LinuxQuestions.org


aladdin 11-20-2003 12:51 PM

msn messaging over iptables nat
 
Hi, I'm trying to get msn instant messaging to work on my home lan, with no success. The setup is:

Gateway pc: dual-boot mandrake9.1/win2k with 2 nics, one connected to the internet with a static ip, the other connected to my own router. There are a number of other pcs connected to the router, sharing the gateway's internet connection. The gateway provides dhcp/nat from either mandrake or windows.

The problem is that msn instant messaging only works using the microsoft client on the gateway pc. It does not work using any linux client on the gateway pc or from any client (windows or linux) on an internal pc.

One major problem is that I can't access the usual msn messaging port (1863?), however the microsoft client seems to get around this, by doing everything over http.

Does anyone know how I can configure some linux client (preferably gaim) to access msn messaging only using http?? Or does anyone know how I can configure nat on the gateway pc, to allow windows clients on internal pcs to access msn?

Any help would be greatly appreciated, this is getting very frustrating.

Thanks in advance.

JordanH 11-20-2003 01:38 PM

I'm a little confused... is this how your system is set up?

[Internet] --- [Linux/Windows gateway/router] --- [ hardware router ] --- [Clients]

Is your hardware router a hub or a router?
How is your network configured? (In the above diagram, which interfaces have what IPs?)

To answer your question directly, aMSN says it will work via HTTP.
To answer your question indirectly, let's take a look at your network setup and have it run from there. You should be able to run MSN from any client internally.

Regards,
J.

fearofcarpet 11-20-2003 02:01 PM

You should read up on tunnels. I live behind many firewalls and have managed to tunnel just about every program through every kind of connection. SSH is the best in my opinion, but requires you to have SSH access to off-site boxes.

I'm confused about your setup too... Just a suggestion, with very little effort you can run your firewall, nat, gateway, DHCP, WINS, DNS, ntp etc. off of one tiny linux box (I use a PIII 850 w/128 MB RAM and that is overkill). If you have an old box sitting around (486 will work) you can throw smoothwall on it, or a minimal Debian install (damnsmall linux is an easy one to install) and run all those services with ease. I think this would solve a lot of your problems. With a couple of simple shell scripts you can switch your connections/ports/forwards, whatever all over the place on-the-fly.

aladdin 11-20-2003 03:57 PM

Thanks for the replies,

To clarify my setup:

[internet]------[isp firewall]------[eth0<my.static.ip.addr> (win/linux 755MHz pIII) eth1<192.168.1.1>]------[hardware router<192.168.1.2>]------[clients 192.168.1.x]

Basically just like you said JordanH (I'm not sure if I've made it any clearer). The hardware router is a linksys WRT55AG wireless access point/router. Also, the static ip address is fixed to my eth0 MAC address so I can't easily reconfigure things.

I'll try amsn and hopefully will be able to get messaging going on the gateway in linux (then I can remove windows completely :D ). It would be great if I could also get it working on the internal machines though.

I'm thinking the problem is the iptables setup on the gateway, but even with all of the filter chains set to ACCEPT it still doesn't work. Should I be doing something special to the nat table? Or might there be some sort of firewall on the router?? I'll try testing it without the router and just a single client.

Thanks for the advice fearofcarpet, I use ssh tunnelling (with pppd and slirp) to access irc, but I don't have an account anywhere with access to the msn port. If you could suggest somewhere that I could get a reliable shell account I'd really appreciate it.

Al.

JordanH 11-20-2003 06:27 PM

Well, your linksys should be working just like a switch since it's not really routing anywhere (all your machines are on the 192.168.1.0/24 network)... so you could be right that there is something with your firewall setup. (BTW, it'll be less confusing for us if you call it a hub/switch instead of a router...)

Try this script. It opens EVERYTHING so it's no firewall, but it might be helpful in tracking the problem or at least eliminating Linux from the equation. (I hope I didn't miss anything)

#!/bin/bash
# Enable routing between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
ext=eth0              # external (static IP) interface
ipt=/sbin/iptables    # path to the iptables binary
# Set policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
# Masquerade everything leaving through the external interface
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE

fearofcarpet 11-20-2003 06:34 PM

I actually use Anonymizer's services to tunnel the Windows MSN client (and aMSN) through HTTP. Trillian will (theoretically) use HTTP proxies (and it works well with Wine), but I have yet to see that work correctly...

I'm curious, when you say you can't access the usual MSN ports, do you mean your ISP is blocking them? The latest MSN messenger dynamically assigns ports over a huge range and the trick to getting it to work is using --dnat 192.168.1.xxx to get those ports over to the internal machine.
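A stateful version of the kind of gateway script posted above, combined with the --dnat port-forwarding idea from this reply. This is an added example, not code posted in the thread; it assumes the poster's eth0/eth1 layout and the 192.168.1.0/24 LAN, and the internal host and port used for the forward are placeholders.

```shell
#!/bin/sh
# Stateful NAT gateway (added example, not from the thread). Interface names
# and LAN range follow the poster's diagram; FWD_HOST/FWD_PORT are placeholders.
EXT=eth0                 # interface holding the static public IP
INT=eth1                 # interface facing the Linksys / LAN
LAN=192.168.1.0/24
FWD_HOST=192.168.1.10    # assumed internal host to forward one port to
FWD_PORT=1863            # assumed port (the one the poster could not reach)

# With DRY_RUN set the rules are printed, not applied, so the rule set can
# be reviewed (or tested) on a machine without iptables or root.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    [ -n "$DRY_RUN" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # Clean slate in all three tables, as in the open script above.
    for table in filter nat mangle; do
        ipt -t "$table" -F; ipt -t "$table" -X; ipt -t "$table" -Z
    done
    # Default deny for traffic routed through the box; the gateway's own
    # INPUT/OUTPUT chains are left open here to keep the example focused.
    ipt -P FORWARD DROP
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    # Replies to connections the LAN opened are always allowed back.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The LAN may open new outbound connections; nothing else is forwarded.
    ipt -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -m state --state NEW -j ACCEPT
    # Hide the LAN behind the public address.
    ipt -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
    # Inbound port forward (the --dnat idea): rewrite the destination in
    # PREROUTING, then explicitly allow exactly that flow through FORWARD.
    ipt -t nat -A PREROUTING -i "$EXT" -p tcp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_HOST:$FWD_PORT"
    ipt -A FORWARD -i "$EXT" -o "$INT" -p tcp -d "$FWD_HOST" \
        --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
}

# Run as "./nat.sh apply" (as root) to program the kernel; any other
# invocation just prints the rules for review.
case "${1:-}" in
    apply) apply_rules ;;
    *)     DRY_RUN=1; apply_rules ;;
esac
```

Without the DNAT pair, only LAN-initiated flows and their replies cross the box, which is the usual starting point before opening individual inbound ports.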

JordanH 11-20-2003 06:58 PM

Something that we may have not considered... what linux MSN client are you using? If it is aMSN, you need v0_83 or it won't work no matter WHAT your setup.

aladdin 11-21-2003 08:17 AM

Hi,

I got the latest version of amsn (0.83) and it's working pretty well for internal machines as well as the gateway. I still can't get the microsoft client to work on internal machines but that doesn't bother me too much.

As regards the blocked ports, I'm behind a fairly restrictive firewall so I can't use many ports apart from 'standard ones' (21, 22, 23, 80...). I can't even access socks proxies, so really the only option is http tunnelling for a lot of apps. I'll soon be getting a better isp (hopefully).

Thanks for all your help guys, I'm sure I'll be back with more questions...

Al.

JordanH 11-21-2003 09:09 AM

If it's your firewall, we can help you build a secure firewall that WILL let you safely do stuff like MSN.

aladdin 11-24-2003 06:01 AM

Thanks for the offer, I don't think it is the firewall because amsn works, it's only the windows client that won't work. At least it's a good reason to get everyone here to start using linux ;)

Al.

JordanH 11-24-2003 10:32 PM

No problem...

I hate to admit it but I'm on my Windows MSN client at the moment. :o They really do work from behind closed doors - or walls as the case may be.

Good luck with the conversion! :D
