[ Table Of Contents ][ Answer Guy Current Index ] greetings   bios   1   2   3   4   5   6   7   8   9   10   11   12 [ Index of Past Answers ]

(?) The Answer Gang (!)


By Jim Dennis, Ben Okopnik, Dan Wilder, Breen, Chris, and the Gang, the Editors of Linux Gazette... and You!
Send questions (or interesting answers) to tag@ssc.com

There is no guarantee that your questions here will ever be answered. Readers at confidential sites must provide permission to publish. However, you can be published anonymously - just let us know!


(?) File Tranfers with AIM (AOL Instant Messenger)

From Steve Paugh

Answered By Jim Dennis

I have a working LRP (linux router project www.linuxrouter.org) box and I would like to make file transfers with AOl Instant Messanger possible from behind this box to the outside world for my Windows clients. I am not sure excately how to do this

I've seen something like the below in a different setup that hadn't been tested.

My understanding is that the 0.0.0.0/0 is for dhcp. but i am not sure about the $AIM_HOST

Does anyone have any idea on a rule that would allow what I need? I am kinda new to firewalling and would appreicate any help you can give me.

$IPCHAINS -A input -s 0.0.0.0/0 -d $IP_EXT/32 5190 -p tcp -j ACCEPT
if [ "$AIM_HOST" != "firewall" ]; then
$IPMASQADM portfw -a -P tcp -L $IP_EXT 5190 -R $AIM_HOST 5190
fi

Much thanks,
Steve Paugh

(!) [JimD] First, I know NOTHING about AIM. I figured out that it is AOL's interactive chat system over the Internet; but I don't use it or anything like it (though it, ICQ and so many other "instant messaging" systems are available). I prefer e-mail and I already spend WAY too much time interacting with people via that channel.
The only "instant messaging" I do for now is "voice over POTS line" (or via cell phone). I don't even know how to send SMS messages to my phone. (It seems to be a fully WAP capable toy --- but that's another gadget that I haven't invested the time to learn).
O.K. Now that I've set your expectations properly, you are getting this response from a backwoods, curmudgeonly geezer, I'll answer your question.
In the context of this script fragment 0.0.0.0/0 is an argument to a command. Specifically the script is calling on some command whose name we can't see because it is stored in a variable named IPCHAINS. The shell (the script interpreter) "dereferences" $IPCHAINS as the script is run. The $ is a "dereferencing operator" -- it means: replace this variable with the variable's current value. All of the $XXXX thingies in this fragment are shell variables.
As you can see shell programmers usually capitalize the names of their variables, so they standout and are easier to spot. This is merely a convention. In this case the $IPCHAINS and $IPMASQADM variables clearly supposed to be holding the full path to the ipchains and ipmasqadm utilities. In some other part of this script (not shown) or in some parent process that invoked this script, there would be some assigment to these variables that provided the values for a given system. This allows the programmer to localize the system specific code to some point near the top of the script so that they can make any necessary changes in a single place rather than having to hunt throughout the whole script.
As an argument to the ipchains command, the -s refers to a purported source address pattern. In that case 0.0.0.0/0 refers to any IP address. The -d refers to a destination address pattern, $IP_EXT is a variable (which presumably would be set to the IP address of our router's external interface, as the name clearly implies). The /32 indicates that this is a full 32-bit IP address, that it is NOT a subnet designator; successively smaller values would indicate progressively larger networks and subnets based at certain special addresses (space doesn't permit a full descripting of subnetting and routing; but search the LG archives for a 20 page treatise on that topic). The 5190 is a port number; and the -p refers to the protocol, which in this case, is TCP (as opposed to UDP, ICMP, etc). So this ipchains rule applies to packets which purport to be from anywhere, and are destined for TCP port 5190 on the local systems external interface.
The -j in ipchains is a bit confusing. In the man pages and docs it refers to "jump" (while processing the sets of rules, if any packet matches all of these conditions, "jump" to another set of rules to process that set of rules). However, in this case we aren't "jumping" to a different chain of rules; we're "just" accepting the packet into the system. When I teach people about the IP Chains package I teach this concept. -j either means "just" and in "just ACCEPT, DENY, REJECT, REDIRECT, MASQ, or RETURN" the packet or it means "jump" to a user defined (and named) chain of rules.
In our example the -A means to "add" a rule, and the "input" argument is naming the chain of rules to which the rule will be added. The input chain is one of the pre-defined sets of rules that the Linux 2.2.x kernel always has present (if it has the ipchains support compiled it at all).
Oh yeah! I didn't put any of this into context yet. The Linux kernel has optional builtin support for packet filtering and masquerading. This has undergone numerous changes over the years, starting with the ipfw code in 1.3.x, the ipfwadm code in 2.0.x, and through the ipchains code in 2.2.x and the new net filter code (usingn iptables) in 2.4
In all of these cases the kernel has a table of rules against which it checks every packet that it receives, and/or every one which it attempts to send, and/or any packet it intends to forward. (I kept saying "and/or" because the exact rules of which rules sets are traversed differ from one major kernel release to another --- so one packet that may have to traverse the incoming, forwarding, and outgoing rulesets in one release and might only need to traverse one of them in newer kernels; read the appropriate HOWTOs and look at the ASCII art diagrams for further enlightenment on this issue if you need it).
There are various commands: ipfwadm, ipchains, iptables which match the major kernel releases and allow the administrator to insert or add rules to these kernel tables, to delete or flush the rulesets, to query the system and determine how many packets matched a given rule, etc.
It's handy to understand this bit of background. The ipchains command here is adding a rule to the kernel's input chain.
The next command line is a conditional; basically it's saying that "if the AIM_HOST is not the firewall" then (it must be some other system behind the firewall) so we should use the ipmasqadm command to set up a port fowarding rule. We will "add" a rule for TCP that will take any packets to our "local" port 5190 on our external interface, and we'll forward it to port 5190 on a remote host, whose name or address is stored in $AIM_HOST.
Personally I think this is sloppy coding. What if I wanted to name my internal AIM_HOST "firewall?" Using a plain word like "firewall" as a sentinel value is kind of bogus. Using localhost (the canonical name for the local system) would be quite reasonable. However, it's a nitpick.
The last line is simply the Bourne shell way of marking the end of an "if ... then ... else" block. It's the word "if" spelled backwards. If we were looking at the more complex conditional structure called a "case" then we'd find the end of that block by looking for the "esac" token. Once upon a time I read about some other programming language which was Stephen Bourne's inspiration for using this quirky syntax. Thankfully he only did this with conditionals, and we don't have to end our "while" loops with "elihw" and our "for" loops with "rof" --- even better we don't have to try ending our "do" loops with an octal dump.
[Sorry! Inside joke there. The UNIX od command is an "octal dump" utility, so "do" backwards would create an inconvenient token collision].
Actually the while, until, and for loops (and the odd select prompting construct) all use the "do" and "done" tokens to delimit them.
So, back to your original question: It would appear that you can get AOL Instant Messenger to work through your firewall simply by relaying traffic for TCP port 5190 to the appropriate system. This fragment of shell code gives a rough example of how to do that on a Linux 2.2.x system (or later, but using the ipchains support module). However, you'll have to fill in the variables as appropriate to your system. You can just replace all the $VARIABLE_NAME thingies in this example with the literal text that points to your copy of ipchains, your copy of the ipmasqadm command, your external IP address, and (possibly) the IP address of the internal system where you'd be running your IM client.


This page edited and maintained by the Editors of Linux Gazette Copyright © 2001
Published in issue 68 of Linux Gazette July 2001
HTML script maintained by Heather Stern of Starshine Technical Services, http://www.starshine.org/



[ Table Of Contents ][ Answer Guy Current Index ] greetings   bios   1   2   3   4   5   6   7   8   9   10   11   12 [ Index of Past Answers ]