LinuxQuestions.org

Linux - Networking: Setting up netfilter/iptables to allow Apple FaceTime-enabled phone calls w/iPhone 4 (http://www.linuxquestions.org/questions/linux-networking-3/setting-up-netfilter-iptables-to-allow-apple-facetime-enabled-phone-calls-w-iphone-4-a-907015/)

TheOneKEA 10-07-2011 06:58 PM

Setting up netfilter/iptables to allow Apple FaceTime-enabled phone calls w/iPhone 4
 
I am currently stuck with a nonfunctional Apple FaceTime setup on my iPhone 4 because I am unable to get the firewall rules on my Linux-based firewall set up correctly. I have read the article at http://support.apple.com/kb/ht4245 but it doesn't tell me very much, except for the port numbers themselves. My firewall is a fairly extensive one that uses SNAT to allow multiple internal devices to share a single public IPv4 address.

Here are the rules that I currently have in the filter table (my iPhone 4 uses the address 192.168.1.12):

Code:

Chain tcp_fwd_in (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Code:

Chain tcp_fwd_out (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 state NEW,RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 state NEW,RELATED,ESTABLISHED
    0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:5223 state NEW,RELATED,ESTABLISHED

Code:

Chain udp_fwd_in (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp dpts:3478:3497 state NEW helper match "sip"
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp dpts:16384:16403 state NEW helper match "sip"
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp spts:3478:3497 state NEW helper match "sip"
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp spts:16384:16403 state NEW helper match "sip"

Code:

Chain udp_fwd_out (1 references)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 ACCEPT    udp  --  *      *      192.168.1.12        0.0.0.0/0          udp dpts:3478:3497 state NEW,RELATED,ESTABLISHED helper match "sip"
    0    0 ACCEPT    udp  --  *      *      192.168.1.12        0.0.0.0/0          udp dpts:16384:16403 state NEW,RELATED,ESTABLISHED helper match "sip"
    0    0 ACCEPT    udp  --  *      *      192.168.1.12        0.0.0.0/0          udp spts:3478:3497 state NEW,RELATED,ESTABLISHED helper match "sip"
    0    0 ACCEPT    udp  --  *      *      192.168.1.12        0.0.0.0/0          udp spts:16384:16403 state NEW,RELATED,ESTABLISHED helper match "sip"

And here are the rules in the nat table (I have the SIP conntrack and NAT helpers loaded in lsmod when my firewall is set up):

Code:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target    prot opt in    out    source              destination       
    0    0 DNAT      udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          udp dpts:3478:3497 to:192.168.1.12
    0    0 DNAT      udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          udp dpts:16384:16403 to:192.168.1.12
    0    0 DNAT      udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          udp spts:3478:3497 to:192.168.1.12
    0    0 DNAT      udp  --  eth0  *      0.0.0.0/0            0.0.0.0/0          udp spts:16384:16403 to:192.168.1.12

Has anyone else solved the FaceTime firewall problem with netfilter/iptables?
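As an added example (not part of the original post), a small Python lint that parses `iptables -L -v -n` listings in the format shown above and flags two rule patterns that appear in it. `-m helper` (printed as `helper match "sip"`) only matches packets of connections created from a conntrack helper expectation, which conntrack classifies as RELATED, so a rule that pairs it with `state NEW` alone can never fire; and a rule keyed on the remote source port (`spts:`) with an any-address source is satisfied by whatever port the far end chooses. `SAMPLE` is a constructed excerpt in the same format; to lint a live firewall, feed the output of `iptables -L -v -n` to `parse_listing` instead.

```python
"""Lint an `iptables -L -v -n` listing for rules that cannot match or that
key on fields the remote end controls. Added example, not from the post."""
import re

# Constructed excerpt in the same layout as the listing in the post.
SAMPLE = """\
Chain udp_fwd_in (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp dpts:3478:3497 state NEW helper match "sip"
    0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.1.12        udp spts:3478:3497 state NEW helper match "sip"
Chain udp_fwd_out (1 references)
 pkts bytes target    prot opt in    out    source              destination
    0    0 ACCEPT    udp  --  *      *      192.168.1.12        0.0.0.0/0          udp dpts:3478:3497 state NEW,RELATED,ESTABLISHED helper match "sip"
"""

def parse_listing(text):
    """Return rule dicts: 9 fixed columns, then the free-form match text."""
    chain, rules = None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split(None, 9)
        if len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column header
        rules.append({"chain": chain, "target": cols[2], "proto": cols[3],
                      "src": cols[7], "dst": cols[8],
                      "extra": cols[9] if len(cols) > 9 else ""})
    return rules

def lint(rules):
    """Return (chain, rule_index, message) for each suspicious rule."""
    findings = []
    for i, r in enumerate(rules):
        extra = r["extra"]
        m = re.search(r"state (\S+)", extra)
        states = set(m.group(1).split(",")) if m else set()
        # -m helper only matches conntracks that have a master, i.e. expected
        # connections, which the state match reports as RELATED, never NEW.
        if "helper match" in extra and states and "RELATED" not in states:
            findings.append((r["chain"], i, "dead rule: helper match with state NEW only"))
        # A source-port-only match from any address is chosen by the remote end.
        if "spts:" in extra and "dpts:" not in extra and r["src"] == "0.0.0.0/0":
            findings.append((r["chain"], i, "weak rule: keyed only on remote source port"))
    return findings

if __name__ == "__main__":
    for finding in lint(parse_listing(SAMPLE)):
        print(finding)
```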

