LinuxQuestions.org

LinuxQuestions.org > Linux - Networking > Googleplus Hangouts through ipTables Firewall
(http://www.linuxquestions.org/questions/linux-networking-3/googleplus-hangouts-through-iptables-firewall-924270/)

pawprint_net 01-17-2012 12:10 PM

Googleplus Hangouts through ipTables Firewall
 
I have a consistent problem using Google+ Hangouts that I believe is related to my iptables NAT firewall with 2 internal subnets. If anyone has any tips I would really appreciate it.

I can use the audio portion of a hangout just fine but when I try to add video the bandwidth seems to die completely and nobody can understand anything anymore.
  • This is on a 20 Mb/1.5 Mb cable connection (confirmed with speed tests)
  • Internal network is all Gig-E
  • Tried from Macs and PCs on the inside of the firewall (fast/new systems)
  • Tried in Chrome, Safari, Firefox, and IE 8/9
  • Tried with different webcams

(unrelated? my Skype file-transfers outgoing have always been VERY slow too - incoming are very fast)

I believe the firewall isn't allowing the UDP traffic through - I have tried to add specific forwards for that but I can't tell if GPlus is using them or not. This (again I believe) is forcing GPlus chat to use TCP and that might be the problem. Has anyone got a successful configuration working for this or can offer any tips?

xylos 01-17-2012 11:43 PM

What more can you tell us about the firewall? Is it stateful? Built into your router? A dedicated machine?

Is it only being handled client-side by iptables? If so, can you post the results of the following command?

# iptables --list

(I'm assuming you're only using IPv4 here)

pawprint_net 01-19-2012 03:33 PM

This is just client-side iptables (not stateful) on a dedicated CentOS 6 machine; the machine is the router.


Here is the iptables list:

You'll see the lines about ports 19305:19309 (I recently added those as an attempt to help GChat get through, but I don't think they are doing anything).
Code:

# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
usr-if    all  --  anywhere            anywhere           
svr-if    all  --  anywhere            anywhere           
net-if    all  --  anywhere            anywhere           
tun-if    all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-2-INPUT-DROPOFF:'
DROP      all  --  anywhere            anywhere           

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       
usr-svr    all  --  anywhere            anywhere           
svr-usr    all  --  anywhere            anywhere           
usr-net    all  --  anywhere            anywhere           
svr-net    all  --  anywhere            anywhere           
net-usr    all  --  anywhere            anywhere           
net-svr    all  --  anywhere            anywhere           
usr-svr    all  --  anywhere            anywhere           
usr-svr    all  --  anywhere            anywhere           
svr-if    all  --  anywhere            anywhere           
usr-if    all  --  anywhere            anywhere           
usr-if    all  --  anywhere            anywhere           
svr-if    all  --  anywhere            anywhere           
net-if    all  --  anywhere            anywhere           
tun-if    all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-2-FORWARD-DROPOFF:'
DROP      all  --  anywhere            anywhere           

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
general_out_deny  all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           

Chain general_in_accept (3 references)
target    prot opt source              destination       
icmp-acc  icmp --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED
ACCEPT    all  --  anywhere            anywhere            state RELATED

Chain general_out_deny (3 references)
target    prot opt source              destination       
LOG        tcp  --  anywhere            anywhere            tcp spt:ipcserver limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_DROP-pcserver:'
DROP      tcp  --  anywhere            anywhere            tcp spt:ipcserver
LOG        tcp  --  anywhere            anywhere            tcp spt:17027 limit: avg 1/min burst 5 LOG level info prefix `FW-3-OUT_DROP-adbot:'
REJECT    tcp  --  anywhere            anywhere            tcp spt:17027 reject-with icmp-port-unreachable
LOG        tcp  --  anywhere            anywhere            tcp spt:sunrpc limit: avg 1/min burst 5 LOG level info prefix `FW-8-OUT_REJECT-portmap:'
REJECT    tcp  --  anywhere            anywhere            tcp spt:sunrpc reject-with icmp-port-unreachable
LOG        tcp  --  anywhere            anywhere            tcp spt:login limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-rwho:'
REJECT    tcp  --  anywhere            anywhere            tcp spt:login reject-with icmp-port-unreachable
LOG        tcp  --  anywhere            anywhere            tcp spt:xdmcp limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-xdmcp:'
REJECT    tcp  --  anywhere            anywhere            tcp spt:xdmcp reject-with icmp-port-unreachable
LOG        tcp  --  anywhere            anywhere            tcp spt:x11 limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_REJECT-xwindows:'
REJECT    tcp  --  anywhere            anywhere            tcp spt:x11 reject-with icmp-port-unreachable

Chain icmp-acc (1 references)
target    prot opt source              destination       
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp destination-unreachable
ACCEPT    icmp --  anywhere            anywhere            icmp source-quench
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
ACCEPT    icmp --  anywhere            anywhere            icmp parameter-problem
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request limit: avg 1/sec burst 5

Chain log_accept (0 references)
target    prot opt source              destination       

Chain net-if (2 references)
target    prot opt source              destination       
general_in_accept  all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            **myhostname** tcp spt:domain
ACCEPT    udp  --  anywhere            **myhostname** udp spt:domain
LOG        icmp --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-ICMP:'
DROP      icmp --  anywhere            anywhere           
DROP      tcp  --  anywhere            **myhostname** tcp dpt:domain
DROP      udp  --  anywhere            **myhostname** udp dpt:domain
LOG        tcp  --  anywhere            anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET_IF_ACCEPT-NEW-ssh:'
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    udp  --  anywhere            anywhere            udp dpts:openvpn:rsf-1
LOG        tcp  --  anywhere            anywhere            tcp dpt:telnet limit: avg 1/min burst 5 LOG level info prefix `FW-5-NET_IF_DROP-telnet:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:telnet
LOG        tcp  --  anywhere            anywhere            tcp dpt:smtp limit: avg 1/min burst 5 LOG level info prefix `FW-8-NET_IF_DROP-smtp:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:smtp
LOG        tcp  --  anywhere            anywhere            tcp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:0
LOG        udp  --  anywhere            anywhere            udp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:'
DROP      udp  --  anywhere            anywhere            udp dpt:0
LOG        tcp  --  anywhere            anywhere            tcp dpt:serialgateway limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-sub7:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:serialgateway
LOG        tcp  --  anywhere            anywhere            tcp dpt:systat limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-syssat:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:systat
LOG        tcp  --  anywhere            anywhere            tcp dpt:finger limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-finger:'
DROP      tcp  --  anywhere            anywhere            tcp dpt:finger
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-3-NET_IF_DROP:'
DROP      all  --  anywhere            anywhere           

Chain net-svr (1 references)
target    prot opt source              destination       
general_in_accept  all  --  anywhere            anywhere           
special-svr-accept  all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            192.168.1.4        tcp dpt:http
ACCEPT    tcp  --  anywhere            192.168.1.17        tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere            tcp dpts:19305:19309
ACCEPT    udp  --  anywhere            anywhere            udp dpts:19305:19309
ACCEPT    tcp  --  anywhere            192.168.1.17        tcp dpt:webcache
LOG        tcp  --  anywhere            192.168.1.4        tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET-SVR_ACCEPT-NEW-ssh:'
ACCEPT    tcp  --  anywhere            192.168.1.4        tcp dpt:ssh
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-SVR:'
DROP      all  --  anywhere            anywhere           

Chain net-usr (1 references)
target    prot opt source              destination       
general_in_accept  all  --  anywhere            anywhere           
special-accept  all  --  anywhere            anywhere           
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:31299
ACCEPT    udp  --  anywhere            anywhere            udp dpt:31299
ACCEPT    tcp  --  anywhere            anywhere            tcp dpts:19305:19309
ACCEPT    udp  --  anywhere            anywhere            udp dpts:19305:19309
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-USR:'
DROP      all  --  anywhere            anywhere           

Chain special-accept (1 references)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            192.168.0.12        tcp dpt:35241
ACCEPT    udp  --  anywhere            192.168.0.12        udp dpt:35241

Chain special-svr-accept (1 references)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            192.168.1.16        tcp dpt:14412
ACCEPT    udp  --  anywhere            192.168.1.16        udp dpt:14412

Chain svr-if (3 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain svr-net (1 references)
target    prot opt source              destination       
general_out_deny  all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           

Chain svr-usr (1 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain tun-if (2 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain usr-if (3 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           

Chain usr-net (1 references)
target    prot opt source              destination       
general_out_deny  all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           

Chain usr-svr (3 references)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere
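
The listing above is the filter table only (`iptables --list` does not show the nat table, so the MASQUERADE/DNAT rules are not visible), and without `-v -n` it prints neither the interface matches that decide which of the `usr-net`/`net-usr`/… chains a packet enters nor the per-rule hit counters that would show whether the 19305:19309 rules are ever used. The chain-walk logic itself can still be reasoned about: `general_in_accept` matches `state ESTABLISHED`/`RELATED`, so reply traffic is connection-tracked, and a fresh inbound UDP packet is accepted only if a later rule in its chain names its port. The following script is an added example, not code from the thread; it parses the posted `iptables --list` text (the `net-usr` chain and the chains it jumps to, copied from the post) and replays iptables semantics over it: rules are tested top to bottom, ACCEPT/DROP/REJECT are terminating, LOG is not, and a user-defined chain returns to its caller when it runs out of rules. The packets fed to it are constructed.

```python
"""Replay iptables chain-walk semantics over an `iptables --list` dump.

Added example, not from the thread. Rules are tried top to bottom; ACCEPT/DROP/
REJECT end the walk, LOG never does, and a jump into a user-defined chain
returns to the caller when that chain runs out of rules. LISTING is net-usr
from the post plus the chains it jumps to; `-L` without `-v` hides interface
and counter columns, so which top-level chain a packet enters is not modelled.
"""
import re
from dataclasses import dataclass

LISTING = """\
Chain general_in_accept (3 references)
target    prot opt source              destination
icmp-acc  icmp --  anywhere            anywhere
ACCEPT    all  --  anywhere            anywhere            state ESTABLISHED
ACCEPT    all  --  anywhere            anywhere            state RELATED

Chain icmp-acc (1 references)
target    prot opt source              destination
ACCEPT    icmp --  anywhere            anywhere            icmp echo-reply
ACCEPT    icmp --  anywhere            anywhere            icmp echo-request

Chain net-usr (1 references)
target    prot opt source              destination
general_in_accept  all  --  anywhere            anywhere
special-accept  all  --  anywhere            anywhere
ACCEPT    tcp  --  anywhere            anywhere            tcp dpts:19305:19309
ACCEPT    udp  --  anywhere            anywhere            udp dpts:19305:19309
LOG        all  --  anywhere            anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-USR:'
DROP      all  --  anywhere            anywhere

Chain special-accept (1 references)
target    prot opt source              destination
ACCEPT    udp  --  anywhere            192.168.0.12        udp dpt:35241
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dst: str              # destination IPv4 address
    dport: int = 0        # ignored for icmp
    state: str = "NEW"    # conntrack state as `-m state` sees it
    icmp_type: str = ""   # e.g. "echo-request"


def parse_listing(text):
    """Return {chain: [(target, proto, src, dst, extras), ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif line.strip() and not line.startswith("target "):
            parts = line.split(None, 5)
            extras = parts[5] if len(parts) > 5 else ""
            chains[current].append((parts[0], parts[1], parts[3], parts[4], extras))
    return chains


def rule_matches(rule, pkt):
    """Apply one rule's match columns to a packet."""
    _target, proto, _src, dst, extras = rule
    if proto not in ("all", pkt.proto) or dst not in ("anywhere", pkt.dst):
        return False
    port = re.search(r"\bdpts?:(\d+)(?::(\d+))?", extras)   # dpt:N or dpts:A:B
    if port:
        lo, hi = int(port.group(1)), int(port.group(2) or port.group(1))
        if not lo <= pkt.dport <= hi:
            return False
    state = re.search(r"\bstate (\S+)", extras)
    if state and pkt.state not in state.group(1).split(","):
        return False
    icmp = re.search(r"\bicmp (\S+)", extras)
    if icmp and pkt.icmp_type != icmp.group(1):
        return False
    return True   # `limit:` only throttles LOG lines, which never end the walk


def walk(chains, name, pkt, trace=None):
    """Return (verdict, trace); verdict None means the chain ran out of rules."""
    trace = [] if trace is None else trace
    for rule in chains[name]:
        if not rule_matches(rule, pkt):
            continue
        target = rule[0]
        if target in TERMINAL:
            trace.append(f"{name}: {target} {rule[4]}".rstrip())
            return target, trace
        if target == "LOG":
            trace.append(f"{name}: LOG")
        elif target in chains:                      # jump into a user-defined chain
            verdict, trace = walk(chains, target, pkt, trace)
            if verdict:
                return verdict, trace
    return None, trace


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    for pkt in (Packet("udp", "192.168.0.12", 19305), Packet("udp", "192.168.0.12", 50000)):
        print(pkt.dport, walk(chains, "net-usr", pkt))
```

Run against the excerpt, a NEW UDP packet to port 19305 is accepted by the `dpts:19305:19309` rule, a NEW UDP packet to any other port falls through to the LOG/DROP pair, and the same packet in state ESTABLISHED is accepted early in `general_in_accept`. On the real box the equivalent check is `iptables -L FORWARD -v -n --line-numbers` (interfaces and hit counters) together with `iptables -t nat -L -v -n` for the NAT side, neither of which the posted `--list` output includes.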


pawprint_net 01-24-2012 11:06 PM

Update:
 
In an attempt to do 'anything' to get this to work, I replaced the entire gateway/firewall machine with something newer (it was a P4 with 1 GB RAM and I replaced it with an Athlon X2 64 with 8 GB RAM). The firewall is the same. It looks like that did the trick: I tried a hangout with a friend today and they didn't have any trouble hearing me with video (and actually adding a Skype call at the same time).

I guess the machine was just underpowered for the gateway. If anything changes there I'll update this thread again.

catworld 01-28-2012 09:56 AM

Interesting. I use a lot of P4s in server roles; I think I'll pick one and test a beefier machine and see if there's any improvement. (Nobody is complaining, but...)

You might want to mark your thread here as [SOLVED]. That'll keep people like me, browsing around to see where I might offer some help, from tapping into this thread. :)

redsaz 02-02-2014 11:25 PM

MTU was set too low for me
 
I realize this thread is a bit stale and the problem is already solved, but I had this same (at least, similar) problem with my homemade router, and I came upon this thread.

I too thought it was a misconfigured iptables that was somehow not letting the right packets through for Google Hangouts. And it was just on my side... I could receive audio and video just fine from others, but they only got audio from me. Strangely enough, this same effect occurs with Skype and FaceTime. All of my Steam-based games could not connect to any remote server whatsoever. I had used iptables configurations from https://help.ubuntu.com/community/Ro...d_Masquerading and from https://wiki.archlinux.org/index.php...single_machine but still no luck.

Finally I broke down and used Wireshark. I captured packets when connected to a "good" router that was able to connect to a Steam server, and then I captured packets when connected to my wonky router, and compared the results.

It turns out that my wonky router was getting several ICMP "Time-to-live exceeded (Fragment reassembly time exceeded)" packets returned whenever it tried to connect. Following that lead, I ran this command on my router to find out the info on my network adapters:

Code:

ip link list

Of the adapters listed, it was my WAN-facing adapter that was the problem: its MTU was set to 576 somehow. It should be 1500, like the rest of the Internet. I changed it to what it should be with:

Code:

ifconfig eth0 mtu 1500 up

Then I crossed my fingers and tried connecting to a Steam server using the wonky router... It worked! So did Google Hangouts and FaceTime! (I haven't tried Skype yet, though, but it is promising.) The above command won't keep the MTU at 1500 between reboots, so I had to add an entry to my config (searching for "linux permanently change MTU" does the trick).

So, as far as I could tell, my router was seeing several "large" packets come through, so it broke them up into smaller chunks and caused all sorts of commotion.
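
The two checks in the post above, finding which interface carries a too-small MTU and confirming what size the path actually passes, can be scripted. The following is an added example, not code from the thread: it parses `ip link` output (the sample text is constructed, not real output from either poster's machine) and flags interfaces below the 1500-byte Ethernet MTU, and it performs the binary search a person otherwise does by hand with `ping -M do -s <size>`, which sets the Don't Fragment bit so an oversized probe fails instead of being fragmented. The probe function is injected so the search runs offline against a simulated 576-byte path; `ping_probe` wraps the iputils `ping` flags `-M do`, `-c`, `-W` and `-s`, which is an assumption of this example and is not something the post shows.

```python
"""Interface-MTU audit and path-MTU search.

Added example, not from the thread. (1) Parse `ip link` output and flag
interfaces below the 1500-byte Ethernet MTU, as happened to the WAN port
above. (2) Find the largest DF-flagged payload a path carries, the binary
search people do by hand with `ping -M do -s <size>`. The probe is injected
so the search runs offline against a simulated 576-byte path; `ping_probe`
wraps the iputils ping flags (-M do, -c, -W, -s), an assumption of this
example, not something the post shows.
"""
import re
import subprocess

ETHERNET_MTU = 1500
IPV4_HDR, ICMP_HDR = 20, 8          # ping payload = MTU - 20 (IPv4) - 8 (ICMP)

# Constructed sample in `ip link` format, not real output from the thread.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""
LINK_RE = re.compile(r"^\d+: ([^:@\s]+)(?:@\S+)?: <[^>]*> mtu (\d+)", re.M)


def interface_mtus(ip_link_output):
    """{ifname: mtu} parsed from `ip link` / `ip -o link` text."""
    return {name: int(mtu) for name, mtu in LINK_RE.findall(ip_link_output)}


def low_mtu_interfaces(ip_link_output, expected=ETHERNET_MTU):
    """Non-loopback interfaces whose MTU is below `expected`."""
    return sorted(n for n, m in interface_mtus(ip_link_output).items()
                  if n != "lo" and m < expected)


def simulated_probe(path_mtu):
    """Offline stand-in for ping: a DF packet passes iff it fits the path."""
    return lambda payload: payload + IPV4_HDR + ICMP_HDR <= path_mtu


def ping_probe(host, payload, timeout=2):
    """True if one DF-flagged ping of `payload` bytes is answered (iputils)."""
    res = subprocess.run(["ping", "-M", "do", "-c", "1", "-W", str(timeout),
                          "-s", str(payload), host], capture_output=True)
    return res.returncode == 0


def find_path_mtu(probe, lo=0, hi=ETHERNET_MTU - IPV4_HDR - ICMP_HDR):
    """Largest payload in [lo, hi] that `probe` accepts, and the MTU it implies.
    Binary search, so `probe` must be monotone: once a size fails, every larger
    size fails too, which holds for a fixed path. None if even `lo` fails."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo, lo + IPV4_HDR + ICMP_HDR


if __name__ == "__main__":
    print("interfaces below 1500:", low_mtu_interfaces(IP_LINK_SAMPLE))
    print("simulated 576-byte path:", find_path_mtu(simulated_probe(576)))
    # Live check against an assumed hostname:
    # find_path_mtu(lambda n: ping_probe("gateway.example", n))
```

On the sample, `eth0` is reported at 576 and the search finds a 548-byte payload, i.e. a 576-byte path MTU; against a healthy Ethernet path it stops at 1472, which is 1500 minus the two headers. The `iproute2` equivalent of the `ifconfig` command in the post is `ip link set dev eth0 mtu 1500`, and on the CentOS 6 gateway from earlier in the thread the setting is made persistent with `MTU=1500` in `/etc/sysconfig/network-scripts/ifcfg-eth0`. One caveat worth checking on a firewall like the one posted above: DF-based probing and normal path-MTU discovery both depend on receiving ICMP destination-unreachable messages, so a ruleset that drops ICMP wholesale (the posted `net-if` chain does drop ICMP that its `icmp-acc` chain has not already accepted, and `icmp-acc` does accept `destination-unreachable`) can turn an MTU mismatch into silent black-holing of large packets.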

