LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 01-22-2001, 02:08 AM   #1
kdoswald
LQ Newbie
 
Registered: Jan 2001
Location: california
Posts: 5

Rep: Reputation: 0

I am using a Linux-based firewall/router, masquerading all of my internal computers. I can receive files without any problems, but I cannot send files (seems strange to me).
Has anyone had this problem, or found a fix for it?
..Kevin
 
Old 04-19-2001, 11:30 AM   #2
ludogomez
LQ Newbie
 
Registered: Apr 2001
Posts: 3

Rep: Reputation: 0
Hi,

I have the same problem.

If someone has an idea

thanks

Ludo
 
Old 04-23-2001, 04:24 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
I've tested this and have no problems once you use the correct rules in your firewall.

The output rule from your external IP address should allow your IP to send from ports 1023:65535 to destination port 1863 on any IP address.

Your input rule to your external IP address should allow your IP to receive only a SYN flag with a source port of 1863 to a destination port of 1023:65535 from the IP range 64.4.13.0/24.

UDP is not needed, only TCP.

An example of a Linux ipchains rule would look like this (the example external IP address is 64.45.11.23):

ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT

/Raz
 
Old 04-23-2001, 04:29 AM   #4
ludogomez
LQ Newbie
 
Registered: Apr 2001
Posts: 3

Rep: Reputation: 0
Thumbs up

Hi,

Thanks for your response, I'll try this.

Bye

Ludo
 
Old 04-23-2001, 04:47 PM   #5
smurf
Member
 
Registered: Apr 2001
Posts: 113

Rep: Reputation: 15
Question: this may sound dumb

I don't use Messenger myself; my little brother uses it, so I don't know how it works.

This external IP address in the example, is it the address of the machine you are talking to, or the MSN server?

Have Fun

 
Old 04-24-2001, 03:29 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Yeah, MSN's servers route the messages from one of the IP addresses in the 64.4.13.0/24 subnet.

It then uses its port 1863 to talk back to your system's non-privileged port <1023, once you have started the connection.

You only need to worry about incoming connections as you control the outgoing, so the example lets you go out to any server on that port number, but only accepts the MSN servers' subnet as incoming.

/Raz
 
Old 04-24-2001, 03:35 AM   #7
ludogomez
LQ Newbie
 
Registered: Apr 2001
Posts: 3

Rep: Reputation: 0
Thanks for your response.

I have a Half-Life server, and I can't play on my Windows PC but the others do. I think it's the same problem.

Does anyone know the IP address of the MSN server?

Thanks again.

Ludo

Excuse my English, I'm French.

 
Old 04-24-2001, 04:15 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
MSN uses about 30 servers for its message system, so you have to allow the whole subnet of 64.4.13.0 access in on port 1863.

If you're running a Half-Life server, then when you set up the port it will default to the standard Counter-Strike port of 27015; you'll need to allow external people access to this port number and connections back to their client on a port higher than 1023.

Also allow ICMP echo request messages, or people will join your server thinking it's the fastest one on the net and have no way of knowing the ping times.

If I didn't understand you and you want to connect to a HL server, then you'll need to allow port 27015 access out and the WON server's IP address and port number, including UDP access, for your ID to work.

/Raz
 
Old 06-18-2001, 09:53 AM   #9
Rod Upfold
LQ Newbie
 
Registered: Jun 2001
Posts: 6

Rep: Reputation: 0
MSN ipchains

ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT

..trying to understand...hmmmmmm

I am running a LAN with 192.168.xxx.xxx.

This ipchains rule is a copy of "razbot" ipchains from Apr 2001.

The 64.45.11.23: would that be my gateway IP address, which is 192.168.0.1?

Also, in the "input" ipchains rule... is it a ! (looks like !) or is it a |?

Thank You

Rod
 
Old 06-18-2001, 10:07 AM   #10
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Hi Rod,

It looks ok. "Yes, it's a !!!!!! not a ||||||"

Make sure your internal IP can also talk to the external IP in the firewall rules; also I guess you're doing NAT.

eth0 = 192.168.xxx.67 "example"
eth0:0 = 64.45.11.23 "gateway ip"
so I would use:

# Allow NAT for all IP internal
ipchains -A forward -s 192.168.xxx.0/24 -j MASQ
# allow my client access to firewalls input/output chains
ipchains -A input -i eth0 -s 192.168.xxx.67 -j ACCEPT
ipchains -A output -i eth0 -d 192.168.xxx.67 -j ACCEPT
# allow MSN trusted servers only.
ipchains -A output -p tcp -s 64.45.11.23 1023:65535 --dport 1863 -j ACCEPT
ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d 64.45.11.23 1023:65535 -j ACCEPT
# Don't forget to stop spoofing etc etc etc
ipchains -A input -i eth0:0 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 172.16.0.0/12 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 192.168.0.0/16 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0:0 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth0:0 -d 0.0.0.0 -j DENY -l


/Raz
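To make the behaviour of raz's rules concrete (the MSN pair from post #3 and the NAT/anti-spoof set in this post), here is an added Python model of ipchains first-match evaluation; it is illustration written for this page, not ipchains itself or the poster's code. It assumes a DENY policy on each chain, raz's example address 64.45.11.23 on eth0:0, and that a "bare SYN" means SYN set with ACK and FIN clear, which is what ipchains `-y` matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)

@dataclass
class Rule:                         # one "ipchains -A <chain> ..." line
    chain: str
    proto: Optional[str] = None     # -p tcp, or None for any protocol
    iface: Optional[str] = None     # -i eth0:0, or None for any interface
    src: str = "0.0.0.0/0"          # -s address/mask
    sport: Tuple[int, int] = ANY_PORT   # source port range (low, high)
    dst: str = "0.0.0.0/0"          # -d address/mask
    dport: Tuple[int, int] = ANY_PORT   # --dport range
    not_syn: bool = False           # "! -y": match only packets that are NOT a bare SYN
    target: str = "ACCEPT"          # -j ACCEPT / DENY

@dataclass
class Packet:                       # constructed sample traffic, not a real capture
    chain: str
    proto: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False          # SYN set, ACK/FIN clear: a new connection attempt

def matches(r: Rule, p: Packet) -> bool:
    return (r.chain == p.chain
            and (r.proto is None or r.proto == p.proto)
            and (r.iface is None or r.iface == p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src, strict=False)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst, strict=False)
            and r.sport[0] <= p.sport <= r.sport[1]
            and r.dport[0] <= p.dport <= r.dport[1]
            and not (r.not_syn and p.syn_only))

def verdict(rules: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy (assumed DENY)."""
    for r in rules:
        if matches(r, p):
            return r.target
    return policy

EXT = "64.45.11.23"   # the thread's example external address on eth0:0
RULES = [             # transcribed from raz's post: MSN pair plus one anti-spoof line
    Rule("output", "tcp", src=EXT, sport=(1023, 65535), dport=(1863, 1863)),
    Rule("input", "tcp", src="64.4.13.0/24", sport=(1863, 1863), dst=EXT,
         dport=(1023, 65535), not_syn=True),
    Rule("input", iface="eth0:0", src="192.168.0.0/16", target="DENY"),
]
```

The `! -y` rule admits reply segments from the MSN subnet but refuses a fresh SYN from it, so nothing can open a connection inward through that rule, and the anti-spoof line drops private-range sources arriving on the external interface before anything else is consulted.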




 
Old 06-18-2001, 11:16 AM   #11
Rod Upfold
LQ Newbie
 
Registered: Jun 2001
Posts: 6

Rep: Reputation: 0
One More Question - RAZ

Thank you for answering my first question so quickly...

In my router machine (I am using an LRP)... I am using two NICs:

eth0....attached to the DSL modem
eth1....attached to internal LAN

In your answer you list eth0 and eth0:0


Is my eth0 = your eth0

and

Is my eth1 = your eth0:0

Thanks again for the previous fast answer with so much info..

Rod
 
Old 06-18-2001, 11:40 AM   #12
Rod Upfold
LQ Newbie
 
Registered: Jun 2001
Posts: 6

Rep: Reputation: 0
One More Question - RAZ

Thank you for answering my question in such detail...


I am using an LRP for my router

eth0 connected to the DSL modem
eth1 connected to internal LAN

You used eth0 and eth0:0

Does my eth0 = your eth0

and

Does my eth1 = your eth0:0


Thanks again


Rod
 
Old 06-19-2001, 03:12 AM   #13
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Yes,

I'm using a system with 1 network card and 2 virtual network interfaces.

Works just as well as two cards but you can't see any physical separation of the firewall so it's easy to unplug something.

/raz

yours
eth0:0 = eth1
eth0 = eth0
 
Old 06-19-2001, 06:53 AM   #14
Rod Upfold
LQ Newbie
 
Registered: Jun 2001
Posts: 6

Rep: Reputation: 0
Thanks again


Rod
 
Old 06-19-2001, 09:53 AM   #15
smurf
Member
 
Registered: Apr 2001
Posts: 113

Rep: Reputation: 15
I have tried this set of rules above and I can't send files. Does this set of rules work for anyone?

192.168.1.3 = MY WIN98 PC
192.168.1.1 = LINUX SERVER ETH0
XXX.XXX.XXX.XXX = SERVERS INTERNET IP ETH1

/sbin/ipchains -F
# Allow NAT for all IP internal
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
# allow my client access to firewalls input/output chains
/sbin/ipchains -A input -i eth0 -s 192.168.1.3 -j ACCEPT
/sbin/ipchains -A output -i eth0 -d 192.168.1.3 -j ACCEPT
# allow MSN trusted servers only.
/sbin/ipchains -A output -p tcp -s xxx.xxx.xxx.xxx 1023:65535 --dport 1863 -j ACCEPT
/sbin/ipchains -A input -p tcp ! -y -s 64.4.13.0/24 --sport 1863 -d xxx.xxx.xxx.xxx 1023:65535 -j ACCEPT
# Don't forget to stop spoofing etc etc etc
/sbin/ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 172.16.0.0/12 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 192.168.0.0/16 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j DENY -l
/sbin/ipchains -A input -i eth1 -s 255.255.255.255 -j DENY -l
/sbin/ipchains -A input -i eth1 -d 0.0.0.0 -j DENY -l

I must admit it's driving me nuts not being able to send files.

Can anyone stop the suffering?

Cheers


________________________
Have Fun

 