LinuxSecurity.com
6.9. Mirabilis ICQ

ICQ, the instant messaging client now owned by AOL, has changed over the years. All modern ICQ clients are NAT friendly and thus DON'T require any special NAT modules, PORTFW tricks, etc.

IF, for some reason, you want to run an OLD ICQ client, you can read this section. If not, just IGNORE all this info. I am leaving this in the HOWTO to demonstrate a LARGE PORTFW example.

There are three methods of getting ICQ to work behind a Linux MASQ server: using the ICQ Masq module (for 2.2.x and 2.0.x kernels), using IPPORTFW for basic ICQ functionality, or setting up a SOCKS proxy server.

MODULE: The ICQ module was written for the older generation of ICQ clients for both the 2.2.x and 2.0.x kernels. This module allows for the simple setup of multiple ICQ users behind a MASQ server. It also doesn't require any special changes to the ICQ client(s). Recently, AOL changed the protocol and ports used for ICQ. Because of this, many users might find that the ip_masq_icq module will no longer help them. For users of the older ICQ clients, the 2.2.x version of the module supports file transfer and real-time chat. The 2.0.x kernel module doesn't support file transfers, and there is no module available for the 2.4.x kernels.

PORTFW: Your next option is to use port forwarding. With port forwarding, basic ICQ chat will work but file transfers might not be very reliable. Please see below for an example of how to configure ICQ PORTFW.

SOCKS: Finally, your last and possibly best option is to set up a SOCKS proxy server on your Linux machine. This service can happily co-exist with the MASQ service, and ICQ should be fully functional regardless of what Linux kernel version you are running. The use of a SOCKS server will require ALL ICQ clients to be reconfigured to use it, and the installation and configuration of a SOCKS server has nothing to do with IP Masquerade. Because of this, SOCKS is not covered in this HOWTO.

If you are interested in Andrew Deryabin's (djsf@usa.net) ICQ IP Masq module for the 2.2.x and 2.0.x kernels, please see Section 2.7 for details.

To use port forwarding (PORTFW) for ICQ, you will have to make some changes on both the Linux server and the ICQ clients, but all ICQ messaging, URLs, chat, and some file transfers should work.

  • First, you need to be running a Linux kernel with IPPORTFW enabled. Please see Section 6.7 for more details.

  • Next, you need to add the following lines to your /etc/rc.d/rc.firewall-* file. This example assumes that 10.1.2.3 is your external Internet IP address and your internal MASQed ICQ machine is 192.168.0.10:

  • The following example is for a 2.2.x kernel with IPCHAINS:

    I have included two examples here for the user; either one would work fine:

    Example #1

    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2000 -R 192.168.0.10 2000
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2001 -R 192.168.0.10 2001
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2002 -R 192.168.0.10 2002
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2003 -R 192.168.0.10 2003
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2004 -R 192.168.0.10 2004
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2005 -R 192.168.0.10 2005
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2006 -R 192.168.0.10 2006
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2007 -R 192.168.0.10 2007
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2008 -R 192.168.0.10 2008
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2009 -R 192.168.0.10 2009
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2010 -R 192.168.0.10 2010
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2011 -R 192.168.0.10 2011
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2012 -R 192.168.0.10 2012
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2013 -R 192.168.0.10 2013
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2014 -R 192.168.0.10 2014
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2015 -R 192.168.0.10 2015
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2016 -R 192.168.0.10 2016
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2017 -R 192.168.0.10 2017
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2018 -R 192.168.0.10 2018
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2019 -R 192.168.0.10 2019
    /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 2020 -R 192.168.0.10 2020
         
    Example #2
    port=2000
    while [ $port -le 2020 ]
      do
        /usr/local/sbin/ipmasqadm portfw -a -P tcp -L 10.1.2.3 $port -R 192.168.0.10 $port
        port=$((port+1))
    done
         

  • The following example is for a 2.0.x kernel with IPFWADM:

    I have included two examples here for the user; either one would work fine:

    Example #1

    /usr/local/sbin/ipportfw -A -t10.1.2.3/2000 -R 192.168.0.10/2000
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2001 -R 192.168.0.10/2001
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2002 -R 192.168.0.10/2002
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2003 -R 192.168.0.10/2003
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2004 -R 192.168.0.10/2004
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2005 -R 192.168.0.10/2005
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2006 -R 192.168.0.10/2006
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2007 -R 192.168.0.10/2007
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2008 -R 192.168.0.10/2008
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2009 -R 192.168.0.10/2009
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2010 -R 192.168.0.10/2010
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2011 -R 192.168.0.10/2011
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2012 -R 192.168.0.10/2012
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2013 -R 192.168.0.10/2013
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2014 -R 192.168.0.10/2014
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2015 -R 192.168.0.10/2015
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2016 -R 192.168.0.10/2016
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2017 -R 192.168.0.10/2017
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2018 -R 192.168.0.10/2018
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2019 -R 192.168.0.10/2019
    /usr/local/sbin/ipportfw -A -t10.1.2.3/2020 -R 192.168.0.10/2020
         

    Example #2

    port=2000
    while [ $port -le 2020 ]
      do
        /usr/local/sbin/ipportfw -A -t10.1.2.3/$port -R 192.168.0.10/$port
        port=$((port+1))
    done
         

  • Once your new rc.firewall-* is ready, reload the ruleset to make sure things are OK by simply typing in "/etc/rc.d/rc.firewall-*". If you get any errors, you either don't have IPPORTFW support in the kernel or you made a typo in the rc.firewall file.

  • Now, in ICQ's Preferences-->Connection, configure it to be "Behind a LAN" and "Behind a firewall or Proxy". Now, click on "Firewall Settings" and configure it to be "I don't use a SOCK5 proxy". Also note that it was previously recommended to change ICQ's "Firewall session timeouts" to "30" seconds BUT many users have found that ICQ becomes unreliable. It has been found that ICQ is more reliable with its stock timeout setting (don't enable that ICQ option) and simply change MASQ's timeout to 160 seconds. You can see how to change this timeout in Section 3.4.3 and Section 3.4.2 rulesets. Finally, click on Next and configure ICQ to "Use the following TCP listen ports.." from "2000" to "2020". Now click done.

    Now ICQ will tell you that you will have to restart ICQ for the changes to take effect. To be honest, I had to REBOOT the Windows9x machine in order for things to work right but some users might say otherwise. So.. try it both ways.

  • A user once told me that by simply portforwarding port 4000 to his ICQ machine, it worked perfectly. He reported that EVERYTHING worked fine (even chat, file transfers, etc) WITHOUT re-configuring ICQ from its default settings. Your mileage might vary on this topic but I thought you might like to hear about this alternative configuration.
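The two "Example #2" loops above apply rules directly as they are generated. As an added example that is not part of the HOWTO, the POSIX sh script below instead prints the rule lines for a port range in either syntax so they can be reviewed before being pasted into rc.firewall-*, and it refuses malformed or over-wide ranges (a typo such as 20200 for 2020 would otherwise open thousands of ports through the MASQ server). The tool paths, flags and the sample addresses 10.1.2.3 and 192.168.0.10 are taken from the HOWTO; the function names and the 64-port ceiling are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: print the PORTFW rule lines for a
# contiguous TCP port range in either of the two syntaxes the HOWTO shows,
# so they can be reviewed before being pasted into /etc/rc.d/rc.firewall-*.
# Nothing here runs ipmasqadm or ipportfw; the tool paths and flags are
# copied from the HOWTO's examples, while the function names and the range
# ceiling are this example's own assumptions.

# gen_portfw STYLE EXT_IP INT_IP FIRST_PORT LAST_PORT
#   STYLE is "ipchains" (2.2.x kernels, ipmasqadm) or "ipfwadm" (2.0.x, ipportfw).
# Prints one rule per port; prints nothing and returns 1 on bad input.
gen_portfw() {
    style=$1; ext=$2; int=$3; first=$4; last=$5

    # Only plain decimal port numbers are accepted.
    for p in "$first" "$last"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$first" -ge 1 ] && [ "$last" -le 65535 ] && [ "$first" -le "$last" ] || return 1

    # Each forwarded port is a hole through the MASQ server, so refuse a range
    # much wider than the 21 ports (2000-2020) ICQ needs. The ceiling of 64 is
    # an assumption of this example, not a kernel limit.
    [ $((last - first + 1)) -le 64 ] || return 1

    case "$style" in ipchains|ipfwadm) ;; *) return 1 ;; esac

    port=$first
    while [ "$port" -le "$last" ]; do
        if [ "$style" = ipchains ]; then
            echo "/usr/local/sbin/ipmasqadm portfw -a -P tcp -L $ext $port -R $int $port"
        else
            echo "/usr/local/sbin/ipportfw -A -t$ext/$port -R $int/$port"
        fi
        port=$((port + 1))
    done
}

# count_rules STYLE EXT_IP INT_IP FIRST_PORT LAST_PORT: number of rule lines produced
count_rules() {
    gen_portfw "$@" | wc -l | tr -d ' '
}

# Usage with the HOWTO's sample addresses (prints 21 ipchains-style lines):
gen_portfw ipchains 10.1.2.3 192.168.0.10 2000 2020
```

Redirect the output into the rc.firewall-* file only after reading it; keeping the generated range as narrow as the client actually needs is the one place in this setup where you control how much of the internal machine is reachable from the Internet.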

(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.