[arch-general] Google Voice through iptables?

Leonid Isaev lisaev at umail.iu.edu
Wed Apr 25 13:35:46 EDT 2012


On Thu, 26 Apr 2012 00:49:50 +0800
Bill Sun <cap.sensitive at gmail.com> wrote:

> Hi,
> 
> I just tried to use google voice to contact someone, after 2 'dialing
> sounds', I couldn't hear anything. After I stopped iptables, I can make
> phone calls via google voice successfully.
> 
> I searched the web, and found 2 possible solutions: [1] and [2]. Then I
> added iptables rules according to their instructions, but none of them
> worked.
> 
> Also, I noticed that my browser just kept trying to receive/send data to
> relay.google.com (Waiting for relay.google.com)
> 
> How to configure iptables so I can use google voice with iptables
> enabled?
> 
> [1]: http://support.google.com/talk/bin/answer.py?hl=en&answer=27930
> [2]: http://juberti.blogspot.com/2010/08/google-voice-and-video-enterprise.html
> 
> (see attachment for my iptables.rules)
> 
> Regards,
> Bill

Assuming you are running a desktop machine, why would you want to DROP by
default all outgoing traffic? AFAICT google voice app makes your browser
establish some UDP connections + https. So here are a few observations regarding
your ruleset:
1. Default policy for OUTPUT should be ACCEPT and all following OUTPUT
rules should be removed. Also, default DROP policy for INPUT is just impolite
-- use REJECT instead.
2. Unless you have a good understanding of ICMP (which is way more than ping),
all icmp should be allowed (please don't tell me about pings of death or DoS
because of ping floods).
3. You really have to start differentiating between NEW and other connections.

Here is a simple ruleset for a desktop with only printer sharing:

# Generated by iptables-save v1.4.8 on Fri Aug 27 18:18:35 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]

# LOGGING: rate-limited log entry, then a TCP reset; non-TCP packets return to INPUT
-A LOGGING -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "firewall: " --log-level 6 --log-ip-options --log-uid
-A LOGGING -p tcp -m tcp -j REJECT --reject-with tcp-reset

# loopback and all of ICMP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT

# private and loopback source addresses arriving on eth0 are logged and rejected
-A INPUT -s 172.16.0.0/12 -i eth0 -j LOGGING
-A INPUT -s 192.168.0.0/16 -i eth0 -j LOGGING
-A INPUT -s 127.0.0.0/8 -i eth0 -j LOGGING
# IP fragments
-A INPUT -f -j DROP
# printer sharing (CUPS browsing)
-A INPUT -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT

# bogus TCP flag combinations
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j LOGGING
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# a NEW TCP connection must start with a bare SYN
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOGGING

# replies to connections we opened ourselves
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything else: log + reset TCP, reject the rest with ICMP errors
-A INPUT -p tcp -j LOGGING
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Fri Aug 27 18:18:35 2010

-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
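As an added check (not part of the original thread), here is a small Python lint that parses an iptables-save dump and flags the three points the reply raises: a non-ACCEPT OUTPUT policy with per-port OUTPUT rules, no ACCEPT for ICMP, and no stateful RELATED,ESTABLISHED rule, plus a silent DROP fallthrough on INPUT. Both sample rulesets are constructed for the example: BAD_DUMP mimics a desktop that drops outbound traffic by default, GOOD_DUMP is a condensed form of the ruleset posted above.

```python
import re
from typing import Dict, List, Tuple

# ":CHAIN POLICY [packets:bytes]" lines that open each table in an iptables-save dump
POLICY_RE = re.compile(r'^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s+\[\d+:\d+\]$')


def parse_filter_table(dump: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (chain policies, '-A' rule lines) from the *filter table.
    Comments, blank lines, COMMIT and other tables are skipped."""
    policies: Dict[str, str] = {}
    rules: List[str] = []
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            in_filter = line == '*filter'
            continue
        if not in_filter or line == 'COMMIT':
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith('-A '):
            rules.append(line)
    return policies, rules


def _chain_rules(rules: List[str], chain: str) -> List[str]:
    return [r for r in rules if r.split()[1] == chain]


def _contains(tokens: List[str], frag: List[str]) -> bool:
    """True if frag occurs as a contiguous token run inside tokens."""
    n = len(frag)
    return any(tokens[i:i + n] == frag for i in range(len(tokens) - n + 1))


def _has_rule(rules: List[str], chain: str, *fragments: str) -> bool:
    """True if some rule appended to chain contains every fragment (token-wise,
    so '-p icmp' does not match '-p icmpv6')."""
    return any(all(_contains(r.split(), f.split()) for f in fragments)
               for r in _chain_rules(rules, chain))


def lint(dump: str) -> List[str]:
    """Report deviations from the three observations made in the reply."""
    policies, rules = parse_filter_table(dump)
    findings: List[str] = []

    # 1. Outbound: default ACCEPT and no per-port OUTPUT rules on a desktop.
    if policies.get('OUTPUT') != 'ACCEPT':
        findings.append(f"OUTPUT policy is {policies.get('OUTPUT')}, not ACCEPT")
    n_out = len(_chain_rules(rules, 'OUTPUT'))
    if n_out:
        findings.append(f"{n_out} OUTPUT rule(s) present; a desktop needs none")
    # A default DROP on INPUT is only acceptable if an explicit REJECT ends the chain.
    last_input = _chain_rules(rules, 'INPUT')[-1:]
    if policies.get('INPUT') == 'DROP' and not (last_input and '-j REJECT' in last_input[0]):
        findings.append("INPUT falls through to a silent DROP; end the chain with REJECT")

    # 2. ICMP is more than ping: accept it.
    if not _has_rule(rules, 'INPUT', '-p icmp', '-j ACCEPT'):
        findings.append("no rule accepting ICMP on INPUT")

    # 3. Tell NEW apart from RELATED,ESTABLISHED (state or conntrack match).
    if not _has_rule(rules, 'INPUT', 'RELATED,ESTABLISHED', '-j ACCEPT'):
        findings.append("no stateful ACCEPT for RELATED,ESTABLISHED on INPUT")
    if not _has_rule(rules, 'INPUT', '-i lo', '-j ACCEPT'):
        findings.append("loopback interface not accepted on INPUT")
    return findings


# Constructed: outbound traffic dropped by default, no ICMP, no state tracking.
BAD_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

# Constructed: a condensed form of the desktop ruleset in the reply.
GOOD_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "firewall: "
-A LOGGING -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j LOGGING
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("BAD_DUMP", BAD_DUMP), ("GOOD_DUMP", GOOD_DUMP)):
        print(name, "->", lint(dump) or "no findings")
```

Run it against your own `/etc/iptables/iptables.rules` by reading the file into `lint()`; the token-wise matching keeps `-p icmp` from matching an ip6tables `-p icmpv6` rule, and the RELATED,ESTABLISHED check accepts either `-m state` or `-m conntrack` syntax.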