01-17-2012, 01:10 PM
#1
Member
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30
Googleplus Hangouts through ipTables Firewall
I have a consistent problem using Google+ Hangouts that I believe is related to my iptables NAT firewall with 2 internal subnets. If anyone has any tips I would really appreciate it.
I can use the audio portion of a hangout just fine but when I try to add video the bandwidth seems to die completely and nobody can understand anything anymore.
- This is on a 20Mb/1.5Mb Cable connection (confirmed with speed tests)
- Internal network is all Gig-E
- Tried from Macs and PCs on the inside of the firewall (fast/new systems)
- Tried in Chrome, Safari, Firefox, and IE 8/9
- Tried with different webcams
(unrelated? my Skype file-transfers outgoing have always been VERY slow too - incoming are very fast)
I believe the firewall isn't allowing the UDP traffic through. I have tried to add specific forwards for that, but I can't tell if GPlus is using them or not. This (again I believe) is forcing GPlus chat to use TCP, and that might be the problem. Has anyone got a successful configuration working for this, or can offer any tips?
01-18-2012, 12:43 AM
#2
LQ Newbie
Registered: Oct 2011
Location: USA
Distribution: Backtrack 5, Ubuntu 11.10, Linux Mint 12, Cyanogen Mod 7, FreeBSD 9.0
Posts: 17
What more can you tell us about the firewall? Is it stateful? Built into your router? A dedicated machine?
Is it only being handled client-side by iptables? If so, can you post the results of the following command?
# iptables --list
(I'm assuming you're only using IPv4 here)
01-19-2012, 04:33 PM
#3
Member
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30
Original Poster
This is just client-side iptables (not stateful) on a dedicated CentOS 6 machine; the machine is the router.
Here is the iptables list.
You'll see the lines about ports 19305:19309 (I recently added those as an attempt to help GChat get through, but I don't think they are doing anything).
Code:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
usr-if all -- anywhere anywhere
svr-if all -- anywhere anywhere
net-if all -- anywhere anywhere
tun-if all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-2-INPUT-DROPOFF:'
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
usr-svr all -- anywhere anywhere
svr-usr all -- anywhere anywhere
usr-net all -- anywhere anywhere
svr-net all -- anywhere anywhere
net-usr all -- anywhere anywhere
net-svr all -- anywhere anywhere
usr-svr all -- anywhere anywhere
usr-svr all -- anywhere anywhere
svr-if all -- anywhere anywhere
usr-if all -- anywhere anywhere
usr-if all -- anywhere anywhere
svr-if all -- anywhere anywhere
net-if all -- anywhere anywhere
tun-if all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-2-FORWARD-DROPOFF:'
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
general_out_deny all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain general_in_accept (3 references)
target prot opt source destination
icmp-acc icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED
Chain general_out_deny (3 references)
target prot opt source destination
LOG tcp -- anywhere anywhere tcp spt:ipcserver limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_DROP-pcserver:'
DROP tcp -- anywhere anywhere tcp spt:ipcserver
LOG tcp -- anywhere anywhere tcp spt:17027 limit: avg 1/min burst 5 LOG level info prefix `FW-3-OUT_DROP-adbot:'
REJECT tcp -- anywhere anywhere tcp spt:17027 reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere tcp spt:sunrpc limit: avg 1/min burst 5 LOG level info prefix `FW-8-OUT_REJECT-portmap:'
REJECT tcp -- anywhere anywhere tcp spt:sunrpc reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere tcp spt:login limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-rwho:'
REJECT tcp -- anywhere anywhere tcp spt:login reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere tcp spt:xdmcp limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-xdmcp:'
REJECT tcp -- anywhere anywhere tcp spt:xdmcp reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere tcp spt:x11 limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_REJECT-xwindows:'
REJECT tcp -- anywhere anywhere tcp spt:x11 reject-with icmp-port-unreachable
Chain icmp-acc (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
Chain log_accept (0 references)
target prot opt source destination
Chain net-if (2 references)
target prot opt source destination
general_in_accept all -- anywhere anywhere
ACCEPT tcp -- anywhere **myhostname** tcp spt:domain
ACCEPT udp -- anywhere **myhostname** udp spt:domain
LOG icmp -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-ICMP:'
DROP icmp -- anywhere anywhere
DROP tcp -- anywhere **myhostname** tcp dpt:domain
DROP udp -- anywhere **myhostname** udp dpt:domain
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET_IF_ACCEPT-NEW-ssh:'
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpts:openvpn:rsf-1
LOG tcp -- anywhere anywhere tcp dpt:telnet limit: avg 1/min burst 5 LOG level info prefix `FW-5-NET_IF_DROP-telnet:'
DROP tcp -- anywhere anywhere tcp dpt:telnet
LOG tcp -- anywhere anywhere tcp dpt:smtp limit: avg 1/min burst 5 LOG level info prefix `FW-8-NET_IF_DROP-smtp:'
DROP tcp -- anywhere anywhere tcp dpt:smtp
LOG tcp -- anywhere anywhere tcp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:'
DROP tcp -- anywhere anywhere tcp dpt:0
LOG udp -- anywhere anywhere udp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:'
DROP udp -- anywhere anywhere udp dpt:0
LOG tcp -- anywhere anywhere tcp dpt:serialgateway limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-sub7:'
DROP tcp -- anywhere anywhere tcp dpt:serialgateway
LOG tcp -- anywhere anywhere tcp dpt:systat limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-syssat:'
DROP tcp -- anywhere anywhere tcp dpt:systat
LOG tcp -- anywhere anywhere tcp dpt:finger limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-finger:'
DROP tcp -- anywhere anywhere tcp dpt:finger
LOG all -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-3-NET_IF_DROP:'
DROP all -- anywhere anywhere
Chain net-svr (1 references)
target prot opt source destination
general_in_accept all -- anywhere anywhere
special-svr-accept all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.1.4 tcp dpt:http
ACCEPT tcp -- anywhere 192.168.1.17 tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpts:19305:19309
ACCEPT udp -- anywhere anywhere udp dpts:19305:19309
ACCEPT tcp -- anywhere 192.168.1.17 tcp dpt:webcache
LOG tcp -- anywhere 192.168.1.4 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET-SVR_ACCEPT-NEW-ssh:'
ACCEPT tcp -- anywhere 192.168.1.4 tcp dpt:ssh
LOG all -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-SVR:'
DROP all -- anywhere anywhere
Chain net-usr (1 references)
target prot opt source destination
general_in_accept all -- anywhere anywhere
special-accept all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:31299
ACCEPT udp -- anywhere anywhere udp dpt:31299
ACCEPT tcp -- anywhere anywhere tcp dpts:19305:19309
ACCEPT udp -- anywhere anywhere udp dpts:19305:19309
LOG all -- anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-USR:'
DROP all -- anywhere anywhere
Chain special-accept (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.0.12 tcp dpt:35241
ACCEPT udp -- anywhere 192.168.0.12 udp dpt:35241
Chain special-svr-accept (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.1.16 tcp dpt:14412
ACCEPT udp -- anywhere 192.168.1.16 udp dpt:14412
Chain svr-if (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain svr-net (1 references)
target prot opt source destination
general_out_deny all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain svr-usr (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain tun-if (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain usr-if (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain usr-net (1 references)
target prot opt source destination
general_out_deny all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain usr-svr (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
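Added example, not code from the thread: a small Python audit of a saved `iptables --list` dump, run over a constructed excerpt of the listing above, that reports which chains have a reachable ACCEPT for a given protocol and port (a blanket DROP/REJECT ends the search in that chain). The function names are my own.

```python
# Audit a saved `iptables --list` dump: which chains accept a protocol and port?
import re
# Constructed excerpt modelled on the listing posted above (not the full dump).
SAMPLE = """\
Chain general_in_accept (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state ESTABLISHED
Chain net-usr (1 references)
general_in_accept all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:31299
ACCEPT udp -- anywhere anywhere udp dpts:19305:19309
DROP all -- anywhere anywhere
Chain usr-net (1 references)
general_out_deny all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
"""

def parse_chains(text):
    """Return {chain: [rule, ...]}; a rule is a dict of the listing's columns."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif current is not None and line.strip() and not line.startswith("target "):
            target, proto, _opt, src, dst, *extra = line.split()
            current.append({"target": target, "proto": proto, "src": src,
                            "dst": dst, "extra": " ".join(extra)})
    return chains

def rule_covers(rule, proto, port):
    """True if the rule's protocol and dpt/dpts clause include proto/port."""
    if rule["proto"] not in (proto, "all"):
        return False
    if "dpt" not in rule["extra"]:       # no destination-port clause: any port
        return True
    m = re.search(r"dpts?:(\d+)(?::(\d+))?", rule["extra"])  # None for dpt:ssh
    return bool(m) and int(m.group(1)) <= port <= int(m.group(2) or m.group(1))

def chains_accepting(chains, proto, port):
    """Chains with a reachable ACCEPT for proto/port (stops at a blanket DROP/REJECT)."""
    hits = []
    for name, rules in chains.items():
        for r in rules:
            if r["target"] in ("DROP", "REJECT") and r["proto"] == "all" and not r["extra"]:
                break                      # nothing below this rule is reachable
            if r["target"] == "ACCEPT" and rule_covers(r, proto, port):
                hits.append(name)
                break
    return sorted(hits)
```

Feed it the real dump with `parse_chains(open("iptables.txt").read())`; a state-matching ACCEPT counts as covering any port, so a chain that only accepts ESTABLISHED/RELATED traffic still shows up.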
01-25-2012, 12:06 AM
#4
Member
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30
Original Poster
Update:
In an attempt to do 'anything' to get this to work, I replaced the entire gateway/firewall machine with something newer (it was a P4 with 1GB RAM and I replaced it with an Athlon X2 64 with 8GB RAM). The firewall is the same. It looks like that did the trick: I tried a hangout with a friend today and they didn't have any trouble hearing me with video (and actually adding a Skype call at the same time).
I guess the machine was just underpowered for the gateway. If anything changes there I'll update this thread again.
01-28-2012, 10:56 AM
#5
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
Interesting. I use a lot of P4s in server roles; I think I'll pick one and test a beefier machine and see if there's any improvement. (Nobody is complaining, but...)
You might want to mark your thread here as [SOLVED]. That'll keep people like me, browsing around to see where I might offer some help, from tapping into this thread.
02-03-2014, 12:25 AM
#6
LQ Newbie
Registered: Feb 2014
Posts: 2
MTU was set too low for me
I realize this thread is a bit stale and the problem is already solved, but I had this same (at least, similar) problem with my homemade router, and I came upon this thread.
I too thought it was a mis-configured iptables that was somehow not letting the right packets through for Google Hangouts. And it was just on my side... I could receive audio and video just fine from others, but they only got audio from me. Strangely enough, this same effect occurs with Skype and Facetime. All of my Steam-based games could not connect to any remote server whatsoever. I had used iptables configurations from https://help.ubuntu.com/community/Ro...d_Masquerading and from https://wiki.archlinux.org/index.php...single_machine but still no luck.
Finally I broke down and used Wireshark. I captured packets when connected to a "good" router that was able to connect to a Steam server, and then I captured packets when connected to my wonky router, and compared the results.
It turns out that my wonky router was getting several ICMP "Time-to-live exceeded (Fragment reassembly time exceeded)" packets returned whenever it tried to connect. Following that lead, I ran this command on my router to find out the info on my network adapters:
Of the adapters listed, it was my WAN-facing adapter that was the problem: its MTU was set to 576 somehow. It should be 1500, like the rest of the Internet. I changed it to what it should be with:
Code:
ifconfig eth0 mtu 1500 up
Then I crossed my fingers and tried connecting to a Steam server using the wonky router... It worked! So did Google Hangouts and Facetime! (I haven't tried Skype yet, though, but it is promising.) The above command won't keep the MTU at 1500 between reboots, so I had to add an entry to my config (searching for "linux permanently change MTU" does the trick).
So, as far as I could tell, my router was seeing several "large" packets come through, so it broke them up into smaller chunks and caused all sorts of commotion.
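Added example, not code from the post: the IPv4 fragmentation arithmetic behind the MTU 576 symptom, plus a reassembly check showing how one lost fragment leaves the receiver waiting until its reassembly timer fires, the "Fragment reassembly time exceeded" condition seen in the capture. The helper names `fragment`, `reassembles` and `max_udp_payload` are my own.

```python
# How IPv4 fragmentation turns a 1500-byte packet into a fragment train when an
# interface is left at MTU 576, and why losing one fragment defeats reassembly.
IP_HDR = 20   # IPv4 header length without options, in bytes

def fragment(total_len, mtu, ip_hdr=IP_HDR):
    """Split a packet of total_len bytes for a link of the given MTU.
    Returns [(payload_offset, fragment_total_len, more_fragments), ...].
    Every fragment except the last carries a multiple of 8 payload bytes,
    because the IPv4 fragment-offset field counts 8-byte units."""
    if total_len <= mtu:
        return [(0, total_len, False)]
    chunk = ((mtu - ip_hdr) // 8) * 8
    if chunk <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload, frags, off = total_len - ip_hdr, [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append((off, n + ip_hdr, off + n < payload))
        off += n
    return frags

def reassembles(frags, payload_len, ip_hdr=IP_HDR):
    """True only if the fragments received cover the payload contiguously and the
    final one has MF clear. Otherwise the receiver's reassembly timer expires and
    it may answer ICMP Time Exceeded, code 1 (fragment reassembly time exceeded),
    the message reported in the Wireshark capture above."""
    covered, complete = 0, False
    for off, flen, mf in sorted(frags):
        if off != covered:
            return False          # gap: a fragment went missing
        covered, complete = off + flen - ip_hdr, not mf
    return complete and covered == payload_len

def max_udp_payload(mtu, ip_hdr=IP_HDR, udp_hdr=8):
    """Largest UDP payload that crosses the link unfragmented (1472 at MTU 1500)."""
    return mtu - ip_hdr - udp_hdr

if __name__ == "__main__":
    train = fragment(1500, 576)          # a normal full-size packet on the bad WAN link
    print("MTU 576 ->", len(train), "fragments:", train)
    print("all fragments arrive:", reassembles(train, 1480))
    print("middle fragment lost:", reassembles(train[::2], 1480))
    print("max unfragmented UDP payload at MTU 576:", max_udp_payload(576))
```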