Conntrack helpers for ICQ and MSN Messenger

Conntrack helpers for ICQ and MSN Messenger

[Giancarlo Boaron]

Hello. 
I have some clients in my LAN that need to access ICQ
and MSN Messenger.
Reading some iptables tutorials, I discovered that ICQ
and MSN Messenger protocols are some kind of "complex
protocols" because they send some information about
openning new connections back inside the payload of
the packets.
So, iptables needs some CONNTRACK and/or NAT helpers
to let this protocols work properly.
I looked for it on NETFILTER home page but I didn't
find it. So, I need some help about it!
Where can I get an how to apply it on my iptables?
(Do I have to use patch-o-matic?)
Besides, I want to use the FORWARD chain instead of
sending this protocols via SQUID or another proxy.

Some solution?

Regards
Giancarlo



	
	
		
_______________________________________________________
Yahoo! Messenger 6.0 - jogos, emoticons sonoros e muita diversão. Instale agora!
http://br.download.yahoo.com/messenger/

Re: Conntrack helpers for ICQ and MSN Messenger

[rruegner]

Hi,
you dont need helpers for icq it works out of the box
if you want file transfer use somethin like this
#message icq
/usr/sbin/iptables -A INPUT -p udp --dport 4000 -j ACCEPT
#this for  icq file transfer tradittional version
#first user configure icq to use ports 24500:24505 for file transfer
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 
24500:24505 -j DNAT --to 10.10.100.50
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 
24510:24515 -j DNAT --to 10.10.100.52

configure your icq client using ie tcp 24510:24515 for file transfer


#msn
/usr/sbin/iptables -A INPUT -p tcp --dport 1863 -j ACCEPT

http://reaim.sourceforge.net/
may help you too with msn file transfer

Regards

Giancarlo Boaron schrieb:

> Hello. 
> I have some clients in my LAN that need to access ICQ
> and MSN Messenger.
> Reading some iptables tutorials, I discovered that ICQ
> and MSN Messenger protocols are some kind of "complex
> protocols" because they send some information about
> openning new connections back inside the payload of
> the packets.
> So, iptables needs some CONNTRACK and/or NAT helpers
> to let this protocols work properly.
> I looked for it on NETFILTER home page but I didn't
> find it. So, I need some help about it!
> Where can I get an how to apply it on my iptables?
> (Do I have to use patch-o-matic?)
> Besides, I want to use the FORWARD chain instead of
> sending this protocols via SQUID or another proxy.
> 
> Some solution?
> 
> Regards
> Giancarlo
> 
> 
> 
> 	
> 	
> 		
> _______________________________________________________
> Yahoo! Messenger 6.0 - jogos, emoticons sonoros e muita diversão. Instale agora!
> http://br.download.yahoo.com/messenger/
> 

RE: Conntrack helpers for ICQ and MSN Messenger

[Rob Sterenborg]

netfilter-bounces@lists.netfilter.org wrote:
> Hello.
> I have some clients in my LAN that need to access ICQ and MSN
> Messenger. Reading some iptables tutorials, I discovered that ICQ and
> MSN Messenger protocols are some kind of "complex protocols"
> because they send some information about openning new
> connections back inside the payload of the packets.
> So, iptables needs some CONNTRACK and/or NAT helpers to let this
> protocols work properly. I looked for it on NETFILTER home page but I
> didn't find it. So, I need some help about it!

AFAIK, there are no ICQ or MSN helpers for Netfilter.

You can use portforwarding for one ICQ or MSN client for direct access
like filetransfer.
OTOH if you want to use these capabilities with multiple clients you
could setup a socks proxy, like the old one from NEC (the source should
be available somewhere), and configure the clients to use it.


Gr,
Rob