* msn and yahoo messenger voice chat
@ 2005-04-09  6:30 Wennie V. Lagmay
  2005-04-11 22:19 ` Jason Opperisano
  0 siblings, 1 reply; 10+ messages in thread
From: Wennie V. Lagmay @ 2005-04-09  6:30 UTC (permalink / raw)
  To: Netfilter @ lists.netfilter.org

Hi all,

Below are the config I tested and results:

1. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SNAT --to-source
xxx.xxx.85.113-xxx.xxx.85.115
2. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -d
xxx.xxx.85.113 -j MASQUERADE
3. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j MASQUERADE

config 1, everything is working fine except msn and yahoo messenger voice
chat.
config 2, everything is working fine except msn and yahoo messenger voice
chat.
config 3, everything is working fine including msn and yahoo messenger voice
chat, the only problem is that this configuration is not suited to our
setup. Does anybody have an idea on using config 1 and 2 with msn and yahoo
messenger voice chat enabled? Or do you have any solution similar to
config 1 with all features enabled?

Thank you very much,

Wennie





* Re: msn and yahoo messenger voice chat
  2005-04-09  6:30 Wennie V. Lagmay
@ 2005-04-11 22:19 ` Jason Opperisano
  2005-04-12 12:27   ` Wennie V. Lagmay
  0 siblings, 1 reply; 10+ messages in thread
From: Jason Opperisano @ 2005-04-11 22:19 UTC (permalink / raw)
  To: netfilter

On Sat, Apr 09, 2005 at 09:30:29AM +0300, Wennie V. Lagmay wrote:
> Hi all,
> 
> Below are the config I tested and results:
> 
> 1. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SNAT --to-source
> xxx.xxx.85.113-xxx.xxx.85.115
> 2. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -d
> xxx.xxx.85.113 -j MASQUERADE
> 3. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j MASQUERADE
> 
> config 1, everything is working fine except msn and yahoo messenger voice
> chat.
> config 2, everything is working fine except msn and yahoo messenger voice
> chat.
> config 3, everything is working fine including msn and yahoo messenger voice
> chat, the only problem is that this configuration is not suited to our
> setup. Does anybody have an idea on using config 1 and 2 with msn and yahoo
> messenger voice chat enabled? Or do you have any solution similar to
> config 1 with all features enabled?

use the SAME target from PoM to tell iptables to use the same SNAT IP
for subsequent connections between the same src and dst IP:

  iptables -t nat -A POSTROUTING -s 192.169.10.0/24 \
    -j SAME --to xxx.xxx.85.113-xxx.xxx.85.115

-j

--
"Peter: You wanna talk about awkward moments? Once, during sex,
 I called Lois "Frank". Your move, Sherlock."
        --Family Guy



* Re: msn and yahoo messenger voice chat
  2005-04-11 22:19 ` Jason Opperisano
@ 2005-04-12 12:27   ` Wennie V. Lagmay
  0 siblings, 0 replies; 10+ messages in thread
From: Wennie V. Lagmay @ 2005-04-12 12:27 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

Thank you Jason, I just want to confirm: is it to be written

like this alone:
iptables -t nat -A POSTROUTING -s 192.169.10.0/24  -j SAME --to
xxx.xxx.85.113-xxx.xxx.85.115

or the original SNAT plus SAME like this :
IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SNAT --to-source
xxx.xxx.85.113-xxx.xxx.85.115
iptables -t nat -A POSTROUTING -s 192.169.10.0/24  -j SAME --to
xxx.xxx.85.113-xxx.xxx.85.115

wennie


* Re: msn and yahoo messenger voice chat
       [not found] <1113309566.425bc17e6a46f@webmail.yanbulink.net>
@ 2005-04-12 12:39 ` Jason Opperisano
  2005-04-12 14:55   ` Wennie V. Lagmay
  0 siblings, 1 reply; 10+ messages in thread
From: Jason Opperisano @ 2005-04-12 12:39 UTC (permalink / raw)
  To: netfilter

On Tue, Apr 12, 2005 at 03:39:26PM +0300, Wennie V. Lagmay wrote:
> 
> Thank you Jason, I just want to confirm: is it to be written
> 
> like this alone:
> iptables -t nat -A POSTROUTING -s 192.169.10.0/24  -j SAME --to
> xxx.xxx.85.113-xxx.xxx.85.115

yes--SAME can completely replace your SNAT rule, if you so desire.

> or the original SNAT plus SAME like this :
> IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SNAT --to-source
> xxx.xxx.85.113-xxx.xxx.85.115

that rule isn't completely correct, as it has no "-t nat" in it.

> iptables -t nat -A POSTROUTING -s 192.169.10.0/24  -j SAME --to
> xxx.xxx.85.113-xxx.xxx.85.115

if you're asking if you should have a SNAT rule followed by a SAME rule
that are identical except for the target, then no--the SAME rule will
never be matched in that scenario.

if you want to combine SAME and SNAT--put the SAME rule first and have
it match only on the specific ports used by the application in question
that cannot handle src IP changes; and the SNAT rule second to catch the
rest of the general traffic.

HTH...

-j

--
"Chris: Where do you think you go when you die?
 Southern boy: I learned from church that if you're good you go to
 heaven but if you're bad, you go to a place where the dead believe
 they're still living and they pray for death but death won't come.
 Chris: UPN?"
        --Family Guy



* Re: msn and yahoo messenger voice chat
@ 2005-04-12 14:27 Daniel Lopes
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel Lopes @ 2005-04-12 14:27 UTC (permalink / raw)
  To: netfilter

Wennie V. Lagmay wrote:
> Hi all,
> 
> Below are the config I tested and results:
> 
> 1. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SNAT --to-source
> xxx.xxx.85.113-xxx.xxx.85.115
> 2. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -d
> xxx.xxx.85.113 -j MASQUERADE
> 3. IPTABLES -A POSTROUTING -s 192.169.10.0/255.255.255.0 -j MASQUERADE
> 
> config 1, everything is working fine except msn and yahoo messenger voice
> chat.
> config 2, everything is working fine except msn and yahoo messenger voice
> chat.
> config 3, everything is working fine including msn and yahoo messenger voice
> chat, the only problem is that this configuration is not suited to our
> setup. Does anybody have an idea on using config 1 and 2 with msn and yahoo
> messenger voice chat enabled? Or do you have any solution similar to
> config 1 with all features enabled?
> 
> Thank you very much,
> 
> Wennie
> 

Is there something else you use? I tried MSN voice chat behind my router
also using MASQUERADE but it doesn't work because MSN sends the src IP
within the payload and therefore NAT fails.




* Re: msn and yahoo messenger voice chat
  2005-04-12 12:39 ` Jason Opperisano
@ 2005-04-12 14:55   ` Wennie V. Lagmay
  2005-04-12 17:03     ` Jason Opperisano
  2005-04-14  5:11     ` Wennie V. Lagmay
  0 siblings, 2 replies; 10+ messages in thread
From: Wennie V. Lagmay @ 2005-04-12 14:55 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

Hi Jason, just to inform you what I have learned with the configuration from
you.
With this rule:
iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to
xxx.xxx.85.113-xxx.xxx.85.115, it is intermittent, I mean sometimes it
connects to voice but sometimes it doesn't.

With this rule: iptables -t nat -A POSTROUTING -s 192.169.10.0/24  -j
SAME --to  xxx.xxx.85.113
It is ok, it connects all the time, I have not encountered any intermittent
connection. This is ok but one might do some nasty things on the net and then
the single IP might be blocked.

But anyway thank you very much for this great help, I really really
appreciate it.

Regards,

Wennie





* Re: msn and yahoo messenger voice chat
  2005-04-12 14:55   ` Wennie V. Lagmay
@ 2005-04-12 17:03     ` Jason Opperisano
  2005-04-13  5:13       ` Wennie V. Lagmay
  2005-04-14  5:11     ` Wennie V. Lagmay
  1 sibling, 1 reply; 10+ messages in thread
From: Jason Opperisano @ 2005-04-12 17:03 UTC (permalink / raw)
  To: netfilter

On Tue, Apr 12, 2005 at 05:55:13PM +0300, Wennie V. Lagmay wrote:
> Hi Jason, just to inform you what I have learned with the configuration from
> you.
> With this rule:
> iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to
> xxx.xxx.85.113-xxx.xxx.85.115, it is intermittent, I mean sometimes it
> connects to voice but sometimes it doesn't.

try using the "--nodst" option:

  iptables -t nat -A POSTROUTING -s 192.169.10.0/24 \
    -j SAME --nodst --to xxx.xxx.85.113-xxx.xxx.85.115

-j

--
"Stewie: How deliciously evil. It's like something out of Stephen King.
 Stephen King: Now for my 300th novel, a couple... is attacked... by
 a giant lamp monster.
 Editor: You're not even trying anymore are you?"
        --Family Guy



* Re: msn and yahoo messenger voice chat
  2005-04-12 17:03     ` Jason Opperisano
@ 2005-04-13  5:13       ` Wennie V. Lagmay
  0 siblings, 0 replies; 10+ messages in thread
From: Wennie V. Lagmay @ 2005-04-13  5:13 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

Thank you very much, so far it's working fine.

regards,

wennie

* Re: msn and yahoo messenger voice chat
  2005-04-12 14:55   ` Wennie V. Lagmay
  2005-04-12 17:03     ` Jason Opperisano
@ 2005-04-14  5:11     ` Wennie V. Lagmay
  2005-04-14 12:05       ` Jason Opperisano
  1 sibling, 1 reply; 10+ messages in thread
From: Wennie V. Lagmay @ 2005-04-14  5:11 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

Hi Jason,

iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to
xxx.xxx.85.113-xxx.xxx.85.115
iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --nodst --to
xxx.xxx.85.113-xxx.xxx.85.115

the above rules are intermittent, the rule below is working fine.
iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to xxx.xxx.85.113

I'm using iptables version 1.2.9, I'm just wondering if the above intermittent
rules will work fine on the latest iptables version. Do you know the latest and
most stable iptables version?

Thank you very much,

Wennie





* Re: msn and yahoo messenger voice chat
  2005-04-14  5:11     ` Wennie V. Lagmay
@ 2005-04-14 12:05       ` Jason Opperisano
  0 siblings, 0 replies; 10+ messages in thread
From: Jason Opperisano @ 2005-04-14 12:05 UTC (permalink / raw)
  To: netfilter

On Thu, Apr 14, 2005 at 08:11:08AM +0300, Wennie V. Lagmay wrote:
> Hi Jason,
> 
> iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to
> xxx.xxx.85.113-xxx.xxx.85.115
> iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --nodst --to
> xxx.xxx.85.113-xxx.xxx.85.115

that second rule will never be matched.  get rid of the first rule, and
just use the second.

> the above rules are intermittent, the rule below is working fine.
> iptables A POSTROUTING -s 192.169.10.0/24  -j SAME --to xxx.xxx.85.113
> 
> I'm using iptables version 1.2.9, I'm just wondering if the above intermittent
> rules will work fine on the latest iptables version. Do you know the latest and
> most stable iptables version?

the latest version is 1.3.1...my guess is that the most accepted as
stable version would be 1.2.11...but this isn't your problem.

-j

--
"Stewie: It rubs the lotion on its skin or else it gets the hose again."
        --Family Guy
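
An added model (not from the thread and not netfilter's code) of the two points made in the replies above: SAME keyed on source and destination can give one client different pool addresses for different peers, which --nodst avoids, and a nat chain stops at the first rule that matches. The 203.0.113.x pool, the peer addresses and the modulo selection are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the thread's masked pool xxx.xxx.85.113-xxx.xxx.85.115.
POOL = [ipaddress.ip_address(f"203.0.113.{n}") for n in (113, 114, 115)]

def same_pick(src, dst, nodst=False):
    """Simplified model of SAME: a deterministic pick keyed on the client
    address, plus the destination address unless --nodst is given.
    The modulo is an assumption for illustration, not the kernel's code."""
    key = int(ipaddress.ip_address(src))
    if not nodst:
        key += int(ipaddress.ip_address(dst))
    return str(POOL[key % len(POOL)])

def public_ips(src, dsts, nodst=False):
    """Set of public addresses one client presents across several peers."""
    return {same_pick(src, d, nodst) for d in dsts}

def first_match(chain, src):
    """A nat chain is walked top-down for the first packet of a connection;
    the first rule whose match succeeds decides the mapping."""
    addr = ipaddress.ip_address(src)
    for position, (network, target) in enumerate(chain, start=1):
        if addr in ipaddress.ip_network(network):
            return position, target
    return None

# Constructed peers, e.g. a login server and two voice endpoints.
PEERS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
CLIENT = "192.169.10.20"

# The two-rule chain from the 2005-04-14 message: same match, different target.
CHAIN = [("192.169.10.0/24", "SAME"), ("192.169.10.0/24", "SAME --nodst")]

if __name__ == "__main__":
    print("with dst in the key:", sorted(public_ips(CLIENT, PEERS)))
    print("with --nodst:       ", sorted(public_ips(CLIENT, PEERS, nodst=True)))
    print("rule that decides:  ", first_match(CHAIN, CLIENT))
```

In this model a voice session that talks to more than one peer is seen from several public addresses unless --nodst is in effect, and the --nodst rule in second position is never consulted.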

