MSN Messenger Behind a NATting IPtables Firewall


Post by Meron Lavi » Sun, 18 Jan 2004 20:55:42



I have a Linux IPtables firewall protecting my LAN. I am having all sorts of
problems with MSN Messenger. In particular - getting LDAP lists of all
people on line, etc. I also am having trouble with audio or video.

Is there a definitive article on the subject?

I apologize to the group for using a Micro$oft product (such as MSN
Messenger)...

TIA.

Lavie

Post by NeoSadis » Mon, 19 Jan 2004 01:08:20



> I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> of problems with MSN Messenger. In particular - getting LDAP lists of all
> people on line, etc. I also am having trouble with audio or video.

> Is there a definitive article on the subject?

> I apologize to the group for using a Micro$oft product (such as MSN
> Messenger)...

> TIA.

> Lavie

It depends on how your firewall is set up.  Are you just blocking/allowing
ports, or is this a stateful machine thing?
MSN Messenger logs in over 443 (http), and 1863.  It uses 6891-6900 port
range for messaging.  Also, for video conferencing, I believe it needs
access to random dynamic (1024-65535) ports via udp.
Also, please don't call them Micro$oft / Winblows, etc.  It's unprofessional
coming from someone who chose an alternative to Microsoft Windows.

--
I fell asleep reading a dull book, and I dreamt that I was reading on,
so I woke up from sheer boredom.

Post by Meron Lavi » Mon, 19 Jan 2004 02:08:46




> > I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> > of problems with MSN Messenger. In particular - getting LDAP lists of all
> > people on line, etc. I also am having trouble with audio or video.

> > Is there a definitive article on the subject?

> > I apologize to the group for using a Micro$oft product (such as MSN
> > Messenger)...

> > TIA.

> > Lavie

> It depends on how your firewall is set up.  Are you just blocking/allowing
> ports, or is this a stateful machine thing?
> MSN Messenger logs in over 443 (http), and 1863.  It uses 6891-6900 port
> range for messaging.  Also, for video conferencing, I believe it needs
> access to random dynamic (1024-65535) ports via udp.
> Also, please don't call them Micro$oft / Winblows, etc.  It's unprofessional
> coming from someone who chose an alternative to Microsoft Windows.

OK - I apologize for the MSFT quip.

My iptables knowledge is not great. By stateful, do you mean if I have the
following in my firewall?:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

because I do

Regarding the ephemeral ports 1024-65535: I only allow.

Post by Meron Lavi » Mon, 19 Jan 2004 02:14:21




> > I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> > of problems with MSN Messenger. In particular - getting LDAP lists of all
> > people on line, etc. I also am having trouble with audio or video.

> > Is there a definitive article on the subject?

> > I apologize to the group for using a Micro$oft product (such as MSN
> > Messenger)...

> > TIA.

> > Lavie

> It depends on how your firewall is set up.  Are you just blocking/allowing
> ports, or is this a stateful machine thing?
> MSN Messenger logs in over 443 (http), and 1863.  It uses 6891-6900 port
> range for messaging.  Also, for video conferencing, I believe it needs
> access to random dynamic (1024-65535) ports via udp.
> Also, please don't call them Micro$oft / Winblows, etc.  It's unprofessional
> coming from someone who chose an alternative to Microsoft Windows.

> --
> I fell asleep reading a dull book, and I dreamt that I was reading on,
> so I woke up from sheer boredom.

OK - I apologize for the MSFT quip.

My iptables knowledge is not great. By stateful, do you mean if I have the
following in my firewall?:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

because I do.

From reading some sites on the web, it would seem that I also need to supply
IGP/UPnP support for iptables, but the solutions I found for this seem so
complicated to install that Linus himself couldn't get it up and running.

Any ideas?

Post by NeoSadis » Mon, 19 Jan 2004 07:28:31



> OK - I apologize for the MSFT quip.

> My iptables knowledge is not great. By stateful, do you mean if I have the
> following in my firewall?:

Usually stateful works like this (for non-icmp stuff):
iptables -A INPUT -i eth0 -p ! icmp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p ! icmp -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

(the \ means that the next line continues the command)

I.e. the generally accepted stateful setup is to allow only new connections
outbound, but established (i.e. we started the connection) and related
(i.e. related to something we started) are ok both incoming and outgoing.

What I meant was that if you're only doing that, and not filtering the ports
themselves, you should be fine.  Port-filtering firewalls are different
than stateful firewalls.  Port-filtering assumes that only good traffic
comes in and goes out on certain ports, so it filters based on the port #.
Stateful filters based on the (abstract) state of the connection, which can
be better, or at least simpler, for home users.  I prefer a combination of
the two, but what I was asking is if you're filtering based on the port or
on the state.

A port filtering firewall would look more like this:
# HTTP:
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
# DNS:
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Why are you using forward?  Does this box act as a router/firewall?

> because I do.

> From reading some sites on the web, it would ssem that I also need to
> supply IGP/UPnP support for iptables, but the solutions I found for this
> seem so complicated to install that Linus himself couldn't get it up and
> running.

IGMP? I don't allow that protocol at all, and I usually block it for
security reasons.
UPnP? I also don't use that for security reasons, and the fact that I
absolutely hate WinXP.

> Any ideas?

Uh, yeah, tell me what you're wanting to do with the firewall and where how
this machine is being used, and your progress so far.

--
Tomorrow, you can be anywhere.
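As an added example (not code from this thread), here is a small Python model of how the stateful FORWARD rules discussed above classify Messenger flows on a NAT router, next to a stateless port filter built from the port list in the earlier reply (443, 1863, 6891-6900). The interface names eth0 (LAN) / eth1 (WAN), all addresses and the flows themselves are constructed assumptions, and the MASQUERADE translation is left out so the state logic stays visible.

```python
from dataclasses import dataclass

LAN_IF, WAN_IF = "eth0", "eth1"   # assumed: eth0 faces the LAN, eth1 the Internet


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrived on
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Toy connection table: a flow is known once a packet was accepted in the
    NEW state; its replies (reversed 5-tuple) are then ESTABLISHED. RELATED
    needs a protocol helper and is not modelled here."""
    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def add(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


def stateful_forward(ct, p):
    """Decision of this FORWARD chain (policy DROP):
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT"""
    st = ct.state(p)
    if st == "ESTABLISHED":
        return "ACCEPT", st
    if p.in_if == LAN_IF:              # NEW is only allowed from the LAN side
        ct.add(p)
        return "ACCEPT", st
    return "DROP", st


MSN_TCP_PORTS = {443, 1863} | set(range(6891, 6901))   # ports named in the thread


def port_filter_forward(p):
    """Stateless port filter: accept TCP if either port is a Messenger port."""
    if p.proto == "tcp" and (p.sport in MSN_TCP_PORTS or p.dport in MSN_TCP_PORTS):
        return "ACCEPT"
    return "DROP"


def run_msn_scenario():
    """Constructed flows: a login to 1863, its reply, an unsolicited inbound
    UDP audio stream, and an unsolicited inbound TCP connection to port 6891."""
    ct = Conntrack()
    lan, msn, peer = "192.168.5.10", "203.0.113.20", "198.51.100.7"
    login = Packet(LAN_IF, "tcp", lan, 3201, msn, 1863)
    reply = Packet(WAN_IF, "tcp", msn, 1863, lan, 3201)
    audio = Packet(WAN_IF, "udp", peer, 40001, lan, 50123)
    probe = Packet(WAN_IF, "tcp", peer, 4444, lan, 6891)
    return {
        "login": stateful_forward(ct, login),            # ("ACCEPT", "NEW")
        "reply": stateful_forward(ct, reply),            # ("ACCEPT", "ESTABLISHED")
        "audio": stateful_forward(ct, audio),            # ("DROP", "NEW")
        "probe_stateful": stateful_forward(ct, probe),   # ("DROP", "NEW")
        "probe_portfilter": port_filter_forward(probe),  # "ACCEPT"
    }


if __name__ == "__main__":
    for name, verdict in run_msn_scenario().items():
        print(f"{name:17s} -> {verdict}")
```

The inbound UDP audio stream is dropped in the stateful model because nothing from the LAN opened it first, which is the shape of the audio problem reported in this thread; the stateless port filter, by contrast, lets an unsolicited inbound connection through merely because its destination port is 6891.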

Post by Walter Mautne » Tue, 20 Jan 2004 04:44:47




.....
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> Why are you using forward?  Does this box act as a router/firewall?

>> because I do.

Obviously the OP is. I don't assume he runs MSN Messenger on the linux
iptable-firewall (though it might be worth a try from within WINE). Running
it on a vmware virtual machine counts as "behind the firewall", because of
the usual bridging/NAT setup.
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
 to remove offending incompatible products.  Reactivate your MS software
 (3 days grace period). [LinuxCounter#295241]

Post by Dr. Chandr » Thu, 22 Jan 2004 10:30:28




>> OK - I apologize for the MSFT quip.

>> My iptables knowledge is not great. By stateful, do you mean if I have
>> the following in my firewall?:

> Usually stateful works like this (for non-icmp stuff):
> iptables -A INPUT -i eth0 -p ! icmp -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p ! icmp -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT

> (the \ means that the next line continues the command)

> I.e. the generally accepted stateful setup is to allow only new
> connections outbound, but established (i.e. we started the connection) and
> related (i.e. related to something we started) are ok both incoming and
> outgoing.

Hi,

By coincidence I've been trying to get msn-clients connecting to
msn-server for some time now. Works flawlessly with linux msn-clients but
(ahum) native msn-clients disconnect. Also reports MSNP8 instead of MSNP9,
truly odd.

What I did was install hlfl and write some really simple script, then
compile the rules, this in combination with reaim should have done the
trick. But I fumbled.

> What I meant was that if you're only doing that, and not filtering the
> ports themselves, you should be fine.  Port-filtering firewalls are
> different than stateful firewalls.  Port-filtering assumes that only good
> traffic comes in and goes out on certain ports, so it filters based on the
> port #. Stateful filters based on the (abstract) state of the connection,
> which can be better, or at least simpler, for home users.  I prefer a
> combination of the two, but what I was asking is if you're filtering based
> on the port or on the state.

> A port filtering firewall would look more like this:
> # HTTP:
> iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
> # DNS:
> iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

If you plan on using reaim you can just copy the rules from the
documentation, they're made for nat ...

>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> Why are you using forward?  Does this box act as a router/firewall?

>> because I do.

>> From reading some sites on the web, it would ssem that I also need to
>> supply IGP/UPnP support for iptables, but the solutions I found for this
>> seem so complicated to install that Linus himself couldn't get it up and
>> running.

> IGMP? I don't allow that protocol at all, and I usually block it for
> security reasons.
> UPnP? I also don't use that for security reasons, and the fact that I

I've just downloaded the linux-igd which is the mischievous attempt at
getting ms-ics / upnp to linux ... since I can't get reaim/iptables to do
what it should.

> absolutely hate WinXP.

I am not alone then ?

Phew, there's something about it that's just ... peculiar, too peculiar.

>> Any ideas?

> Uh, yeah, tell me what you're wanting to do with the firewall and where
> how this machine is being used, and your progress so far.

I'm willing to post my configs, just in case.
Maybe we can work this issue together?

--
Best Regards,

 Dr. Chandra

Post by Harol » Fri, 23 Jan 2004 07:47:59


I'm using a straight

/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

for setting up router and nat functionality.

within MSN (on Win2000 and XP machines behind the linux) everything works
(including video) except the audio functionality. uPnP didn't seem to make
a big difference and you lost me with your story about stateful work, I miss
the experience to see the rationality why this would solve the issues with
MSN. I'm very interested though to get this working...

Post by Dr. Chandr » Sat, 24 Jan 2004 00:51:19



> I'm using  a straight /usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j
> MASQUERADE

> for setting up router and nat functionality.

I only added my subnet mask to that line .... -s 192.168.5.0/24

> within MSN (on Win2000 and XP machines behind the linux) everything works
> (including video) excepts the audio functionality. uPnP didn't seem to

Connecting is not the issue, staying connected is. For some reason there
are irregularly timed disconnects. NO way of tracing what end of the
connection (lan/fw) they're coming from.

> make a big difference and you lost me with your story about stateful work,
> I miss the experience to see the rationality why this would solve the
> issues with MSN. I'm very interested though to get this working...

I don't quite understand what you're saying here.

--
Best Regards,

 Dr. Chandra

Post by alvi » Sat, 24 Jan 2004 18:04:28


are you trying to do audio and * on msn messenger??
if so, messenger has lots of problems when trying to do that behind a LAN
or NAT. if you want an easy solution, download ENAT (free trial version).

or use skype instead of MSN for audio conversations. can go through most
typical NAT and firewall configs.

by the way. i am assuming that u are using MSN messenger on windows yea?
if u got a version that can do audio on linux, please pass me the site
where you got it from please. i would love to find some VoIP stuff that
works on linux apart from gnome-meetin

alvin

Post by Erik » Mon, 26 Jan 2004 22:48:03


On Sat, 17 Jan 2004 09:08:20 -0700, the right honourable Neo*



>> I have a Linux IPtables firewall protecting my LAN. I am having all sorts
>> of problems with MSN Messenger. In particular - getting LDAP lists of all
>> people on line, etc. I also am having trouble with audio or video.

>> Is there a definitive article on the subject?

>> I apologize to the group for using a Micro$oft product (such as MSN
>> Messenger)...

>> TIA.

>> Lavie

>It depends on how your firewall is set up.  Are you just blocking/allowing
>ports, or is this a stateful machine thing?
>MSN Messenger logs in over 443 (http), and 1863.  It uses 6891-6900 port
>range for messaging.  Also, for video conferencing, I believe it needs
>access to random dynamic (1024-65535) ports via udp.
>Also, please don't call them Micro$oft / Winblows, etc.  It's unprofessional
>coming from someone who chose an alternative to Microsoft Windows.

and for remote assistance it uses 3389...

frgr
Erik

1. MSN messenger behind Firewall+NAT

I have a Linux box with a Firewall and behind windows clients aiming to use
MSN messenger, I am using NAT so the LAN has private IP's, I just want to
allow the instant messaging services, I don't care by now about the file and
video/voice transfers.

Which rules should I configure in the Firewall ?
I checked a Windows XP SP2 firewall configured to let MSN messenger go
through and it was allowing the following ports:

TCP->8653 and UDP->8661

I tried with these ports and it didn't work, I checked on the Internet and I
found out that instant messaging uses 1863 and TCP, I tried with this but it
didn't work either. So does anybody know which ports to configure and how
(which direction) ?

Thanks a lot !
