04-25-2012, 04:49 PM
Bill Sun

Google Voice through iptables?

Hi,

I just tried to use google voice to contact someone, after 2 'dialing
sounds', I couldn't hear anything. After I stopped iptables, I can make
phone calls via google voice successfully.

I searched the web, and found 2 possible solutions: [1] and [2]. Then I
added iptables rules according to their instructions, but none of them
worked.

Also, I noticed that my browser just kept trying to receive/send data to
relay.google.com (Waiting for relay.google.com)

How to configure iptables so I can use google voice with iptables
enabled?

[1]: http://support.google.com/talk/bin/answer.py?hl=en&answer=27930
[2]: http://juberti.blogspot.com/2010/08/google-voice-and-video-enterprise.html

(see attachment for my iptables.rules)

Regards,
Bill

*filter
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

-A INPUT -p udp --sport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT

-A INPUT -p tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j ACCEPT

# ftp MUST die!
-A INPUT -p tcp -m multiport --sports 20,21 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 20,21 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 1024: --dport 1024: -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED --sport 1024: --dport 1024: -j ACCEPT

# HTTP & HTTPS
-A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# NTP
-A INPUT -p udp --sport 123 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT

# GIT
-A INPUT -p tcp --sport 9418 -j ACCEPT
-A OUTPUT -p tcp --dport 9418 -j ACCEPT

# POP3/S
-A INPUT -p tcp --sport 110 -j ACCEPT
-A OUTPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --sport 995 -j ACCEPT
-A OUTPUT -p tcp --dport 995 -j ACCEPT

# Gmail
-A INPUT -p tcp --sport 587 -j ACCEPT
-A OUTPUT -p tcp --dport 587 -j ACCEPT

# Google Voice (not working)
-A INPUT -p udp --sport 19295 -j ACCEPT
-A OUTPUT -p udp --dport 19302 -j ACCEPT
-A INPUT -p udp --sport 19295 -j ACCEPT
-A OUTPUT -p udp --dport 19302 -j ACCEPT

COMMIT
 
04-25-2012, 04:59 PM
Sergio Correia

I haven't written any iptables rules in like 5-6 years, so I barely
remember. I am gonna wait for an expert to chime in and correct this,
as I am also interested in it, but by looking at the document you
provided [1], I'd think it's something along the following lines
(probably a similar INPUT rule should be added, not sure..):

* Enable UDP connections to anywhere on any port; or
-A OUTPUT -p udp -j ACCEPT

* Enable TCP connections to anywhere on port 443.
-A OUTPUT -p tcp --dport 443 -j ACCEPT


On Wed, Apr 25, 2012 at 12:49 PM, Bill Sun <cap.sensitive@gmail.com> wrote:
> Hi,
>
> I just tried to use google voice to contact someone, after 2 'dialing
> sounds', I couldn't hear anything. After I stopped iptables, I can make
> phone calls via google voice successfully.
>
> I searched the web, and found 2 possible solutions: [1] and [2]. Then I
> added iptables rules according to their instructions, but none of them
> worked.
>
> Also, I noticed that my browser just kept trying to receive/send data to
> relay.google.com (Waiting for relay.google.com)
>
> How to configure iptables so I can use google voice with iptables
> enabled?
>
> [1]: http://support.google.com/talk/bin/answer.py?hl=en&answer=27930
> [2]: http://juberti.blogspot.com/2010/08/google-voice-and-video-enterprise.html
>
> (see attachment for my iptables.rules)
>
> Regards,
> Bill
 
04-25-2012, 05:35 PM
Leonid Isaev

On Thu, 26 Apr 2012 00:49:50 +0800
Bill Sun <cap.sensitive@gmail.com> wrote:

> Hi,
>
> I just tried to use google voice to contact someone, after 2 'dialing
> sounds', I couldn't hear anything. After I stopped iptables, I can make
> phone calls via google voice successfully.
>
> I searched the web, and found 2 possible solutions: [1] and [2]. Then I
> added iptables rules according to their instructions, but none of them
> worked.
>
> Also, I noticed that my browser just kept trying to receive/send data to
> relay.google.com (Waiting for relay.google.com)
>
> How to configure iptables so I can use google voice with iptables
> enabled?
>
> [1]: http://support.google.com/talk/bin/answer.py?hl=en&answer=27930
> [2]:
> http://juberti.blogspot.com/2010/08/google-voice-and-video-enterprise.html
>
> (see attachment for my iptables.rules)
>
> Regards,
> Bill

Assuming you are running a desktop machine, why would you want to DROP by
default all outgoing traffic? AFAICT google voice app makes your browser
establish some UDP connections + https. So here are a few observations regarding
your ruleset:
1. Default policy for OUTPUT should be ACCEPT and all following OUTPUT
rules should be removed. Also, default DROP policy for INPUT is just impolite
-- use REJECT instead.
2. Unless you have a good understanding of ICMP (which is way more than ping),
all icmp should be allowed (please don't tell me about pings of death or DoS
because of ping floods).
3. You really have to start differentiating between NEW and other connections.

Here is a simple ruleset for a desktop with only printer sharing:

# Generated by iptables-save v1.4.8 on Fri Aug 27 18:18:35 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]

-A LOGGING -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "firewall: " --log-level 6 --log-ip-options --log-uid
-A LOGGING -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT

-A INPUT -s 172.16.0.0/12 -i eth0 -j LOGGING
-A INPUT -s 192.168.0.0/16 -i eth0 -j LOGGING
-A INPUT -s 127.0.0.0/8 -i eth0 -j LOGGING
-A INPUT -f -j DROP
-A INPUT -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGGING

-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j LOGGING

-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOGGING

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j LOGGING
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Fri Aug 27 18:18:35 2010

--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
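
An added example, not part of the original thread or either poster's code: a small Python check for point 3 above. It lists INPUT rules that ACCEPT on a remote source port with no state match, which admit any packet carrying that source port whether or not this host opened the connection. The sample ruleset is constructed from lines of the two rulesets posted above, and the function names are hypothetical.

```python
import shlex

# Constructed sample: INPUT rules taken from the two rulesets in this thread.
SAMPLE_RULES = """\
*filter
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 1024: --dport 1024: -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

STATE_FLAGS = {"--state", "--ctstate"}
SPORT_FLAGS = {"--sport", "--source-port", "--sports", "--source-ports"}


def parse_rule(line):
    """Return (chain, {flag: first value}) for an '-A' line, else None."""
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    opts = {}
    for i, tok in enumerate(tokens[2:], start=2):
        if tok.startswith("-") and len(tok) > 1:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok] = "" if nxt.startswith("-") else nxt
    return tokens[1], opts


def stateless_sport_accepts(ruleset):
    """List (line number, rule) for INPUT ACCEPT rules keyed on source port only."""
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, opts = parsed
        if chain != "INPUT" or opts.get("-j") != "ACCEPT":
            continue
        if opts.keys() & SPORT_FLAGS and not opts.keys() & STATE_FLAGS:
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, rule in stateless_sport_accepts(SAMPLE_RULES):
        print(f"line {lineno}: no state match: {rule}")
```

With a single `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` rule and OUTPUT set to ACCEPT, the flagged per-port INPUT rules become unnecessary.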
 
04-25-2012, 05:42 PM
Leonid Isaev

On Thu, 26 Apr 2012 00:49:50 +0800
Bill Sun <cap.sensitive@gmail.com> wrote:

> Hi,
>
> I just tried to use google voice to contact someone, after 2 'dialing
> sounds', I couldn't hear anything. After I stopped iptables, I can make
> phone calls via google voice successfully.
>
> I searched the web, and found 2 possible solutions: [1] and [2]. Then I
> added iptables rules according to their instructions, but none of them
> worked.
>
> Also, I noticed that my browser just kept trying to receive/send data to
> relay.google.com (Waiting for relay.google.com)
>
> How to configure iptables so I can use google voice with iptables
> enabled?
>
> [1]: http://support.google.com/talk/bin/answer.py?hl=en&answer=27930
> [2]:
> http://juberti.blogspot.com/2010/08/google-voice-and-video-enterprise.html
>
> (see attachment for my iptables.rules)
>
> Regards,
> Bill

Oh, and I almost forgot the mandatory "See the wiki:
https://wiki.archlinux.org/index.php/Iptables"

--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
 
04-26-2012, 02:56 AM
Bill Sun

On Wed, Apr 25, 2012 at 12:35:46PM -0500, Leonid Isaev wrote:
> Assuming you are running a desktop machine, why would you want to DROP by
> default all outgoing traffic? AFAICT google voice app makes your browser
> establish some UDP connections + https. So here are a few observations regarding
> your ruleset:
> 1. Default policy for OUTPUT should be ACCEPT and all following OUTPUT
> rules should be removed. Also, default DROP policy for INPUT is just impolite
> -- use REJECT instead.
> 2. Unless you have a good understanding of ICMP (which is way more than ping),
> all icmp should be allowed (please don't tell me about pings of death or DoS
> because of ping floods).
Good points. I've made changes according to your instructions.

> 3. You really have to start differentiating between NEW and other connections.
>
 
04-26-2012, 03:28 PM
Leonid Isaev

On Thu, 26 Apr 2012 10:56:47 +0800
Bill Sun <cap.sensitive@gmail.com> wrote:

> On Wed, Apr 25, 2012 at 12:35:46PM -0500, Leonid Isaev wrote:
> > Assuming you are running a desktop machine, why would you want to DROP by
> > default all outgoing traffic? AFAICT google voice app makes your browser
> > establish some UDP connections + https. So here are a few observations
> > regarding your ruleset:
> > 1. Default policy for OUTPUT should be ACCEPT and all following OUTPUT
> > rules should be removed. Also, default DROP policy for INPUT is just
> > impolite -- use REJECT instead.
> > 2. Unless you have a good understanding of ICMP (which is way more than
> > ping), all icmp should be allowed (please don't tell me about pings of
> > death or DoS because of ping floods).
> Good points. I've made changes according to your instructions.
>

So... does your GV work now?

--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
 
04-27-2012, 05:05 PM
Bill Sun

On Thu, Apr 26, 2012 at 10:28:00AM -0500, Leonid Isaev wrote:
> On Thu, 26 Apr 2012 10:56:47 +0800
> Bill Sun <cap.sensitive@gmail.com> wrote:
>
> So... does your GV work now?
Yes! (Oops, I forgot to mention that...)

Thanks.
 

All times are GMT.