MSN Messenger Behind a NATting IPtables Firewall

Meron Lavie
01-17-2004, 10:55 AM
I have a Linux IPtables firewall protecting my LAN. I am having all sorts of
problems with MSN Messenger. In particular - getting LDAP lists of all
people on line, etc. I also am having trouble with audio or video.

Is there a definitive article on the subject?

I apologize to the group for using a Micro$oft product (such as MSN
Messenger)...

TIA.

Lavie


 
NeoSadist
01-17-2004, 03:08 PM
Meron Lavie wrote:

> I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> of problems with MSN Messenger. In particular - getting LDAP lists of all
> people on line, etc. I also am having trouble with audio or video.
>
> Is there a definitive article on the subject?
>
> I apologize to the group for using a Micro$oft product (such as MSN
> Messenger)...
>
> TIA.
>
> Lavie


It depends on how your firewall is set up. Are you just blocking/allowing
ports, or is this a stateful machine thing?
MSN Messenger logs in over 443 (http), and 1863. It uses 6891-6900 port
range for messaging. Also, for video conferencing, I believe it needs
access to random dynamic (1024-65535) ports via udp.
Also, please don't call them Micro$oft / Winblows, etc. It's unprofessional
coming from someone who chose an alternative to Microsoft Windows.

--
I fell asleep reading a dull book, and I dreamt that I was reading on,
so I woke up from sheer boredom.

 
Meron Lavie
01-17-2004, 04:08 PM

"NeoSadist" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Meron Lavie wrote:
>
> > I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> > of problems with MSN Messenger. In particular - getting LDAP lists of all
> > people on line, etc. I also am having trouble with audio or video.
> >
> > Is there a definitive article on the subject?
> >
> > I apologize to the group for using a Micro$oft product (such as MSN
> > Messenger)...
> >
> > TIA.
> >
> > Lavie

>
> It depends on how your firewall is set up. Are you just blocking/allowing
> ports, or is this a stateful machine thing?
> MSN Messenger logs in over 443 (http), and 1863. It uses 6891-6900 port
> range for messaging. Also, for video conferencing, I believe it needs
> access to random dynamic (1024-65535) ports via udp.
> Also, please don't call them Micro$oft / Winblows, etc. It's unprofessional
> coming from someone who chose an alternative to Microsoft Windows.


OK - I apologize for the MSFT quip.

My iptables knowledge is not great. By stateful, do you mean if I have the
following in my firewall?:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

because I do

Regarding the ephemeral ports 1024-65535: I only allow.


 
Meron Lavie
01-17-2004, 04:14 PM

"NeoSadist" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Meron Lavie wrote:
>
> > I have a Linux IPtables firewall protecting my LAN. I am having all sorts
> > of problems with MSN Messenger. In particular - getting LDAP lists of all
> > people on line, etc. I also am having trouble with audio or video.
> >
> > Is there a definitive article on the subject?
> >
> > I apologize to the group for using a Micro$oft product (such as MSN
> > Messenger)...
> >
> > TIA.
> >
> > Lavie

>
> It depends on how your firewall is set up. Are you just blocking/allowing
> ports, or is this a stateful machine thing?
> MSN Messenger logs in over 443 (http), and 1863. It uses 6891-6900 port
> range for messaging. Also, for video conferencing, I believe it needs
> access to random dynamic (1024-65535) ports via udp.
> Also, please don't call them Micro$oft / Winblows, etc. It's unprofessional
> coming from someone who chose an alternative to Microsoft Windows.
>
> --
> I fell asleep reading a dull book, and I dreamt that I was reading on,
> so I woke up from sheer boredom.
>


OK - I apologize for the MSFT quip.

My iptables knowledge is not great. By stateful, do you mean if I have the
following in my firewall?:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

because I do.

From reading some sites on the web, it would seem that I also need to supply
IGP/UPnP support for iptables, but the solutions I found for this seem so
complicated to install that Linus himself couldn't get it up and running.

Any ideas?



 
NeoSadist
01-17-2004, 09:28 PM
Meron Lavie wrote:

> OK - I apologize for the MSFT quip.
>
> My iptables knowledge is not great. By stateful, do you mean if I have the
> following in my firewall?:


Usually stateful works like this (for non-icmp stuff):
iptables -A INPUT -i eth0 -p ! icmp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p ! icmp -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

(the \ means that the next line continues the command)

I.e. the generally accepted stateful setup is to allow only new connections
outbound, but established (i.e. we started the connection) and related
(i.e. related to something we started) are ok both incoming and outgoing.

What I meant was that if you're only doing that, and not filtering the ports
themselves, you should be fine. Port-filtering firewalls are different
than stateful firewalls. Port-filtering assumes that only good traffic
comes in and goes out on certain ports, so it filters based on the port #.
Stateful filters based on the (abstract) state of the connection, which can
be better, or at least simpler, for home users. I prefer a combination of
the two, but what I was asking is if you're filtering based on the port or
on the state.

A port filtering firewall would look more like this:
# HTTP:
iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
# DNS:
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


Why are you using forward? Does this box act as a router/firewall?

>
> because I do.
>
> From reading some sites on the web, it would seem that I also need to
> supply IGP/UPnP support for iptables, but the solutions I found for this
> seem so complicated to install that Linus himself couldn't get it up and
> running.


IGMP? I don't allow that protocol at all, and I usually block it for
security reasons.
UPnP? I also don't use that for security reasons, and the fact that I
absolutely hate WinXP.

>
> Any ideas?


Uh, yeah, tell me what you're wanting to do with the firewall, where and how
this machine is being used, and your progress so far.

--
Tomorrow, you can be anywhere.

 
Walter Mautner
01-18-2004, 06:44 PM
NeoSadist wrote:

> Meron Lavie wrote:

......
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

>
> Why are you using forward? Does this box act as a router/firewall?
>
>>
>> because I do.
>>

Obviously the OP is. I don't assume he runs MSN Messenger on the linux
iptable-firewall (though it might be worth a try from within WINE). Running
it on a vmware virtual machine counts as "behind the firewall", because of
the usual bridging/NAT setup.
--
Longhorn error#4711: TCPA / NGSCB VIOLATION: Microsoft optical mouse
detected penguin patterns on mousepad. Partition scan in progress
to remove offending incompatible products. Reactivate your MS software
(3 days grace period). [LinuxCounter#295241]
 
Dr. Chandra
01-21-2004, 12:30 AM
On Sat, 17 Jan 2004 15:28:31 -0700, NeoSadist wrote:

> Meron Lavie wrote:
>
>> OK - I apologize for the MSFT quip.
>>
>> My iptables knowledge is not great. By stateful, do you mean if I have
>> the following in my firewall?:

>
> Usually stateful works like this (for non-icmp stuff):
> iptables -A INPUT -i eth0 -p ! icmp -m state \
> --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p ! icmp -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> (the \ means that the next line continues the command)
>
> I.e. the generally accepted stateful setup is to allow only new
> connections outbound, but established (i.e. we started the connection) and
> related (i.e. related to something we started) are ok both incoming and
> outgoing.
>


Hi,

By coincidence I've been trying to get msn-clients connecting to
msn-server for some time now. Works flawlessly with linux msn-clients but
(ahum) native msn-clients disconnect. Also reports MSNP8 instead of MSNP9,
truly odd.

What I did was install hlfl and write some really simple script, then
compile the rules, this in combination with reaim should have done the
trick. But i fumbled.

> What I meant was that if you're only doing that, and not filtering the
> ports themselves, you should be fine. Port-filtering firewalls are
> different than stateful firewalls. Port-filtering assumes that only good
> traffic comes in and goes out on certain ports, so it filters based on the
> port #. Stateful filters based on the (abstract) state of the connection,
> which can be better, or at least simpler, for home users. I prefer a
> combination of the two, but what I was asking is if you're filtering based
> on the port or on the state.
>
> A port filtering firewall would look more like this:
> # HTTP:
> iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
> # DNS:
> iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
>


If you plan on using reaim you can just copy the rules from the
documentation, they're made for nat ...
>
>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

>
> Why are you using forward? Does this box act as a router/firewall?
>
>
>> because I do.
>>
>> From reading some sites on the web, it would seem that I also need to
>> supply IGP/UPnP support for iptables, but the solutions I found for this
>> seem so complicated to install that Linus himself couldn't get it up and
>> running.

>
> IGMP? I don't allow that protocol at all, and I usually block it for
> security reasons.
> UPnP? I also don't use that for security reasons, and the fact that I


I've just downloaded the linux-igd which is the mischievous attempt at
getting ms-ics / upnp to linux ... since I can't get reaim/iptables to do
what it should.

> absolutely hate WinXP.
>


I am not alone then?

Pfew, there's something about it that's just ... peculiar, too peculiar.

>
>> Any ideas?

>
> Uh, yeah, tell me what you're wanting to do with the firewall, where and
> how this machine is being used, and your progress so far.


I'm willing to post my configs, just in case.
Maybe we can work this issue together?

--
Best Regards,

Dr. Chandra

 
Harold
01-21-2004, 09:47 PM
I'm using a straight /usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j
MASQUERADE

for setting up router and nat functionality.

within MSN (on Win2000 and XP machines behind the linux) everything works
(including video) except the audio functionality. uPnP didn't seem to make
a big difference and you lost me with your story about stateful work, I miss
the experience to see the rationality why this would solve the issues with
MSN. I'm very interested though to get this working...

"Dr. Chandra" <drchandra@_LOSE-SP4M_pandora.be> wrote in message
newsan.2004.01.21.01.30.30.721850@_LOSE-SP4M_pandora.be...
> On Sat, 17 Jan 2004 15:28:31 -0700, NeoSadist wrote:
>
> > Meron Lavie wrote:
> >
> >> OK - I apologize for the MSFT quip.
> >>
> >> My iptables knowledge is not great. By stateful, do you mean if I have
> >> the following in my firewall?:

> >
> > Usually stateful works like this (for non-icmp stuff):
> > iptables -A INPUT -i eth0 -p ! icmp -m state \
> > --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -o eth0 -p ! icmp -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> > (the \ means that the next line continues the command)
> >
> > I.e. the generally accepted stateful setup is to allow only new
> > connections outbound, but established (i.e. we started the connection) and
> > related (i.e. related to something we started) are ok both incoming and
> > outgoing.
> >

>
> Hi,
>
> By coincidence I've been trying to get msn-clients connecting to
> msn-server for some time now. Works flawlessly with linux msn-clients but
> (ahum) native msn-clients disconnect. Also reports MSNP8 instead of MSNP9,
> truly odd.
>
> What I did was install hlfl and write some really simple script, then
> compile the rules, this in combination with reaim should have done the
> trick. But I fumbled.
>
> > What I meant was that if you're only doing that, and not filtering the
> > ports themselves, you should be fine. Port-filtering firewalls are
> > different than stateful firewalls. Port-filtering assumes that only good
> > traffic comes in and goes out on certain ports, so it filters based on the
> > port #. Stateful filters based on the (abstract) state of the connection,
> > which can be better, or at least simpler, for home users. I prefer a
> > combination of the two, but what I was asking is if you're filtering based
> > on the port or on the state.
> >
> > A port filtering firewall would look more like this:
> > # HTTP:
> > iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
> > # DNS:
> > iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
> >

>
> If you plan on using reaim you can just copy the rules from the
> documentation, they're made for nat ...
> >
> >> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

> >
> > Why are you using forward? Does this box act as a router/firewall?
> >
> >
> >> because I do.
> >>
> >> From reading some sites on the web, it would seem that I also need to
> >> supply IGP/UPnP support for iptables, but the solutions I found for this
> >> seem so complicated to install that Linus himself couldn't get it up and
> >> running.

> >
> > IGMP? I don't allow that protocol at all, and I usually block it for
> > security reasons.
> > UPnP? I also don't use that for security reasons, and the fact that I

>
> I've just downloaded the linux-igd which is the mischievous attempt at
> getting ms-ics / upnp to linux ... since I can't get reaim/iptables to do
> what it should.
>
> > absolutely hate WinXP.
> >

>
> I am not alone then?
>
> Pfew, there's something about it that's just ... peculiar, too peculiar.
>
> >
> >> Any ideas?

> >
> > Uh, yeah, tell me what you're wanting to do with the firewall, where and
> > how this machine is being used, and your progress so far.

>
> I'm willing to post my configs, just in case.
> Maybe we can work this issue together?
>
> --
> Best Regards,
>
> Dr. Chandra
>



 
Dr. Chandra
01-22-2004, 02:51 PM
On Wed, 21 Jan 2004 23:47:59 +0100, Harold wrote:

> I'm using a straight /usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j
> MASQUERADE
>
> for setting up router and nat functionality.
>


I only added my subnet mask to that line .... -s 192.168.5.0/24

> within MSN (on Win2000 and XP machines behind the linux) everything works
> (including video) except the audio functionality. uPnP didn't seem to


Connecting is not the issue, staying connected is. For some reason there
are irregularly timed disconnects. NO way of tracing what end of the
connection (lan/fw) they're coming from.

> make a big difference and you lost me with your story about stateful work,
> I miss the experience to see the rationality why this would solve the
> issues with MSN. I'm very interested though to get this working...


I don't quite understand what you're saying here.

>
>
>
>
> "Dr. Chandra" <drchandra@_LOSE-SP4M_pandora.be> wrote in message
> newsan.2004.01.21.01.30.30.721850@_LOSE-SP4M_pandora.be...
>> On Sat, 17 Jan 2004 15:28:31 -0700, NeoSadist wrote:
>>
>> > Meron Lavie wrote:
>> >
>> >> OK - I apologize for the MSFT quip.
>> >>
>> >> My iptables knowledge is not great. By stateful, do you mean if I
>> >> have the following in my firewall?:
>> >
>> > Usually stateful works like this (for non-icmp stuff):
>> > iptables -A INPUT -i eth0 -p ! icmp -m state \
>> > --state ESTABLISHED,RELATED -j ACCEPT
>> > iptables -A OUTPUT -o eth0 -p ! icmp -m state \
>> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> >
>> > (the \ means that the next line continues the command)
>> >
>> > I.e. the generally accepted stateful setup is to allow only new
>> > connections outbound, but established (i.e. we started the connection) and
>> > related (i.e. related to something we started) are ok both incoming
>> > and outgoing.
>> >
>> >

>> Hi,
>>
>> By coincidence I've been trying to get msn-clients connecting to
>> msn-server for some time now. Works flawlessly with linux msn-clients but
>> (ahum) native msn-clients disconnect. Also reports MSNP8 instead of
>> MSNP9, truly odd.
>>
>> What I did was install hlfl and write some really simple script, then
>> compile the rules, this in combination with reaim should have done the
>> trick. But I fumbled.
>>
>> > What I meant was that if you're only doing that, and not filtering the
>> > ports themselves, you should be fine. Port-filtering firewalls are
>> > different than stateful firewalls. Port-filtering assumes that only good
>> > traffic comes in and goes out on certain ports, so it filters based on the
>> > port #. Stateful filters based on the (abstract) state of the connection,
>> > which can be better, or at least simpler, for home users. I prefer a
>> > combination of the two, but what I was asking is if you're filtering based
>> > on the port or on the state.
>> >
>> > A port filtering firewall would look more like this:
>> > # HTTP:
>> > iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT
>> > iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
>> > # DNS:
>> > iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT
>> > iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
>> >
>> >

>> If you plan on using reaim you can just copy the rules from the
>> documentation, they're made for nat ...
>> >
>> >> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> >
>> > Why are you using forward? Does this box act as a router/firewall?
>> >
>> >
>> >> because I do.
>> >>
>> >> From reading some sites on the web, it would seem that I also need to
>> >> supply IGP/UPnP support for iptables, but the solutions I found for this
>> >> seem so complicated to install that Linus himself couldn't get it up and
>> >> running.
>> >
>> > IGMP? I don't allow that protocol at all, and I usually block it for
>> > security reasons.
>> > UPnP? I also don't use that for security reasons, and the fact that I

>>
>> I've just downloaded the linux-igd which is the mischievous attempt at
>> getting ms-ics / upnp to linux ... since I can't get reaim/iptables to
>> do what it should.
>>
>> > absolutely hate WinXP.
>> >
>> >

>> I am not alone then?
>>
>> Pfew, there's something about it that's just ... peculiar, too peculiar.
>>
>>
>> >> Any ideas?
>> >
>> > Uh, yeah, tell me what you're wanting to do with the firewall, where
>> > and how this machine is being used, and your progress so far.

>>
>> I'm willing to post my configs, just in case. Maybe we can work this
>> issue together?
>>
>> --
>> Best Regards,
>>
>> Dr. Chandra
>>
>>


--
Best Regards,

Dr. Chandra

 
alvin
01-23-2004, 08:04 AM
are you trying to do audio and webcam on msn messenger??
if so, messenger has lots of problems when trying to do that behind a LAN
or NAT. if you want an easy solution, download ENAT (free trial version).

or use skype instead of MSN for audio conversations. can go through most
typical NAT and firewall configs.

by the way, I am assuming that you are using MSN messenger on windows, yea?
if you got a version that can do audio on linux, please pass me the site
where you got it from please. I would love to find some VoIP stuff that
works on linux apart from gnome-meeting

alvin


 