I am currently stuck with a nonfunctional Apple FaceTime setup on my iPhone 4 because I am unable to get the firewall rules on my Linux-based firewall set up correctly. I have read the article at
http://support.apple.com/kb/ht4245 but it doesn't tell me very much, except for the port numbers themselves. My firewall is a fairly extensive one that uses SNAT to allow multiple internal devices to share a single public IPv4 address.
Here are the rules that I currently have in the filter table (my iPhone 4 uses the address 192.168.1.12):
Code:
Chain tcp_fwd_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Code:
Chain tcp_fwd_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5223 state NEW,RELATED,ESTABLISHED
Code:
Chain udp_fwd_in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.12 udp dpts:3478:3497 state NEW helper match "sip"
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.12 udp dpts:16384:16403 state NEW helper match "sip"
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.12 udp spts:3478:3497 state NEW helper match "sip"
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.12 udp spts:16384:16403 state NEW helper match "sip"
Code:
Chain udp_fwd_out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 udp dpts:3478:3497 state NEW,RELATED,ESTABLISHED helper match "sip"
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 udp dpts:16384:16403 state NEW,RELATED,ESTABLISHED helper match "sip"
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 udp spts:3478:3497 state NEW,RELATED,ESTABLISHED helper match "sip"
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 udp spts:16384:16403 state NEW,RELATED,ESTABLISHED helper match "sip"
And here are the rules in the nat table (I have the SIP conntrack and NAT helpers loaded in lsmod when my firewall is set up):
Code:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:3478:3497 to:192.168.1.12
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:16384:16403 to:192.168.1.12
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:3478:3497 to:192.168.1.12
0 0 DNAT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:16384:16403 to:192.168.1.12
Has anyone else solved the FaceTime firewall problem with netfilter/iptables?
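The following is an added example, not the original poster's ruleset, showing the minimal netfilter rules needed to forward the UDP port ranges the post lists (3478-3497 and 16384-16403) to a single phone behind SNAT. It differs from the post in two ways worth checking: the DNAT and FORWARD rules match only the destination port (a DNAT keyed on source ports rewrites any inbound packet that happens to originate from those ports, whatever its destination, which is broader than the KB article requires), and there is no `-m helper --helper sip` match, which can only match packets that conntrack has already associated with the SIP helper and so never matches a NEW flow. The WAN interface `eth0`, LAN interface `eth1` and phone address `192.168.1.12` are assumptions taken from the post; the script prints the commands by default and only applies them when run with `apply`.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables commands that
# forward FaceTime's published UDP ranges to one internal host behind SNAT.
# Assumed topology: WAN on eth0, LAN on eth1, phone at 192.168.1.12.
# The RELATED,ESTABLISHED accepts that the post already has are assumed to be
# in place; these rules only admit the NEW packets of each flow.

facetime_rules() {
  wan="$1"; lan="$2"; phone="$3"
  # UDP ranges from the post (Apple KB HT4245 lists these for FaceTime)
  for range in 3478:3497 16384:16403; do
    # nat: rewrite the destination of inbound UDP on the range to the phone.
    # Keyed on --dport only; a source-port DNAT would catch unrelated traffic.
    echo "iptables -t nat -A PREROUTING -i $wan -p udp --dport $range -j DNAT --to-destination $phone"
    # filter: allow the DNATed flow to be forwarded to the phone (NEW only;
    # no helper match, since a NEW packet has no conntrack helper attached).
    echo "iptables -A FORWARD -i $wan -o $lan -p udp -d $phone --dport $range -m conntrack --ctstate NEW -j ACCEPT"
    # filter: allow the phone to initiate outbound flows on the same range.
    echo "iptables -A FORWARD -i $lan -o $wan -p udp -s $phone --dport $range -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Count of rules the generator produces; handy as a sanity check before applying.
facetime_rule_count() {
  facetime_rules "$@" | grep -c .
}

# Usage: ./facetime.sh            -> print the commands
#        ./facetime.sh apply      -> run them (needs root and iptables)
case "${1:-print}" in
  apply) facetime_rules "${WAN:-eth0}" "${LAN:-eth1}" "${PHONE:-192.168.1.12}" | sh ;;
  *)     facetime_rules "${WAN:-eth0}" "${LAN:-eth1}" "${PHONE:-192.168.1.12}" ;;
esac
```

After applying, `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` should show the packet counters on the DNAT and FORWARD rules climbing during a call; counters that stay at zero (as in the post's listing) mean the packets never reach those rules, which is the first thing to check before suspecting the helper modules.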