Setting Up The Proxy

Basic Requirements

The proxy is designed to transparently proxy and massage AIM and MSN messages. To do this, and still be able to learn the original destination of each connection, I use a Linux 2.4.x kernel on the firewall, built with iptables.

Linux 2.4.x with ipchains does not work, as the original destination is not available. Rumour has it that Linux 2.2.x with ipchains provides a mechanism to retrieve the original destination, but I haven't checked into this yet.

I have put together a basic script to set up the firewalling, with a fair amount of hand-holding checks along the way. It's available in CVS, and will be included in the fifth release.

Local LAN (eth0) Interface

The proxy expects to receive redirected AIM and MSN messages on ports 5190 and 1863 respectively.

If you have restricted which ports the firewall itself accepts connections on, you also need to allow the redirected connections to be received.

That's it for the inside, other than your usual rules for allowing other outbound connections.

External Network (ppp0) Interface

The proxy will massage the redirected AIM and MSN messages, and AIM Share, so that direct connections appear to come from the external IP address, on the port range 40000-40099. However, this is not enough: the AIM software does not honour the overrides ReAim uses, so we also listen on ports 4443 and 5566. For good measure, we listen on the MSN port too.

So, the very basic setup, in addition to your current ruleset, is to permit incoming connections to these ports.
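The following script is an added example, not ReAim's own CVS script, that generates the iptables rules described in the two sections above (LAN-side redirection to reaim on 5190 and 1863, and WAN-side acceptance of 40000-40099, 4443, 5566 and 1863). The interface names, the use of the nat PREROUTING chain with the REDIRECT target, and the plain INPUT chain are assumptions about a typical 2.4.x firewall; the port numbers are the ones the page gives.

```shell
#!/bin/sh
# Added example (not ReAim's own script): emit the iptables rules the page
# describes for a Linux 2.4 firewall running reaim.  Interface names and the
# chain layout are assumptions; adjust them to your own ruleset.
#
# Usage:  sh reaim-fw.sh          # print the rules for review
#         sh reaim-fw.sh apply    # run them (as root)

LAN_IF="${LAN_IF:-eth0}"          # inside interface (page uses eth0)
WAN_IF="${WAN_IF:-ppp0}"          # outside interface (page uses ppp0)
AIM_PORT=5190                     # reaim listens here for redirected AIM
MSN_PORT=1863                     # reaim listens here for redirected MSN
DIRECT_RANGE="40000:40099"        # rewritten direct-connect range on the WAN side
AIM_EXTRA_PORTS="4443 5566"       # AIM ignores the rewrite, so open these as well

# Emit one iptables command per line; nothing is executed by this function.
reaim_rules() {
  # Inside (LAN): transparently redirect client connections to reaim.
  # REDIRECT in the nat PREROUTING chain keeps the original destination
  # retrievable by the proxy, which is why 2.4 + iptables works where
  # ipchains does not.  Locally generated traffic (reaim's own outbound
  # connections) never traverses PREROUTING, so it is not looped back.
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 5190 -j REDIRECT --to-ports $AIM_PORT"
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 1863 -j REDIRECT --to-ports $MSN_PORT"
  # If INPUT is restricted, the redirected connections must still be accepted.
  echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $AIM_PORT -j ACCEPT"
  echo "iptables -A INPUT -i $LAN_IF -p tcp --dport $MSN_PORT -j ACCEPT"

  # Outside (WAN): accept the inbound direct-connect and file-transfer ports.
  echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $DIRECT_RANGE -j ACCEPT"
  for p in $AIM_EXTRA_PORTS $MSN_PORT; do
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $p -j ACCEPT"
  done
}

# Number of rules generated, so a reviewer can sanity-check the output
# (2 redirects + 2 LAN accepts + 1 range accept + 3 single-port accepts = 8).
reaim_rule_count() {
  reaim_rules | wc -l | tr -d ' '
}

case "${1:-print}" in
  apply) reaim_rules | sh ;;      # execute each emitted line; needs root
  *)     reaim_rules ;;
esac
```

Run it without arguments first and read the eight rules it prints; only the nat PREROUTING entries do the transparent redirection, and deliberately no nat OUTPUT rule is added, since redirecting locally generated connections would send reaim's own outbound traffic back to itself (the 100% CPU symptom described under Troubleshooting). The INPUT accepts on the WAN side are only needed in addition to whatever your current ruleset already permits.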

All done.

Troubleshooting

  1. Start up with 'reaim -d' and check for obvious error messages.
  2. Check that there are no [FATAL] lines showing listening socket errors. Their absence shows that reaim is listening for connections.
  3. Connect to AIM from a machine inside your LAN. This should produce [CONN_BH] and [CONN_NB] lines creating and establishing connections. This shows your firewall is redirecting correctly.
  4. If reaim takes 100% CPU during step 3, it is likely you have redirected reaim back to itself. Check that you can 'telnet login.oscar.aol.com 5190' from the firewall without reaim running.
  5. With reaim running, try a direct connect to a friend who is not behind a firewall. If this fails, check the incoming firewall rules are allowing connections as shown above.
  6. Try a file transfer, instead of a direct connect.
  7. Report a possible bug, with versions of clients, network setups, etc.
