Re: [GnomeMeeting-list] Problems talking to Net Meeting 3.0



>>>>> "Kilian" == Kilian Krause <kk verfaction de> writes:

    >> So I guess there must be something wrong with the firewalling.
    >> I'm forwarding all the ports as mentioned in the FAQ. What else
    >> can I do to track the problem down?

    Kilian> So far we've only very vague information about your
    Kilian> network topology.  Please make sure that from the
    Kilian> [unfirewalled] external IP (ports must be open) to your
    Kilian> internal IP all gnomemeeting ports are forwarded.  You can
    Kilian> see the external IP by connecting to
    Kilian> http://seconix.com/ip/ .  The machine connected to the
    Kilian> internet with that IP is your gateway that needs
    Kilian> adjustment. If then a connection to another GM is doing
    Kilian> fine, you're set up all right and the problem is on the
    Kilian> NetMeeting side.

Well, I'm using narc to configure IPTABLES for me. Looking at the
command it produces, the PREROUTING and POSTROUTING commands are not
exactly the same as in the FAQ. I don't know what significance this
might have.

I added some echo statements to the output of narc, so I get the
following output (the lines at the bottom are (I think) the only
relevant bits):
Does this look OK to you?
My (static) IP address of my firewall machine is 80.177.30.27 and my
user machine has an IP address of 10.0.1.5

Starting iptables
narc (Netfilter Automatic Rule Configurator) v0.6.3
Initializing firewall (iptables)
Turning off IP forwarding (will automatically re-enable if you turned on masquerading): OK
Disable ICMP echo-request to broadcast addresses (anti-smurf): OK
Disabling source-routed packet support: [ /proc/sys/net/ipv4/conf/all - OK ] [ /proc/sys/net/ipv4/conf/default - OK ] [ /proc/sys/net/ipv4/conf/eth0 - OK ] [ /proc/sys/net/ipv4/conf/eth1 - OK ] [ /proc/sys/net/ipv4/conf/lo - OK ] [ /proc/sys/net/ipv4/conf/ppp0 - OK ] 
Enabling ingress filtering (level 2) via rp_filter on interface: [ /proc/sys/net/ipv4/conf/all - OK ] [ /proc/sys/net/ipv4/conf/default - OK ] [ /proc/sys/net/ipv4/conf/eth0 - OK ] [ /proc/sys/net/ipv4/conf/eth1 - OK ] [ /proc/sys/net/ipv4/conf/lo - OK ] [ /proc/sys/net/ipv4/conf/ppp0 - OK ] 
Log Martians on interface: [ /proc/sys/net/ipv4/conf/all - OK ] [ /proc/sys/net/ipv4/conf/default - OK ] [ /proc/sys/net/ipv4/conf/eth0 - OK ] [ /proc/sys/net/ipv4/conf/eth1 - OK ] [ /proc/sys/net/ipv4/conf/lo - OK ] [ /proc/sys/net/ipv4/conf/ppp0 - OK ] 
TCP Explicit Congestion Notification: DISABLED
Loading module: 
Flushing/deleting chains 
Setting default policies: 
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Creating chains: SPOOF_CHK SANITY_CHK STATE_CHK TCP_CHK UDP_CHK ICMP_CHK CUST_LOG 
Dropping Broadcasts on ppp0 to: 0.0.0.0/8 255.255.255.255 224.0.0.0/4 
Dropping Broadcasts on eth1 to: 0.0.0.0/8 255.255.255.255 224.0.0.0/4 
Dropping Broadcasts on eth0 to: 0.0.0.0/8 255.255.255.255 224.0.0.0/4 
Enabling spoof checking on ppp0 for reserved network(s): 127.0.0.0/8 240.0.0.0/5 248.0.0.0/5 
Enabling spoof checking on ppp0 for private network(s): 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 
Enabling checking for illegal TCP flag types: SYN,FIN PSH,FIN SYN,ACK,FIN SYN,FIN,PSH SYN,FIN,RST SYN,FIN,RST,PSH SYN,FIN,ACK,RST SYN,ACK,FIN,RST,PSH ALL 
Allow LAN connections on eth1 TCP ports: domain
Allow external connections on ppp0 UDP ports: ntp
Allow LAN connections on eth1 UDP ports: domain,ntp
Allow DMZ connections on eth0 UDP ports: domain,ntp
Enabling ICMP message types: echo-reply network-unreachable host-unreachable port-unreachable fragmentation-needed time-exceeded 
Enabling probable probe logging [TCP]: 23,81,111,123,161,445,515,555,1234,1241,1243,1433,1494,2049,3306,3128,3389,5631,5632,6635,8080,9055,12345,24452,27374,27573,31337,42484
Enabling probable probe logging [UDP]: 22,161,1025,3283,5634,5882,28431,31337,31789
Enabling logging for all dropped packets
Enabling IP forwarding: OK
Enabling network masquerading: 
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 22 -j DNAT --to 10.0.1.5:22
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 22 -j ACCEPT
Forwarding tcp 80.177.30.27:22 to 10.0.1.5:22
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 80 -j DNAT --to 10.0.1.5:80
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 80 -j ACCEPT
Forwarding tcp 80.177.30.27:80 to 10.0.1.5:80
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 38451 -j DNAT --to 10.0.1.5:38451
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 38451 -j ACCEPT
Forwarding tcp 80.177.30.27:38451 to 10.0.1.5:38451
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p udp -d 80.177.30.27 --dport 38451 -j DNAT --to 10.0.1.5:38451
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p udp -m state --state NEW -d 10.0.1.5 --dport 38451 -j ACCEPT
Forwarding udp 80.177.30.27:38451 to 10.0.1.5:38451
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 1720 -j DNAT --to 10.0.1.5:1720
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 1720 -j ACCEPT
Forwarding tcp 80.177.30.27:1720 to 10.0.1.5:1720
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 30000:30010 -j DNAT --to 10.0.1.5:30000:30010
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 30000:30010 -j ACCEPT
Forwarding tcp 80.177.30.27:30000:30010 to 10.0.1.5:30000:30010
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p udp -d 80.177.30.27 --dport 5000:5007 -j DNAT --to 10.0.1.5:5000:5007
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p udp -m state --state NEW -d 10.0.1.5 --dport 5000:5007 -j ACCEPT
Forwarding udp 80.177.30.27:5000:5007 to 10.0.1.5:5000:5007
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p udp -d 80.177.30.27 --dport 5010:5013 -j DNAT --to 10.0.1.5:5010:5013
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p udp -m state --state NEW -d 10.0.1.5 --dport 5010:5013 -j ACCEPT
Forwarding udp 80.177.30.27:5010:5013 to 10.0.1.5:5010:5013
Finished firewall (iptables) initialization
  done

-- 
Colin Paul Adams
Preston Lancashire
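
Added example, not part of the original message and not narc's own code: a small audit that pairs each DNAT rule in output like the above with its FORWARD ACCEPT rule. With the FORWARD policy set to DROP, a redirected port that has no FORWARD rule is silently dropped. The script also flags `--to` port ranges written with `:` because iptables(8) documents the DNAT target as `ipaddr[:port[-port]]`. The names `parse_rule`, `audit` and `SAMPLE` are hypothetical, and the sample lines are constructed.

```python
# Constructed sample in the narc style above; the last DNAT has no FORWARD rule.
SAMPLE = """\
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 1720 -j DNAT --to 10.0.1.5:1720
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p tcp -m state --state NEW --syn -d 10.0.1.5 --dport 1720 -j ACCEPT
Forwarding tcp 80.177.30.27:1720 to 10.0.1.5:1720
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p udp -d 80.177.30.27 --dport 5000:5007 -j DNAT --to 10.0.1.5:5000:5007
/sbin/iptables -A FORWARD -i ppp0 -o eth1 -p udp -m state --state NEW -d 10.0.1.5 --dport 5000:5007 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i ppp0 -p tcp -d 80.177.30.27 --dport 30000:30010 -j DNAT --to 10.0.1.5:30000:30010
"""

def parse_rule(line):
    """Map each option of an iptables command line to its value (or True)."""
    tokens = line.split()
    if not tokens or not tokens[0].endswith("iptables"):
        return None  # echo/status lines are skipped
    opts, i = {}, 1
    while i < len(tokens):
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        opts[tokens[i]] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def audit(text):
    """Return (proto, external_port, target, [problems]) for each DNAT rule."""
    dnat, forward = [], set()
    for line in text.splitlines():
        r = parse_rule(line)
        if not r:
            continue
        if r.get("-A") == "PREROUTING" and r.get("-j") == "DNAT":
            dnat.append(r)
        elif r.get("-A") == "FORWARD" and r.get("-j") == "ACCEPT":
            forward.add((r.get("-p"), r.get("-d"), r.get("--dport")))
    report = []
    for r in dnat:
        target = r.get("--to") or r.get("--to-destination", "")
        host, _, ports = target.partition(":")
        problems = []
        if ":" in ports:
            # iptables(8): DNAT --to-destination takes ipaddr[:port[-port]]
            problems.append("--to range written with ':' instead of '-'")
        if (r.get("-p"), host, ports.replace("-", ":")) not in forward:
            problems.append("no matching FORWARD ACCEPT rule")
        report.append((r.get("-p"), r.get("--dport"), target, problems))
    return report

if __name__ == "__main__":
    for proto, ext, target, problems in audit(SAMPLE):
        print(proto, ext, "->", target, "; ".join(problems) or "ok")
```
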


