/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
That's a good summary of the ways ICQ can be made to work with
IPMASQ/IPCHAINS. I'm still having some problems though. I've avoided
asking the list directly because it's been so much fun learning how
this stuff works. I'm beginning to get a grasp on it all. Anyway,
my ICQ problem:
My syslog is showing this error:
IP_MASQ:reverse ICMP: failed checksum from 198.59.x.x!
I can make this happen at will simply by trying to chat with my wife
using ICQ. The strange part is the 198 IP is from another customer
of my ISP?! I have a frac T1 with several assigned IPs to play with.
The only thing I have in common with the 198 machine is that we're
both using the same ISP. I've sent an inquiring email to the
sysadmin at 198 but never received a reply. My ISP also has no
suggestions. They checked routing and everything is a-ok with them.
I'm not leaking private routes through to them at all.
Web browsing works fine through the MASQ box.
In addition to the error in my syslog, she and I also have a very
difficult time with simple chatting and can't transfer files between
us at all.
I've tried chatting and transferring files with a different ICQ user
who is not behind any kind of firewall and had these results:
Chatting works just spiffy, no problems at all. File transfers from
her to me don't work at all. She gets an error saying I declined the
request even though I never received the request. File transfers
from me to her also don't work and give me this ICQ error: "ICQ can't
allocate an available TCP listen port for incoming connections."
After playing with this for almost two months, I'm stumped. I know
ICQ has trouble with firewalls and has even more trouble when both
sides are firewalled, but the failed checksum error from the 198
address is especially puzzling.
Here are the configurations:
My end of the chat link is:
MASQ box using RH6.0, kernel 2.2.12, outside IP is fixed at
204.134.x.x, inside IP is 172.16.2.28 and goes only to a test Win95
machine with the ICQ client. The simplest ruleset I've used that
will still generate the error is (modified TrinityOS weak-2.2):
------------------------------------------------------------
EXTIP="204.134.x.x"
ICQUSER1IP="172.16.2.29"
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Flushing all old rules"
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
echo "Setting all default policies to ACCEPT"
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward REJECT
echo "Enabling forwarding."
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s 172.16.0.0/12 -d 0.0.0.0/0
echo "Changing IP masquerading timeouts."
/sbin/ipchains -M -S 7200 600 600
echo " - Opening udp port 4000 for ICQ."
/usr/sbin/ipmasqadm portfw -a -P udp -L $EXTIP 4000 \
    -R $ICQUSER1IP 4000
echo " - Opening 20 tcp ports for direct ICQ connections."
# Forward TCP 2000-2019 inclusive (the client is configured for 2000-2019),
# so the loop must run while PORT <= 2019, not < 2019.
PORT=2000
while [ $PORT -le 2019 ]
do
    /usr/sbin/ipmasqadm portfw -a -P tcp -L $EXTIP $PORT \
        -R $ICQUSER1IP $PORT
    PORT=`expr $PORT + 1`
done
---------------------------------------------------------------
My ICQ client is configured to use ports 2000-2019.
The wife's end consists of:
ComSocks (socks5 server) running on Win95 with a 205.214.x.x dynamic
IP on a regular dialup. Internal IP is 192.168.1.2. Her machine is
Win 98 on 192.168.1.3 running the ICQ client configured for a socks5
firewall.
Ken
On 14 Nov 99, at 1:51, Fuzzy Fox wrote:
> I have invested a lot of useless time and energy into getting ICQ to
> work behind masq. There are several ways to do it, and they all have
> disadvantages.
> ...
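The portfw loop in the ruleset above is the kind of place where an inclusive port range and an exclusive loop bound silently disagree: the client is configured for 2000-2019, and a loop with `-lt 2019` forwards only 2000-2018, so one of the listen ports the client may pick has no rule behind it. The following is an added example, not code from the original post or from the ipmasqadm tool; it generates the same `ipmasqadm portfw` command lines in Python and then checks the generated (or loaded) rules against the client's configured range so the gap shows up before anyone spends two months on it. The addresses are constructed placeholders.

```python
"""Generate ipmasqadm portfw rules for an ICQ client behind a 2.2 masq box
and verify that the forwarded TCP range covers the client's listen ports.
Added example; not part of the original post. IPs are placeholders."""

EXTIP = "204.134.0.1"          # placeholder for the masq box's outside address
ICQ_CLIENT_IP = "172.16.2.29"  # placeholder for the inside ICQ host


def portfw_rule(proto, ext_ip, ext_port, int_ip, int_port):
    """One ipmasqadm portfw command line, same shape as in the ruleset."""
    return (f"/usr/sbin/ipmasqadm portfw -a -P {proto} "
            f"-L {ext_ip} {ext_port} -R {int_ip} {int_port}")


def icq_rules(ext_ip, client_ip, first_port, last_port):
    """UDP 4000 for the ICQ server session plus an INCLUSIVE TCP range
    for direct client-to-client connections (chat, file transfer)."""
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("bad port range")
    rules = [portfw_rule("udp", ext_ip, 4000, client_ip, 4000)]
    rules += [portfw_rule("tcp", ext_ip, p, client_ip, p)
              for p in range(first_port, last_port + 1)]
    return rules


def forwarded_ports(rules, proto="tcp"):
    """Parse the external port out of the '-L <ip> <port>' part of each rule."""
    ports = set()
    for rule in rules:
        tok = rule.split()
        if "-P" in tok and "-L" in tok and tok[tok.index("-P") + 1] == proto:
            ports.add(int(tok[tok.index("-L") + 2]))
    return ports


def uncovered_ports(client_first, client_last, rules):
    """Ports the ICQ client may listen on that no TCP portfw rule reaches."""
    wanted = set(range(client_first, client_last + 1))
    return sorted(wanted - forwarded_ports(rules, "tcp"))


if __name__ == "__main__":
    # Model the posted loop, which stops at PORT < 2019 (forwards 2000-2018).
    posted = icq_rules(EXTIP, ICQ_CLIENT_IP, 2000, 2018)
    print("client range 2000-2019, missing:", uncovered_ports(2000, 2019, posted))
    # The corrected ruleset forwards the full inclusive range.
    fixed = icq_rules(EXTIP, ICQ_CLIENT_IP, 2000, 2019)
    print("after fix, missing:", uncovered_ports(2000, 2019, fixed))
    for line in fixed:
        print(line)
```

`forwarded_ports` only understands the command form produced here, so if you feed it the output of `ipmasqadm portfw -l` instead, adapt the parser to that listing format first.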
_______________________________________________
Masq maillist - [EMAIL PROTECTED]