Squid config for voice chat

gubak · 12-08-2004, 06:11 AM

I use RedHat9, squid.
I want to use voice chat, but it seems unable because the squid.
How can I configure squid to be able to use voice chat?
Thank you!

win32sux · 12-14-2004, 12:56 AM

you mean like with MSN and stuff?? your regular iptables (netfilter) should take care of the voice and video on MSN, without having to touch squid...

gubak · 12-14-2004, 06:58 AM

You mean I have to change iptable on linux machine?

win32sux · 12-14-2004, 05:56 PM

Quote:

Originally posted by gubak
You mean I have to change iptable on linux machine?

yeah, if you're not getting audio/video on the lan, then you need to make sure iptables is properly set-up on the linux gateway...

gubak · 12-15-2004, 02:59 AM

Here is my iptables config file. Can you tell me how to change it to allow voice chat (msn messanger)?

Thank you!

-----------------------------------------------------------------------------------

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

win32sux · 12-15-2004, 11:18 PM

your current script seems to have policies of ACCEPT on all the chains, i'm not sure why you're doing that...

anyways, you don't really need anything special in your iptables to have msn voice working... a simple script like this example should work fine:

Code:

#!/bin/sh

IPT="/sbin/iptables"
EXT="eth0"
INT="eth1"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This rule allows the LAN side to connect to a Squid daemon on the gateway:
$IPT -A INPUT -p TCP -i $INT --dport 3128 --m state --state NEW -j ACCEPT

$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT -o $EXT -m state --state NEW -j ACCEPT

$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

$IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE

gubak · 12-16-2004, 01:14 AM

I've tried it but I'm not sure I've all did correctly.
I have simply changed my iptables text file (/etc/sysconfig/iptables) to yours. I have put the ip address of one of my network machine to this file and finally I have restarted the iptables (service iptables restart), but I have got error message like this:

Flushing all current rules and user defined chains: [OK]
Clearing all current rules and user defined chains: [OK]
Applying iptables firewall rules: Bad argument 'PT="/usr/sbin/iptables'
[FAILED]

I have no file which name is iptables in the /usr/sbin/

Can you help me?

win32sux · 12-16-2004, 01:42 AM

i don't think you should try to add it to your startup files until you are sure it works...

it's best if you just save the script to a text file, make it executable, and then run it to see how things go first...

oh, and yes: you need to adjust the script to reflect your iptables locaton... i think on red hat systems it's /sbin/iptables but you can make sure by doing a:

Code:

whereis iptables

you also need to make sure eth0 is your external interface, and if it's not, then adjust the EXT and INT variables in the script...

PS: i've just updated the script, i had missed some stuff...

gubak · 12-16-2004, 03:22 AM

I have made the changes you told me. Now I have to double click on the script, haven't I?

gubak · 12-16-2004, 05:08 AM

I have run the script but the problem is still exist.
What to do now?

win32sux · 12-16-2004, 06:38 AM

to execute the script just go to a console or a terminal window, cd to the directory the script is in, become root and do a:

Code:

./whatever-script.sh

the script in this example is named "whatever-script.sh" but it can be called whatever you saved it as...

the "./" executes the script... you could also execute it like so:

Code:

sh whatever-script.sh

you need to be root to run a firewall script...

also, it would help me help you if you would give me a bigger picture about your setup... you have a windows network with a linux gateway, right?? what configuration have you given the machines on the lan?? does the other stuff work (ping, web browsing, email, etc...) fine on the lan?? what kinda connection is it (cable modem, dsl, etc.)?? is squid working fine for web browsing?? are you using squid in transparent mode, or do you specify the proxy address on the client machines?? any other info you can post would be helpful...

i'm quite concerned about the double-clicking thing, though... cuz either you:

A - are doing it as a normal user, in which case it would have NO EFFECT or...

B - you are doing it as root, in which case you are possibly logged-into X as root which is a VERY BAD idea...

i hope it's A...

=)

gubak · 12-17-2004, 02:30 AM

I have run the script with the command sh scriptname.sh, but after that my server became invisible for the rest of the network computer. I had to restart server. Now everything works like before, but the voice chat is still doesn't work.

This is my system:

As you said, I have a windows (win98 and winxp) network with a linux gateway. In the lan the windows machines have a simple windows installation, workgroup network, static internal ip, UTP cable for the internat network. I have wireless internet, public ip address . Ping work only in internal networ (I can't ping any host in the internet), because there is a router between me and my provider and the ping function is disabled. There is a mail server, a web server, an ftp server, proxy (squid). Everything works fine. There is no firewall. I specify the proxy address on the client machines (the proxy doesn't work in transparent mode).

I have tryed to connect internet directly on one of the windows machines (Draw the internet cable out of the linux eth0 and put it in the windows machine), in that case the voice chat has worked fine.

win32sux · 12-17-2004, 10:10 AM

is your squid listening on port 3128??

if it's not then you have to edit the script...

make sure that the machines on the lan have the ip address of your linux box's eth1 set as their gateway (for the NAT)... also make sure the DNS server addresses on the lan machine are correct...

you should probably focus on getting the NAT working properly and then setting-up squid should be a snap...

i can't figure-out why the firewall script above isn't working, maybe there's a bug in it, i'll look at it again... meanwhile, take a look at your logfile when you attempt to access the internet from the lan while the script is active... the script is set to log all dropped input and forward packets so you'll be able to see if something is getting dropped that shouldn't...

a test:

after running the script, attempt to connect from a machine on the lan to a web server on the linux box by putting the ip address of the internal interface (eth1) in the browser... remember to remove the proxy server from the browser's configuration as you wanna go direct... then you should see the port 80/tcp packets getting dropped in the linux box's log file right-away... if you see those, then you know the input chain is okay...

to monitor the syslog in "real-time" use something like:

Code:

tail -f /var/log/syslog