debber:
I already have the above installed and working.  I just cannot seem to hear the audio coming back.
0
 
ksematCommented:
If you have ipchains and ip forwarding enabled then use something like
/sbin/ipchains -A input -i eth1 -p tcp -s 0/0 -d 0/0 1035 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p udp -s 0/0 -d 0/0 1034 -j ACCEPT
then you can set the default input policy to deny and the default output to accept.
I am assuming that eth1 is your external interface.
I hope you know how to flush rulesets. If not, just post a comment and I will answer; also, if you don't know how to set the default policy, I will be glad to help.
0
 
ivanhAuthor Commented:
Adjusted points from 100 to 250
0
 
ivanhAuthor Commented:
Sorry, for not responding.  Because of my lack of response, I increased points to 250.  Below is a clip from the doc I'm trying to get an answer.

"Local High port (ex. 3325) -> TCP 12053
Local High port (ex. 3325) <- TCP 12053
 
Local High port (ex. 3328) -> TCP 12083
Local High port (ex. 3328) <- TCP 12083
 
UDP 12122, 24150 - 24179 <- -> UDP 12122, 24150 - 24179
 
UDP 12120 <- -> UDP 12080 "...
0
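Pulling the pieces of this thread together (tzanger's autofw form, ksemat's ipchains input rules and the deltathree port list just quoted), here is one complete rule set as an added example. It is not code from the thread, from phonefree or from deltathree. Assumptions: eth1 is the outside interface (ksemat's assumption), 192.168.1.0/24 is the inside network, 192.168.1.77 is the PC running the voice client (tzanger's example address), TCP 7175 is the control port from the original question, and TCP 12053 is taken to be the deltathree control connection, which the quoted document does not actually state. One point worth knowing with a deny-by-default input chain: replies to masqueraded UDP sessions come back to the 2.2 kernel's masquerade port range 61000-65096, so that range has to be accepted too or outbound-initiated audio never gets back in. By default the script only prints the commands (DRY_RUN=1), so it can be read and checked on a machine without root or without ipchains at all; set DRY_RUN=0 to apply it.

```shell
#!/bin/sh
# Added example: ipchains + ipmasqadm autofw rule set for the scenario in the thread.
# Assumed values (change to match your box):
EXT_IF="${EXT_IF:-eth1}"                 # outside interface
LAN="${LAN:-192.168.1.0/24}"             # inside network
VOICE_HOST="${VOICE_HOST:-192.168.1.77}" # PC running the voice client
# DRY_RUN=1 prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Deny by default on input, accept on output, masquerade the LAN on forward.
base_policy() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P output ACCEPT
    run ipchains -P forward DENY
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -s "$LAN" -j ACCEPT
    # anti-spoofing: inside addresses must never arrive on the outside interface (logged)
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    # replies to TCP connections opened from the inside (anything that is not SYN-only)
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # replies to masqueraded UDP sessions arrive on the kernel masquerade port range
    run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 61000:65096 -j ACCEPT
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Ports from the original question (TCP 1035, UDP 1034): accept them on the outside
# interface and hand them to the voice PC once it has opened TCP 7175 (autofw form
# as given by tzanger above).
voice_ports_phonefree() {
    run ipchains -A input -i "$EXT_IF" -p tcp -d 0/0 1035 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 1034 -j ACCEPT
    run ipmasqadm autofw -A -r tcp 1035 1035 -c tcp 7175 -h "$VOICE_HOST"
    run ipmasqadm autofw -A -r udp 1034 1034 -c tcp 7175 -h "$VOICE_HOST"
}

# deltathree list: "local high port -> TCP 12053 / 12083" are outbound connections
# (covered by the ! -y rule); the UDP ports are bidirectional, so accept them inbound and
# forward them to the voice PC. UDP 12080 is the remote side's port and needs no rule.
# Assumption: TCP 12053 is the control connection that triggers the forward.
voice_ports_deltathree() {
    for p in 12122 12120; do
        run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 "$p" -j ACCEPT
        run ipmasqadm autofw -A -r udp "$p" "$p" -c tcp 12053 -h "$VOICE_HOST"
    done
    run ipchains -A input -i "$EXT_IF" -p udp -d 0/0 24150:24179 -j ACCEPT
    run ipmasqadm autofw -A -r udp 24150 24179 -c tcp 12053 -h "$VOICE_HOST"
}

apply_firewall() {
    base_policy
    voice_ports_phonefree
    voice_ports_deltathree
}

apply_firewall
```

Run it once with DRY_RUN=1 and read every printed line before applying it; as ksemat says below, pasting rules you do not understand is how a box ends up wide open. If the audio still does not come back, comment out the autofw lines and the 61000:65096 rule one at a time to see which one the traffic depends on.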
 
tzangerCommented:
I'm not quite sure what you're getting at with the redirection of TCP 3325 -> 12053 and TCP 3328 -> 12083...  Your original question doesn't seem to make much sense in light of this new data... could you give the app and perhaps what it is precisely you want done?
0
 
ksematCommented:
First, try to pull down your firewall and see whether you get the audio. If you do, then we know the problem is with the firewall; in that case, insert the chains one by one, checking whether it works, until it stops. Then you will know which rule is causing problems, and from there we can help you sort out that rule so that it does what it should do without knocking out your audio.
0
 
ivanhAuthor Commented:
Adjusted points from 250 to 300
0
 
ivanhAuthor Commented:
I really apologize for all the confusion.  I originally was trying to get an application called 'phonefree' working.  After playing with it, I decided that I didn't like it (before I was able to get it working).  So I found deltathree's PC-to-Phone.  The data above is from their documentation on how to configure the firewall to let the traffic through.  It was confusing to me.  I don't understand what a local high port is, etc.  I increased by another 50 for my stupidity.
0
 
ksematCommented:
A high port is opened up to allow sockets created by connections allowed by ipchains.
Please try out what I said so that we can concentrate on the source of the problem after you've identified it. I also wonder, do you have a firewall?
Because if you're using ipchains and you have a firewall, how did you set it up if you don't know what high ports are?
Also, what are this phonefree and pc-to-phone supposed to do?
That may make things a little clearer.
0
 
ivanhAuthor Commented:
Okay, I'll try that and get back to you.
To answer your other two questions:
1.  I'm a newbie at Linux and found a firewall script on a linux site that uses ipchains and have been trying to hack away at it (trying different things) to learn.
2.  They are internet pc-to-telephone programs.  www.deltathree.com.
0
 
ksematCommented:
Be careful about firewall scripts you pick up on the net; people sometimes put bugs in them that instead open up your system to them.
But try the script from http://firewall.langistix.com and hack it to include a line for the ports specified in your manual. I learned a lot from that script; I think you can just emulate their syntax and add similar lines in the services section. Good luck.
0
 
tzangerCommented:
oh please.

Unless you're talking about huge bash scripts like trinityos (blech), firewall rules are very simple and casual observation can tell you what they're doing and if you want what they're doing.

it *sounds* like what ivanh is looking for is a couple of lines with autofw, but without actually doing it myself I can't say what they'd be.  :-)
0
 
ivanhAuthor Commented:
What I was hoping to get out of this was just a few lines that I could cut and paste.
0
 
ksematCommented:
Okay have you tried what I suggested?
Anyway, since you have an answer, it seems that you have your problem solved. I really don't recommend cut and paste without understanding what you're really doing; sometimes people really want to help but can end up giving you a solution that leaves your system wide open.
0