LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 01-17-2012, 12:10 PM   #1
pawprint_net
Member
 
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30

Rep: Reputation: 0
Question Googleplus Hangouts through ipTables Firewall


I have a consistent problem using Google+ Hangouts that I believe is related to my ipTables NAT Firewall with 2 internal subnets. If anyone has any tips I would really appreciate it.

I can use the audio portion of a hangout just fine but when I try to add video the bandwidth seems to die completely and nobody can understand anything anymore.
  • This is on a 20Mb/1.5Mb Cable connection (confirmed with speed tests)
  • Internal network is all Gig-E
  • Tried from Macs and PCs on the inside of the firewall (fast/new systems)
  • Tried in Chrome, Safari, Firefox, and IE 8/9
  • Tried with different webcams

(unrelated? my Skype file-transfers outgoing have always been VERY slow too - incoming are very fast)

I believe the firewall isn't allowing the UDP traffic through - I have tried to add specific forwards for that but I can't tell if GPlus is using them or not. This (again I believe) is forcing GPlus chat to use TCP and that might be the problem. Has anyone got a successful configuration working for this or can offer any tips?
 
Old 01-17-2012, 11:43 PM   #2
xylos
LQ Newbie
 
Registered: Oct 2011
Location: USA
Distribution: Backtrack 5, Ubuntu 11.10, Linux Mint 12, Cyanogen Mod 7, FreeBSD 9.0
Posts: 17

Rep: Reputation: Disabled
What more can you tell us about the firewall? Is it stateful? Built into your router? A dedicated machine?

Is it only being handled client-side by iptables? If so, can you post the results of the following command?

# iptables --list

(I'm assuming you're only using IPv4 here)
 
Old 01-19-2012, 03:33 PM   #3
pawprint_net
Member
 
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30

Original Poster
Rep: Reputation: 0
This is just clientside from ipTables (not stateful) on a dedicated Centos 6 machine the machine is the router.


Here is the ipTables list:

You'll see the lines about ports 19305:19309 (I recently added those as an attempt to help GChat get through but I don't think they are doing anything.
Code:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
usr-if     all  --  anywhere             anywhere            
svr-if     all  --  anywhere             anywhere            
net-if     all  --  anywhere             anywhere            
tun-if     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-2-INPUT-DROPOFF:' 
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
usr-svr    all  --  anywhere             anywhere            
svr-usr    all  --  anywhere             anywhere            
usr-net    all  --  anywhere             anywhere            
svr-net    all  --  anywhere             anywhere            
net-usr    all  --  anywhere             anywhere            
net-svr    all  --  anywhere             anywhere            
usr-svr    all  --  anywhere             anywhere            
usr-svr    all  --  anywhere             anywhere            
svr-if     all  --  anywhere             anywhere            
usr-if     all  --  anywhere             anywhere            
usr-if     all  --  anywhere             anywhere            
svr-if     all  --  anywhere             anywhere            
net-if     all  --  anywhere             anywhere            
tun-if     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-2-FORWARD-DROPOFF:' 
DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
general_out_deny  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain general_in_accept (3 references)
target     prot opt source               destination         
icmp-acc   icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            state RELATED 

Chain general_out_deny (3 references)
target     prot opt source               destination         
LOG        tcp  --  anywhere             anywhere            tcp spt:ipcserver limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_DROP-pcserver:' 
DROP       tcp  --  anywhere             anywhere            tcp spt:ipcserver 
LOG        tcp  --  anywhere             anywhere            tcp spt:17027 limit: avg 1/min burst 5 LOG level info prefix `FW-3-OUT_DROP-adbot:' 
REJECT     tcp  --  anywhere             anywhere            tcp spt:17027 reject-with icmp-port-unreachable 
LOG        tcp  --  anywhere             anywhere            tcp spt:sunrpc limit: avg 1/min burst 5 LOG level info prefix `FW-8-OUT_REJECT-portmap:' 
REJECT     tcp  --  anywhere             anywhere            tcp spt:sunrpc reject-with icmp-port-unreachable 
LOG        tcp  --  anywhere             anywhere            tcp spt:login limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-rwho:' 
REJECT     tcp  --  anywhere             anywhere            tcp spt:login reject-with icmp-port-unreachable 
LOG        tcp  --  anywhere             anywhere            tcp spt:xdmcp limit: avg 1/min burst 5 LOG level info prefix `FW-5-OUT_REJECT-xdmcp:' 
REJECT     tcp  --  anywhere             anywhere            tcp spt:xdmcp reject-with icmp-port-unreachable 
LOG        tcp  --  anywhere             anywhere            tcp spt:x11 limit: avg 1/min burst 5 LOG level info prefix `FW-9-OUT_REJECT-xwindows:' 
REJECT     tcp  --  anywhere             anywhere            tcp spt:x11 reject-with icmp-port-unreachable 

Chain icmp-acc (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 

Chain log_accept (0 references)
target     prot opt source               destination         

Chain net-if (2 references)
target     prot opt source               destination         
general_in_accept  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             **myhostname** tcp spt:domain 
ACCEPT     udp  --  anywhere             **myhostname** udp spt:domain 
LOG        icmp --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-ICMP:' 
DROP       icmp --  anywhere             anywhere            
DROP       tcp  --  anywhere             **myhostname** tcp dpt:domain 
DROP       udp  --  anywhere             **myhostname** udp dpt:domain 
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET_IF_ACCEPT-NEW-ssh:' 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:openvpn:rsf-1 
LOG        tcp  --  anywhere             anywhere            tcp dpt:telnet limit: avg 1/min burst 5 LOG level info prefix `FW-5-NET_IF_DROP-telnet:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet 
LOG        tcp  --  anywhere             anywhere            tcp dpt:smtp limit: avg 1/min burst 5 LOG level info prefix `FW-8-NET_IF_DROP-smtp:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:smtp 
LOG        tcp  --  anywhere             anywhere            tcp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:0 
LOG        udp  --  anywhere             anywhere            udp dpt:0 limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-port-0:' 
DROP       udp  --  anywhere             anywhere            udp dpt:0 
LOG        tcp  --  anywhere             anywhere            tcp dpt:serialgateway limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-sub7:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:serialgateway 
LOG        tcp  --  anywhere             anywhere            tcp dpt:systat limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-syssat:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:systat 
LOG        tcp  --  anywhere             anywhere            tcp dpt:finger limit: avg 1/min burst 5 LOG level info prefix `FW-9-NET_IF_DROP-finger:' 
DROP       tcp  --  anywhere             anywhere            tcp dpt:finger 
LOG        all  --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-3-NET_IF_DROP:' 
DROP       all  --  anywhere             anywhere            

Chain net-svr (1 references)
target     prot opt source               destination         
general_in_accept  all  --  anywhere             anywhere            
special-svr-accept  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             192.168.1.4         tcp dpt:http 
ACCEPT     tcp  --  anywhere             192.168.1.17        tcp dpt:http 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:19305:19309 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:19305:19309 
ACCEPT     tcp  --  anywhere             192.168.1.17        tcp dpt:webcache 
LOG        tcp  --  anywhere             192.168.1.4         tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN limit: avg 1/min burst 5 LOG level info prefix `FW-0-NET-SVR_ACCEPT-NEW-ssh:' 
ACCEPT     tcp  --  anywhere             192.168.1.4         tcp dpt:ssh 
LOG        all  --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-SVR:' 
DROP       all  --  anywhere             anywhere            

Chain net-usr (1 references)
target     prot opt source               destination         
general_in_accept  all  --  anywhere             anywhere            
special-accept  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:31299 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:31299 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:19305:19309 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:19305:19309 
LOG        all  --  anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `FW-8-DROP_NET-USR:' 
DROP       all  --  anywhere             anywhere            

Chain special-accept (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.0.12        tcp dpt:35241 
ACCEPT     udp  --  anywhere             192.168.0.12        udp dpt:35241 

Chain special-svr-accept (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.1.16        tcp dpt:14412 
ACCEPT     udp  --  anywhere             192.168.1.16        udp dpt:14412 

Chain svr-if (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain svr-net (1 references)
target     prot opt source               destination         
general_out_deny  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain svr-usr (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain tun-if (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain usr-if (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain usr-net (1 references)
target     prot opt source               destination         
general_out_deny  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain usr-svr (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere
 
Old 01-24-2012, 11:06 PM   #4
pawprint_net
Member
 
Registered: Nov 2009
Location: BC Canada
Distribution: CentOS, RHEL, Ubuntu, & Fedora
Posts: 30

Original Poster
Rep: Reputation: 0
Smile Update:

IN an attempt to do 'anything' to get this to work I replaced the entire gateway/firewall machine with something newer (it was a P4 with 1GB RAM and I replaced it with a Athlon X2 64 with 8Gb RAM) the firewall is the same - it looks like that did the trick - I tried a hangout with a friend today and they didn't have any trouble hearing me with video (and actually adding a Skype call at the same time)

I guess the machine was just underpowered for the gateway. If anything changes there I'll update this thread again.
 
Old 01-28-2012, 09:56 AM   #5
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Interesting. I use a lot of P4s in server rolls, I think I'll pick one and test a beefier machine and see if there's any improvement. (nobody is complaining, but...)

You might want to mark your thread here as [SOLVED]. That'll keep people like me browsing around to see where I might offer some help, from tapping into this thread..
 
1 members found this post helpful.
Old 02-02-2014, 11:25 PM   #6
redsaz
LQ Newbie
 
Registered: Feb 2014
Posts: 2

Rep: Reputation: Disabled
MTU was set too low for me

I realize this thread is a bit stale and the problem is already solved, but I had this same (at least, similar) problem with my homemade router, and I came upon this thread.

I too thought it was a mis-configured iptables that was somehow not letting the right packets through for Google Hangouts. And it was just on my side... I could receive audio and video just fine from others, but they only got audio from me. Strangely enough, this same effect occurs with Skype and Facetime. All of my Steam-based games could not connect to any remote server whatsoever. I had used iptable configurations from https://help.ubuntu.com/community/Ro...d_Masquerading and from https://wiki.archlinux.org/index.php...single_machine but still no luck.

Finally I broke down and used Wireshark. I captured packets when connected to a "good" router that was able to connect to a Steam server, and then I captured packets when connected to my wonky router, and compared the results.

It turns out that my wonky router was getting several ICMP "Time-to-live exceeded (Fragment reassembly time exceeded)" packets returned whenever it tried to connect. Following that lead, I ran this command on my router to find out the info on my network adapters:

Code:
ip link list
Of the adapters listed, it was my WAN-facing adapter that was the problem: It's MTU was set to 576 somehow. It should be 1500, like the rest of the Internet. I changed it to what it should be with:

Code:
ifconfig eth0 mtu 1500 up
Then I crossed my fingers and tried connecting to a Steam-server using the wonky router... It worked! So did Google Hangouts and Facetime! (I haven't tried Skype yet though but it is promising.) The above command won't keep the MTU at 1500 between reboots, so I had to add an entry to my config (searching for linux permanently change MTU does the trick.)

So, as far as I could tell, my router was seeing several "large" packets come through, so it broke them up into smaller chunks and caused all sorts of commotion.
 
  


Reply

Tags
google+chrome, iptables, videocam


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Get Your Webcam To Work With Google Plus Hangouts Or GTalk LXer Syndicated Linux News 1 09-22-2011 05:38 PM
firewall different from iptables jancat Linux - Security 4 07-23-2008 03:26 AM
Iptables with iptables-firewall.conf arno's matt3333 Slackware 16 06-28-2007 07:20 AM
iptables firewall ninjaz Linux - Networking 2 10-20-2005 10:19 AM
IPTABLES firewall Vs rc firewall netguy2000 Linux - Security 7 02-28-2004 04:31 AM


All times are GMT -5. The time now is 02:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration