|
magicJack and magicJack Plus Support, Reviews, FAQs and Hacks magicJack and magicJack Plus Unofficial Technical Support. Your Magic Jack and Magic Jack Plus phone service information resource
|
Author |
Message |
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Thu Jan 08, 2009 10:15 pm Post subject: Select destination proxy--quick and dirty hack |
|
|
When the softphone starts, it goes like this:
1. Connect to a provision server
2. The provision server returns a list of available proxies
3. Connect to one of the servers in step 2 to register and make calls.
There was a time when the list we got in step 2 was in terms of domain names (like proxy1.cityname.talk4free.com), so we could manipulate them with the local hosts file. However, it's not possible now as the return value is an IP address, and how the softphone selects the proxy in step 3 is still quite a mystery.
So here is the quick fix--block all unwanted proxy addresses and leave only the ones we want.
The proxy list can be found in a memory dump, just search for "SIPProxyURI=". To block an IP address in Windows, the quickest way is to use the route command.
Below are the commands to block ALL proxies; save them as a bat file.
*192.168.1.2 is some non-existent IP address in your LAN. Sorry, not sure about the case of a direct connection, but I assume it would be the same.
Code: |
route -p add 216.234.70.8 mask 255.255.255.255 192.168.1.2
route -p add 67.106.133.198 mask 255.255.255.255 192.168.1.2
route -p add 67.88.208.198 mask 255.255.255.255 192.168.1.2
route -p add 67.88.10.198 mask 255.255.255.255 192.168.1.2
route -p add 71.5.113.6 mask 255.255.255.255 192.168.1.2
route -p add 67.109.32.70 mask 255.255.255.255 192.168.1.2
route -p add 67.88.218.6 mask 255.255.255.255 192.168.1.2
route -p add 67.90.152.70 mask 255.255.255.255 192.168.1.2
route -p add 67.91.177.70 mask 255.255.255.255 192.168.1.2
route -p add 67.90.16.6 mask 255.255.255.255 192.168.1.2
route -p add 71.5.91.70 mask 255.255.255.255 192.168.1.2
route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.2
route -p add 67.88.84.6 mask 255.255.255.255 192.168.1.2
route -p add 67.91.96.134 mask 255.255.255.255 192.168.1.2
route -p add 216.234.78.8 mask 255.255.255.255 192.168.1.2
route -p add 67.90.80.134 mask 255.255.255.255 192.168.1.2
route -p add 67.110.56.198 mask 255.255.255.255 192.168.1.2
route -p add 67.107.71.134 mask 255.255.255.255 192.168.1.2
route -p add 207.155.164.198 mask 255.255.255.255 192.168.1.2
route -p add 67.107.82.70 mask 255.255.255.255 192.168.1.2
route -p add 216.234.79.8 mask 255.255.255.255 192.168.1.2
route -p add 216.234.64.8 mask 255.255.255.255 192.168.1.2
route -p add 67.88.183.70 mask 255.255.255.255 192.168.1.2
route -p add 64.1.213.70 mask 255.255.255.255 192.168.1.2
route -p add 67.91.233.134 mask 255.255.255.255 192.168.1.2
route -p add 67.108.236.70 mask 255.255.255.255 192.168.1.2
route -p add 66.104.96.198 mask 255.255.255.255 192.168.1.2
route -p add 67.90.177.70 mask 255.255.255.255 192.168.1.2
route -p add 67.111.81.6 mask 255.255.255.255 192.168.1.2
route -p add 67.88.11.6 mask 255.255.255.255 192.168.1.2
|
So to use a certain proxy, modify the file and comment out its line by adding a "rem" at the front, like:
Code: |
rem route -p add 67.90.177.70 mask 255.255.255.255 192.168.1.2
|
This will force magicJack to use the Washington proxy only (proxy1.washington.talk4free.com, 67.90.177.70). I do suggest you comment out at least 2 lines as a failsafe measure.
To remove the blocks:
Code: |
route delete 216.234.70.8
route delete 67.106.133.198
route delete 67.88.208.198
route delete 67.88.10.198
route delete 71.5.113.6
route delete 67.109.32.70
route delete 67.88.218.6
route delete 67.90.152.70
route delete 67.91.177.70
route delete 67.90.16.6
route delete 71.5.91.70
route delete 66.104.81.70
route delete 67.88.84.6
route delete 67.91.96.134
route delete 216.234.78.8
route delete 67.90.80.134
route delete 67.110.56.198
route delete 67.107.71.134
route delete 207.155.164.198
route delete 67.107.82.70
route delete 216.234.79.8
route delete 216.234.64.8
route delete 67.88.183.70
route delete 64.1.213.70
route delete 67.91.233.134
route delete 67.108.236.70
route delete 66.104.96.198
route delete 67.90.177.70
route delete 67.111.81.6
route delete 67.88.11.6
|
The above can be done in Vista as well, but slightly differently. Our blackhole (192.168.1.2) needs to be some valid working IP in the LAN, but not the system's own IP/127.0.0.1 or the gateway. Please refer to this post for more details. Also make sure to run the bat file (or command prompt) as administrator.
Another way in Vista (and Windows XP Pro) is to use IPSec. Read this post for details (the download file is a preset IPSec policy file).
If you're running a Linux-based router, this can also be done via iptables--below is the script, blocking all the proxies; change it accordingly.
Code: |
/usr/sbin/iptables -I FORWARD -d 216.234.70.8 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.106.133.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.208.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.10.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 71.5.113.6 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.109.32.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.218.6 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.90.152.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.91.177.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.90.16.6 -j DROP
/usr/sbin/iptables -I FORWARD -d 71.5.91.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 66.104.81.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.84.6 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.91.96.134 -j DROP
/usr/sbin/iptables -I FORWARD -d 216.234.78.8 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.90.80.134 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.110.56.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.107.71.134 -j DROP
/usr/sbin/iptables -I FORWARD -d 207.155.164.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.107.82.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 216.234.79.8 -j DROP
/usr/sbin/iptables -I FORWARD -d 216.234.64.8 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.183.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 64.1.213.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.91.233.134 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.108.236.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 66.104.96.198 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.90.177.70 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.111.81.6 -j DROP
/usr/sbin/iptables -I FORWARD -d 67.88.11.6 -j DROP
|
Known issue:
takes longer to register, in my test, around 1-2 minutes delay.
Last edited by pagemen on Fri Jan 30, 2009 8:26 pm; edited 1 time in total |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Thu Jan 08, 2009 10:47 pm Post subject: Re: Select destination proxy--quick and dirty hack |
|
|
pagemen wrote: | So here is the quick fix--block all unwanted proxy addresses and leave only the ones we want. |
Very clever. I made a note to add it to the wiki (a bit short on time right now).
Mark |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Fri Jan 09, 2009 4:12 am Post subject: |
|
|
The only problem with blocking all the others is that they change. I don't know if that list is randomly generated with the exception of the first, but even as they add more, you'll have to keep it up to date. More maintenance than I'd care to do. Hence why redirecting the first tends to work better rather than using this inefficient way of rerouting. |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Fri Jan 09, 2009 8:11 pm Post subject: |
|
|
**update**
I've managed to completely reroute the primary ip rather than block it and almost all the rest. I can call out just fine, receive rings in, however, I cannot hear anyone calling back in. So we're left to this method or code injection. |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Fri Jan 09, 2009 8:28 pm Post subject: |
|
|
Trebuin wrote: | The only problem with blocking all the others is that they change. |
The same problem with using the host file (before MJ began using IP addresses instead of hostnames).
If addresses change, just use nslookup to find the new IP address. Same thing you would have had to do with the host file.
I think it's a good solution. But, I haven't tried it yet.
I'm hoping to keep a regularly updated list of proxies and their IP addresses on the wiki.
Mark |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Fri Jan 09, 2009 8:32 pm Post subject: |
|
|
Here's something fun (or disturbing) I've discovered:
If I reroute my proxy and I call out, everything works fine. If I do the same and someone calls me, they can't hear me, I can't hear them, but I can hear the third person in LA that picked up. They're really freaking out |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Fri Jan 09, 2009 9:23 pm Post subject: |
|
|
OK, this method only works for me if I block the vms1 ports. Confirmed with both sets of codes. I've run into problems blocking the proxy, but blocking the other will reroute.
Last edited by Trebuin on Fri Jan 09, 2009 9:32 pm; edited 1 time in total |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Fri Jan 09, 2009 9:31 pm Post subject: |
|
|
Trebuin wrote: | OK, this method only works for me if I block the vms1 ports. |
I have no idea what method you're talking about. Pagemen's original suggestion to block proxies? Or, your idea to do something different?
Mark |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Sat Jan 10, 2009 12:07 am Post subject: |
|
|
ok, after tons of work, blocking the proxy1 addresses will work...the problem is the route -p add argument is only working for me for a very short time and then magicjack will connect back to the proxy I don't want it to. Still working on that fix. |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Sat Jan 10, 2009 12:35 am Post subject: |
|
|
route -p should be permanent and persist with reboot...
Another way is to use IP security policies, but it's not available on certain Windows versions. A 3rd party firewall should work for the purpose as well. |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Sat Jan 10, 2009 1:06 am Post subject: |
|
|
pagemen wrote: | route -p should be permanent and persist with reboot...
another way is to use IP security policies----but its not available on certain Windows versions. 3rd party firewall should work for the purpose as well. |
I'm trying to fine-tune this solution as more than just I will be using it. However, it works sometimes, and doesn't other times across boots. This is totally strange. The persistence is holding, but I'm finding out that Windows itself is flawed as it is trying more than just one route to find the address, so I get the first ping blocked, but every other one will succeed. |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sat Jan 10, 2009 1:08 am Post subject: |
|
|
Trebuin wrote: | it works sometimes, and doesn't other times across boots. |
Put the route commands in a .bat file and add that file to your startup folder?
Mark |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Sat Jan 10, 2009 1:26 am Post subject: |
|
|
Trebuin wrote: | pagemen wrote: | route -p should be permanent and persist with reboot...
another way is to use IP security policies----but its not available on certain Windows versions. 3rd party firewall should work for the purpose as well. |
I'm trying to finetune this solution as more than just I will be using it. However; it works sometimes, and doesn't other times across boots. This is totally strange. The persistence is holding, but I'm finding out that windows itself is flawed as it is trying more than just one route to find the address, so I get the first ping blocked, but every other one will succeed. |
Yes, you're right.
I tried the solution on XP (my test testbed system), and it works great.
However, under Vista, only the first ping will get blocked. |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Sat Jan 10, 2009 1:31 am Post subject: |
|
|
pagemen wrote: | Trebuin wrote: | pagemen wrote: | route -p should be permanent and persist with reboot...
another way is to use IP security policies----but its not available on certain Windows versions. 3rd party firewall should work for the purpose as well. |
I'm trying to finetune this solution as more than just I will be using it. However; it works sometimes, and doesn't other times across boots. This is totally strange. The persistence is holding, but I'm finding out that windows itself is flawed as it is trying more than just one route to find the address, so I get the first ping blocked, but every other one will succeed. |
yes, you're right
i tried the solution on XP(my test tesbed system), and it works great
however, under Vista, only the first ping will get blocked. |
So it's a Vista flaw, I'm running a 64-bit. I'm using the batch, quicker to make changes. I also found some threads saying that it really doesn't work well so the option is use your firewall...software or hardware. Somehow, your code for iptables didn't work either...but I'll try it again in a few hours to make sure I didn't do something wrong. |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Sat Jan 10, 2009 1:42 am Post subject: |
|
|
no idea why iptables wouldn't work...though i didn't try it actually. Can you try "-I FORWARD" instead of "-A FORWARD"?
for vista+route, i think here is the reason:
http://forums.techarena.in/windows-vista-network/920045.htm
Quote: |
I think i've got the solution...
XP accepts all target IPs (from local subnet) and routes blindly (thus
blocks) whereas Vista strictly needs a valid target IP (your own local IP
for example). If its invalid (no connection), vista will (most likely) fall
back to the next valid route to fix that.
Just a guess but at least it works.
|
so to block the IP address in Vista:
Code: |
route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.100
|
this will work, where 192.168.1.100 is another VALID ip address in the lan, which can't be 127.0.0.1 or my own ip address. |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Sat Jan 10, 2009 4:25 am Post subject: |
|
|
Sorry about the delay. Anyhow, I've tried all combinations of invalid ips, from 127.0.0.1, 192.236.2.1 (from your example) 192.236.3.1 (invalid based on my gateway) 192.236.3.199 (my allowable range goes from 100-199, 199 was unassigned) no joy yet. |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Sat Jan 10, 2009 4:56 am Post subject: |
|
|
Trebuin wrote: | Sorry about the delay. Anyhow, I've tried all combinations of invalid ips, from 127.0.0.1, 192.236.2.1 (from your example) 192.236.3.1 (invalid based on my gateway) 192.236.3.199 (my allowable range goes from 100-199, 199 was unassigned) no joy yet. |
Sorry, I might not have made it clear.
You need a VALID, working IP in the LAN, but not the system's own IP/127.0.0.1 or the gateway.
For example, the MJ system is 192.168.1.5 and there is another PC at 192.168.1.10.
So
Code: |
route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.2
|
will not work because once Vista finds 1.2 is not accessible it will fall back to another route.
However,
Code: |
route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.10
|
will work as 1.10 is accessible, so Vista just does the re-routing and won't try the fallback route.
My test (Vista 32-bit):
Code: |
C:\>ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time<1ms TTL=250
Reply from 192.168.1.10: bytes=32 time<1ms TTL=250
Reply from 192.168.1.10: bytes=32 time<1ms TTL=250
Reply from 192.168.1.10: bytes=32 time<1ms TTL=250
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.10
OK!
C:\>ping 66.104.81.70
Pinging 66.104.81.70 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 66.104.81.70:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>route delete 66.104.81.70
OK!
C:\>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.5: Destination host unreachable.
Reply from 192.168.1.5: Destination host unreachable.
Reply from 192.168.1.5: Destination host unreachable.
Reply from 192.168.1.5: Destination host unreachable.
Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
C:\>route -p add 66.104.81.70 mask 255.255.255.255 192.168.1.2
OK!
C:\>ping 66.104.81.70
Pinging 66.104.81.70 with 32 bytes of data:
Reply from 192.168.1.5: Destination host unreachable.
Reply from 66.104.81.70: bytes=32 time=27ms TTL=50
Reply from 66.104.81.70: bytes=32 time=27ms TTL=50
Reply from 66.104.81.70: bytes=32 time=27ms TTL=50
Ping statistics for 66.104.81.70:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 27ms, Average = 27ms
C:\>
|
Anyway, IPSec might be a better solution under Vista...seems that it's available in all versions. |
|
|
|
Trebuin MagicJack Contributor
Joined: 21 May 2008 Posts: 53
|
Posted: Sat Jan 10, 2009 5:48 am Post subject: |
|
|
Hey, thanks, that's more clear. I gave the iptables a try with the -i and it worked fantastic. My firewall showed mj pinging every proxy till it hit one that worked, then it worked just fine. Took about 2 mins to start up.
I don't know if I'll be able to use that vista trick as I don't have a second computer online all the time that stays the same ip. My printer is the only candidate and if I can make it a static ip, I'll give it a try and let you know. |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sun Jan 11, 2009 1:59 pm Post subject: Re: Select destination proxy--quick and dirty hack |
|
|
pagemen wrote: | The proxy list can be found in memory dump, just search "SIPProxyURI=". |
That's pretty cool. I just noticed that it's also possible to find which proxy you use by
1) Make a call.
2) Do the dump (using pmdump, http://www.ntsecurity.nu/toolbox/pmdump/).
3) Using a text editor like www.textpad.com, search the dump for "s=ENSResip" (occurring at the start of any line in the dump).
That string occurs in repeating blocks of information, sandwiched between lines starting with "o=" and "c=". Those lines contain the proxy and vms server IP addresses respectively. A person can get those addresses and resolve them to hostnames at http://www.kloth.net/services/nslookup.php
It's always bothered me that there wasn't an easy way to conclusively know which proxy you're using. The only way was to use Wireshark, which is a bit too much work for many people. (Tomato users are lucky because Tomato lets you see the connections in its QoS charts/details.). The above method isn't bad. Even the simplest user could do that.
I'll write a wiki "how-to" for finding your proxy. I'll move the background info currently in the VPN how-to into this one. Refer the VPN how-to to this one. And, then write a how-to change the proxy using the information you presented here, and refer to the "finding your proxy" how to.
And then an FAQ "how do I find/change my proxy" referring to those two how-tos.
Mark |
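The dump search described in the post above, as an added example that is not part of the original thread: it pulls the `o=` / `c=` addresses around each `s=ENSResip` line out of a raw dump and counts the repeats. It assumes the three lines are adjacent and follow the standard SDP layout (`o=... IN IP4 addr`, `c=IN IP4 addr`); the `SIPProxyURI=` value layout and every address in the sample dump are constructed.

```python
import ipaddress
import re
from collections import Counter

IPV4 = rb"(\d{1,3}(?:\.\d{1,3}){3})"

# o= line, then the s=ENSResip marker, then the c= line (assumed adjacent).
SDP_BLOCK = re.compile(
    rb"^o=\S+ \d+ \d+ IN IP4 " + IPV4 + rb"\r?\n"
    rb"s=ENSResip\r?\n"
    rb"c=IN IP4 " + IPV4,
    re.MULTILINE,
)

# Value runs to the first NUL or line break; its inner layout is an assumption.
PROXY_KEY = re.compile(rb"SIPProxyURI=([^\r\n\x00]{1,256})")


def _valid(addr: bytes):
    """Return the address as text, or None if it is not a real IPv4 address."""
    try:
        return str(ipaddress.IPv4Address(addr.decode("ascii")))
    except ValueError:
        return None


def sdp_sessions(dump: bytes) -> Counter:
    """Count (proxy, media server) pairs: o= address first, c= address second."""
    pairs = Counter()
    for m in SDP_BLOCK.finditer(dump):
        origin, conn = _valid(m.group(1)), _valid(m.group(2))
        if origin and conn:
            pairs[(origin, conn)] += 1
    return pairs


def provisioned_proxies(dump: bytes) -> list:
    """Addresses that follow SIPProxyURI=, in first-seen order, de-duplicated."""
    seen = []
    for m in PROXY_KEY.finditer(dump):
        for raw in re.findall(IPV4, m.group(1)):
            addr = _valid(raw)
            if addr and addr not in seen:
                seen.append(addr)
    return seen


# Constructed sample: binary padding, two provisioning entries, two valid SDP
# blocks for the same call, and one block with a bogus address to be rejected.
SAMPLE_DUMP = (
    b"\x00\x13heap\x00SIPProxyURI=sip:192.0.2.10\x00\x00"
    b"SIPProxyURI=sip:192.0.2.11\x00junk\xff\xfe"
    b"v=0\r\no=- 1231 1 IN IP4 192.0.2.10\r\ns=ENSResip\r\n"
    b"c=IN IP4 198.51.100.20\r\nt=0 0\r\nm=audio 20000 RTP/AVP 0\r\n\x00\x00"
    b"v=0\r\no=- 1231 2 IN IP4 192.0.2.10\r\ns=ENSResip\r\n"
    b"c=IN IP4 198.51.100.20\r\nt=0 0\r\n"
    b"o=- 1 1 IN IP4 999.1.1.1\r\ns=ENSResip\r\nc=IN IP4 198.51.100.20\r\n"
)

if __name__ == "__main__":
    print("provisioned:", provisioned_proxies(SAMPLE_DUMP))
    for (proxy, media), hits in sdp_sessions(SAMPLE_DUMP).most_common():
        print(f"proxy {proxy}  media/vms {media}  seen {hits}x")
```

To run it on a real dump, read the file with `open(path, "rb").read()` and pass the bytes to the two functions.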
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sun Jan 11, 2009 11:15 pm Post subject: |
|
|
pagemen wrote: | sorry i might not get it clear
u need a VALID, working IP in the lan, but not the own system ip/127.0.0.1 or the gateway
for example, the mj system is 192.168.1.5 and there is another PC at 192.168.1.10 |
Just curious. Can you route the MJ IP address to a working WAN address? I.e., does it have to be a LAN address? Can a Vista user route it to Yahoo (or something) just to make the SIP connection fail?
Mark |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Sun Jan 11, 2009 11:40 pm Post subject: |
|
|
az2008 wrote: | pagemen wrote: | sorry i might not get it clear
u need a VALID, working IP in the lan, but not the own system ip/127.0.0.1 or the gateway
for example, the mj system is 192.168.1.5 and there is another PC at 192.168.1.10 |
Just curious. Can you route the MJ IP address to a working WAN address? I.e., does it have to be a LAN address? Can a Vista user route it to Yahoo (or something) just to make the SIP connection fail?
Mark |
No, it has to be a LAN address, WAN wouldn't work...
In Vista, it's better to use IPSec:
1. Download and extract this file:
http://rapidshare.com/files/182300708/mj-block.zip.html
2. run Secpol.msc
3. Select "IP Security Policies on Local Computer", right click, all tasks->Import Policies, select file in step1.
4. Edit the new rule, by default, it blocks all the mj proxies. To enable certain ip, you can remove it from the list(not recommended) or change the protocol from "Any" To "ICMP"(others except "UDP" should also do the trick)
5. Apply and finally, right click the new "MJ Block" rule and select "Assign" |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sun Jan 11, 2009 11:52 pm Post subject: |
|
|
pagemen wrote: | in Vista, its better to use IPSec
1. Download and extract this file:
|
I don't use Vista. Can you explain IPSec a little? Does it come with Vista? Is there a way to do this without downloading a file from an untrusted source? (Sorry, but you know how opinions vary in this regard.).
BTW: I have created the how-to's for find and change proxies:
Find: http://en.wikibooks.org/wiki/MagicJack/Support_Resources/How-To/Proxy_Find
Change: http://en.wikibooks.org/wiki/MagicJack/Support_Resources/How-To/Proxy_Change
I'm just a little unclear about the Vista part. It would be nice if it could be explained in terms that don't require an untrusted file download.
Feel free to edit either of those if you think they can be clearer.
Mark |
|
|
|
rodak magicJack Apprentice
Joined: 09 Dec 2008 Posts: 19
|
Posted: Wed Jan 21, 2009 10:19 pm Post subject: |
|
|
2 Questions:
If I want to just forward the proxy my MJ always seems to use to another I've found that usually works, would the IPTABLES command be (for example):
/usr/sbin/iptables -A FORWARD -d 67.109.32.70 -j 216.234.78.8
Does the iptables command persist across router reboots? If not, is there any way to make it happen, say, every time I restart Windows (like a .CMD file with a Telnet script).
(and yes, I am running Tomato 1.23) |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Wed Jan 21, 2009 11:25 pm Post subject: |
|
|
rodak wrote: | 2 Questions:
If I want to just forward the proxy my MJ always seems to use to another I've found that usually works, would the IPTABLES command be (for example):
/usr/sbin/iptables -A FORWARD -d 67.109.32.70 -j 216.234.78.8
Does the iptables command persist across router reboots? If not, is there any way to make it happen, say, every time I restart Windows (like a .CMD file with a Telnet script).
(and yes, I am running Tomato 1.23) |
To make it persistent, add the script to (under Tomato's web interface) Administration->Scripts->Firewall |
|
|
|
rodak magicJack Apprentice
Joined: 09 Dec 2008 Posts: 19
|
Posted: Fri Jan 23, 2009 2:52 pm Post subject: |
|
|
Ok, I'm doing something wrong here. I've issued the commands from the command line in a Telnet session, I've tried putting them into the Init and the Firewall scripts under Administration (then rebooted the router), but I'm still able to PING the supposedly blocked proxy hosts. What am I doing wrong? |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Fri Jan 23, 2009 3:00 pm Post subject: |
|
|
rodak wrote: | but I'm still able to PING the supposedly blocked proxy hosts. What am I doing wrong? |
Not that I know much about iptables/ipchains, but I'm confused because originally you said you wanted to forward one proxy to another. "Pagemen" gave you one command to do that. But, now you say you expect it to be blocked. From previous posts (and what I copied from those posts to the wiki FAQ) the command is:
Code: | /usr/sbin/iptables -I FORWARD -d 216.234.70.8 -j DROP |
PS: I'd be interested in knowing if the command "Pagemen" provided really works to forward traffic destined for one proxy to another. That would be easier than blocking all proxies.
Finally, for help with Tomato, see the http://www.linksysinfo.org forum for Tomato.
Mark |
|
|
|
rodak magicJack Apprentice
Joined: 09 Dec 2008 Posts: 19
|
Posted: Sat Jan 24, 2009 6:10 am Post subject: |
|
|
Sorry for the confusion. Yes, originally, I wanted to forward one address to another, but the command I suggested (i.e., "guessed at" - pagemen didn't supply it) didn't work at all (invalid syntax, you apparently can't just supply another address in place of the "DROP" keyword), so I dropped back and tried to implement the initial set of iptables commands to block all proxies, then delete the one I wanted to use.
Trouble is, nothing I do seems to have any effect. Whether I enter the iptables command from the command line via telnet, or put it into Tomato's Init or Firewall script window, it doesn't seem to have any effect - I can still ping the "dropped" address, and MJ keeps connecting (successfully) to its favorite Chicago proxy address. |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sat Jan 24, 2009 10:41 am Post subject: |
|
|
rodak wrote: | Trouble is, nothing I do seems to have any effect. Whether I enter the iptables command from the command line via telnet, or put it into Tomato's Init or Firewall script window, it doesn't seem to have any effect - I can still ping the "dropped" address, and MJ keeps connecting (successfully) to it's favorite Chicago proxy address. |
I just tried it. I SSH'ed to my Tomato router, and entered:
Code: | /usr/sbin/iptables -I FORWARD -d 66.104.81.70 -j DROP |
I can still ping that (Phoenix) address. But, when I start MagicJack, it connects to San Francisco.
Are you sure your MJ is really connecting to Chicago?
Also, the Chicago proxy1 address is 71.5.91.70. Is that the address you're using?
Mark |
|
|
|
rodak magicJack Apprentice
Joined: 09 Dec 2008 Posts: 19
|
Posted: Sat Jan 24, 2009 3:20 pm Post subject: |
|
|
THAT worked - the difference is in the command you just posted, it's using the -I (Insert). The command I was using was -A (Append), which is what was listed in the original post. I don't know what the difference is, but apparently (at least for me) -A doesn't work but -I does.
So after issuing the command, I can no longer ping the Chicago proxy. Restarted MJ, and it picked a different one: 67.107.82.70, which isn't in the list, and doesn't even have a reverse DNS resolution. MJ didn't work, either. It would try to dial, then hang up and go back to "Ready to Call". |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Sat Jan 24, 2009 3:31 pm Post subject: |
|
|
rodak wrote: | So after issuing the command, I can no longer ping the Chicago proxy. Restarted MJ, and it picked a different one: 67.107.82.70, which isn't in the list, and doesn't even have a reverse DNS resolution. MJ didn't work, either. It would try to dial, then hang up and go back to "Ready to Call". |
I added the list of proxies to the Wiki how-to. You can reverse lookup the IP address there to find the hostname (if you're curious).
You could block that IP address and force it to try another one. I blocked 12-15 servers over the past two nights and it worked fine for me. It takes a while to connect when starting MJ after you've blocked 5-6 addresses. It has to fail all those before it gets an unblocked address.
I've also noticed over the past couple days that some of MJ's proxy addresses can't be nslookup'ed using the IP address (only the hostname). It's not all of them. For example, you can nslookup the IP address of the Atlanta server. But, not the San Francisco server.
That's one reason I added the list of proxies to the how-to. If this becomes a permanent limitation on nslookup, we'll have to maintain a list in the how-to so people can cross reference names and IP addresses.
I don't know if this is Dan obsessing over people changing proxies. But, there's no way he can stop it. Even if he obfuscates proxy names, there's no way he can prevent people from identifying their proxy IP address using Wireshark (worst case scenario) and blocking it, getting a new IP address in Wireshark (and so on). It doesn't matter if nobody ever knows where those proxies actually reside. They'll always be able to change proxies as long as the softphone has the feature to "failover" to a different proxy.
Mark |
|
|
|
rodak magicJack Apprentice
Joined: 09 Dec 2008 Posts: 19
|
Posted: Sat Jan 24, 2009 3:37 pm Post subject: |
|
|
SUCCESS!!!!!!
Many thanks for your help, guys! I put all the iptables commands (with the -I option not -A) into the Firewall section under Administration/Scripts, and voila! Calls now routed through Atlanta (which, I note, AZ, you had very good results with in your testing). My son has a friend in the 770 area code, and he would get a bad echo every time he called him (except when using the kludgy '*' option). He's talking to him now with no echo! |
|
|
|
admin MagicJack Contributor
Joined: 12 Nov 2007 Posts: 60
|
Posted: Fri Jan 30, 2009 6:10 pm Post subject: |
|
|
Great post pagemen, you won a free MagicJack |
|
|
|
pagemen Dan isn't smart enough to hire me
Joined: 15 Dec 2008 Posts: 128
|
Posted: Fri Jan 30, 2009 8:39 pm Post subject: |
|
|
thanks admin for the free jack, and az2008's nomination. really nice surprise.
I updated the original post with corrected info(hopefully). For "-I"(insert, putting the rule at the beginning of the iptables chain) and "-A"(append at the end), both should work equally well on a desktop system, however, as there are some stock iptables rules in these Linux based routers, customized rules have to be put at the beginning of the chain(-I), otherwise, MJ traffic would be caught by default rules and bypass our settings. |
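The -I versus -A behaviour explained in the post above, modelled as an added example that is not part of the original thread: a first-match walk of the FORWARD chain shows why an appended DROP never fires behind a stock ACCEPT rule, and why a FORWARD rule does not affect traffic generated on the router itself (that traverses OUTPUT). The stock rule `-A FORWARD -i br0 -j ACCEPT`, the interface name `br0` and the address 192.0.2.70 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    target: str                    # "ACCEPT" or "DROP"
    dst: str = "0.0.0.0/0"         # -d match
    in_if: Optional[str] = None    # -i match; None matches any interface

    def matches(self, pkt: dict) -> bool:
        dst_ok = ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
        if_ok = self.in_if is None or self.in_if == pkt.get("in_if")
        return dst_ok and if_ok


class Router:
    """Minimal model: two chains, first matching rule decides, else the policy."""

    def __init__(self, stock_forward):
        self.chains = {"FORWARD": list(stock_forward), "OUTPUT": []}
        self.policy = {"FORWARD": "DROP", "OUTPUT": "ACCEPT"}

    def append(self, chain, rule):      # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule):      # iptables -I <chain> ...
        self.chains[chain].insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        # Routed packets arrive on an interface and traverse FORWARD;
        # packets generated on the router itself traverse OUTPUT.
        chain = "FORWARD" if pkt.get("in_if") else "OUTPUT"
        for rule in self.chains[chain]:
            if rule.matches(pkt):
                return rule.target
        return self.policy[chain]


# Assumed stock firmware rule: anything coming from the LAN bridge is forwarded.
STOCK_FORWARD = [Rule("ACCEPT", in_if="br0")]


def compare(proxy: str = "192.0.2.70") -> dict:
    """Verdicts for the same DROP rule added with -A and with -I."""
    block = Rule("DROP", dst=proxy + "/32")
    from_lan = {"dst": proxy, "in_if": "br0"}       # the softphone's PC
    from_router = {"dst": proxy, "in_if": None}     # ping typed in the router shell
    results = {}
    for mode in ("append", "insert"):
        router = Router(STOCK_FORWARD)
        getattr(router, mode)("FORWARD", block)
        results[mode] = {
            "lan_client": router.verdict(from_lan),
            "router_shell": router.verdict(from_router),
        }
    return results


if __name__ == "__main__":
    for mode, verdicts in compare().items():
        print(mode, verdicts)
```

On a real router, `iptables -L FORWARD -n -v --line-numbers` shows where a rule landed and whether its packet counter is increasing.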
|
|
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Wed Feb 25, 2009 8:18 pm Post subject: |
|
|
Hello...
I tried to block the default Philadelphia server that my MJ keeps connecting to, and when I do, I get a rapid busy signal followed by a dial tone when I dial a number.
I used the following command...
route add 26.234.67.8 mask 255.255.255.255 192.168.254.3 (which is another PC off my router).
When I delete the route and restart the MJ, it works again (including the echo of my own voice whenever I call certain land lines).
Any ideas?
Thanks,
-Tom in Scranton, PA USA |
|
|
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Wed Feb 25, 2009 8:25 pm Post subject: |
|
|
TomMonger wrote: | I tried to block the default Philadelphia server that my MJ keeps connecting to, and when I do, I get a rapid busy signal followed by a dial tone when I dial a number. |
You should follow the "find" instructions (on the wiki how-to) to see what rtp/vms server it's connecting to when you try to make a call. I.e., is it remaining in the old region you wanted to block.
Some people have reported that phenomenon. They have to block the vms server(s) as well. Which makes changing proxies less feasible because if a call comes in from the blocked region you probably won't be able to receive it because MJ will try to use the vms server in that region (which you can't connect to because you blocked it).
Mark |
|
tony Dan Should Pay Me
Joined: 04 May 2008 Posts: 509 Location: Vancouver, BC
|
Posted: Wed Feb 25, 2009 11:31 pm Post subject: |
|
|
az2008 wrote: | They have to block the vms server(s) as well. Which makes changing proxies less feasible because if a call comes in from the blocked region you probably won't be able to receive it because MJ will try to use the vms server in that region (which you can't connect to because you blocked it). Mark |
Hi Mark, will try blocking the vms servers. I have my MJ call forwarded to the landline. If I block the vms server, will there be an effect on incoming calls if MJ is forwarded? |
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Thu Feb 26, 2009 12:01 am Post subject: |
|
|
Thanks for the reply, Mark, but it did the same thing when I blocked both the proxy and vms servers that were showing up in my pmdump file. All calls would just return a dial tone. It's like my MJ is hard-coded to use only Philly's, and it won't accept anything else. Oh well. |
|
tony Dan Should Pay Me
Joined: 04 May 2008 Posts: 509 Location: Vancouver, BC
|
Posted: Thu Feb 26, 2009 12:51 am Post subject: |
|
|
TomMonger wrote: | Thanks for the reply, Mark, but it did the same thing when I blocked both the proxy and vms servers that were showing up in my pmdump file. All calls would just return a dial tone. It's like my MJ is hard-coded to use only Philly's, and it won't accept anything else. Oh well. |
I'm having the same problem, my number is a NYC number and when I try to block the NY servers, I just get a dial tone after dialing. Please post if you find a solution. |
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Thu Feb 26, 2009 11:28 am Post subject: |
|
|
tony wrote: | I have my MJ call forwarded to the landline. If I block the vms server, will there be an effect on incoming calls if MJ is forwarded? |
I haven't tried that. You could try it and let us know.
The only experience I have is with blocking vms servers, and then a call coming in from the region where the vms server is blocked. The notification of the incoming call came through on the proxy (in whatever region I was using). But, the instruction was to open a connection to the vms server that was blocked. After a couple failed attempts, it finally came through on a vms server in the region I was connected to.
This isn't really a failure with the blocking-proxies hack. The hack just takes advantage of MJ's capability to "fail over" to different servers if servers are down (or unreachable due to network problems). What's becoming evident is that MJ's "fail over" feature doesn't work very well. For some people, it doesn't seem to work at all.
Most business people would welcome their customers discovering shortcomings like this. But, Dan seems to want to keep his customers as far away as possible. (I.e., this forum wouldn't exist except for the fact that Dan shut down the forum that originally existed on the magicjack web site.).
Mark |
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Thu Feb 26, 2009 11:30 am Post subject: |
|
|
TomMonger wrote: | it did the same thing when I blocked both the proxy and vms servers that were showing up in my pmdump file. All calls would just return a dial tone. It's like my MJ is hard-coded to use only Philly's, and it won't accept anything else. |
Did you do a pmdump and verify MJ is connecting to different proxy and vms servers? Did you block those and try yet another? (And, you restarted the softphone after each block was created?).
Mark |
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Thu Feb 26, 2009 10:42 pm Post subject: |
|
|
az2008 wrote: |
Did you do a pmdump and verify MJ is connecting to different proxy and vms servers? Did you block those and try yet another? (And, you restarted the softphone after each block was created?). |
Yes, I did all that, and even created a .bat file of all 29 (or was it 31?) servers to block all but 2 or 3 servers, and it still won't connect anywhere. Unless I delete the route for that damn Philadelphia server, my MJ won't work.
So, I did a pmdump after I dialed a number. I got the correct server that I left unblocked, BUT check out the vms part:
c=IN IP4 0.0.0.0
What do I do now? I am guessing I will have to block all the vms servers I don't want? Is there a list?
Thanks again for all your help!
-Tom |
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Thu Feb 26, 2009 11:17 pm Post subject: |
|
|
TomMonger wrote: | So, I did a pmdump after I dialed a number. I got the correct server that I left unblocked, BUT check out the vms part:
c=IN IP4 0.0.0.0
What do I do now? I am guessing I will have to block all the vms servers I don't want? Is there a list? |
Normally people have to block vms servers they don't want to connect to (after seeing they're connecting to them). In your case, it doesn't seem to be connecting to one.
You said you blocked all the proxies except the one you want to use. Do you get the same vms problem regardless of which proxy you connect to? (if you only block one proxy and let it go to the next one in line?).
You may be one of the unfortunate people who can't use proxy blocking. It works to various degrees for different people. I'm not sure what is the distinguishing factor for the differing experiences. Maybe something specific to the proxy that a phone number is homed to.
The only thing I can think to try is to shut everything down for 30 minutes, boot, block proxies, and start MJ. (Don't let MJ connect to anything during that 30 minutes, or before blocking proxies.).
Mark |
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Thu Feb 26, 2009 11:48 pm Post subject: |
|
|
Mark, I'm happy to report that I *finally* got it to work!
I made up a .bat file with all the proxies and matching vms servers (see below in case anyone wants to copy it). I shut down the MJ and released/renewed my IP connection. I put an REM in front of the proxies and matching vms server entries that I wanted to use in my .bat file (in this case, the two Pittsburgh servers), saved and ran the .bat file, restarted the MJ, then made a call. It stalled for a minute or two, and voila! I was talking to my mom... with NO ECHO!
Thanks again for all your help, Mark!
Oh, here's my batch file. Remember to change the IP addresses at the end of each line to match your own home network.
======================================
route add 67.88.10.198 mask 255.255.255.255 192.168.254.1
route add 67.88.10.203 mask 255.255.255.255 192.168.254.1
route add 67.88.208.198 mask 255.255.255.255 192.168.254.1
route add 67.88.208.203 mask 255.255.255.255 192.168.254.1
route add 216.234.64.8 mask 255.255.255.255 192.168.254.1
route add 216.234.64.12 mask 255.255.255.255 192.168.254.1
route add 216.234.70.8 mask 255.255.255.255 192.168.254.1
route add 216.234.70.12 mask 255.255.255.255 192.168.254.1
route add 67.90.80.134 mask 255.255.255.255 192.168.254.1
route add 67.90.80.139 mask 255.255.255.255 192.168.254.1
route add 67.90.177.70 mask 255.255.255.255 192.168.254.1
route add 67.90.177.75 mask 255.255.255.255 192.168.254.1
route add 67.109.32.70 mask 255.255.255.255 192.168.254.1
route add 67.109.32.75 mask 255.255.255.255 192.168.254.1
route add 67.91.177.70 mask 255.255.255.255 192.168.254.1
route add 67.91.177.75 mask 255.255.255.255 192.168.254.1
route add 64.1.213.70 mask 255.255.255.255 192.168.254.1
route add 64.1.213.75 mask 255.255.255.255 192.168.254.1
route add 66.104.96.198 mask 255.255.255.255 192.168.254.1
route add 66.104.96.203 mask 255.255.255.255 192.168.254.1
route add 66.104.81.70 mask 255.255.255.255 192.168.254.1
route add 66.104.81.75 mask 255.255.255.255 192.168.254.1
route add 67.88.84.6 mask 255.255.255.255 192.168.254.1
route add 67.88.84.11 mask 255.255.255.255 192.168.254.1
route add 67.88.218.6 mask 255.255.255.255 192.168.254.1
route add 67.88.218.11 mask 255.255.255.255 192.168.254.1
route add 67.108.236.70 mask 255.255.255.255 192.168.254.1
route add 67.108.236.75 mask 255.255.255.255 192.168.254.1
route add 67.106.133.198 mask 255.255.255.255 192.168.254.1
route add 67.106.133.203 mask 255.255.255.255 192.168.254.1
route add 67.91.96.134 mask 255.255.255.255 192.168.254.1
route add 67.91.96.139 mask 255.255.255.255 192.168.254.1
route add 67.110.56.198 mask 255.255.255.255 192.168.254.1
route add 67.110.56.203 mask 255.255.255.255 192.168.254.1
route add 67.91.233.134 mask 255.255.255.255 192.168.254.1
route add 67.91.233.139 mask 255.255.255.255 192.168.254.1
route add 67.90.152.70 mask 255.255.255.255 192.168.254.1
route add 67.90.152.75 mask 255.255.255.255 192.168.254.1
route add 216.234.78.8 mask 255.255.255.255 192.168.254.1
route add 216.234.78.12 mask 255.255.255.255 192.168.254.1
route add 67.90.16.6 mask 255.255.255.255 192.168.254.1
route add 67.90.16.11 mask 255.255.255.255 192.168.254.1
route add 67.111.81.6 mask 255.255.255.255 192.168.254.1
route add 67.111.81.11 mask 255.255.255.255 192.168.254.1
route add 216.234.69.8 mask 255.255.255.255 192.168.254.1
route add 216.234.69.12 mask 255.255.255.255 192.168.254.1
route add 207.155.164.198 mask 255.255.255.255 192.168.254.1
route add 207.155.164.203 mask 255.255.255.255 192.168.254.1
route add 216.234.79.8 mask 255.255.255.255 192.168.254.1
route add 216.234.79.12 mask 255.255.255.255 192.168.254.1
route add 67.88.11.6 mask 255.255.255.255 192.168.254.1
route add 67.88.11.11 mask 255.255.255.255 192.168.254.1
route add 67.107.82.70 mask 255.255.255.255 192.168.254.1
route add 67.107.82.75 mask 255.255.255.255 192.168.254.1
route add 67.107.71.134 mask 255.255.255.255 192.168.254.1
route add 67.107.71.139 mask 255.255.255.255 192.168.254.1
route add 67.88.183.70 mask 255.255.255.255 192.168.254.1
route add 67.88.183.75 mask 255.255.255.255 192.168.254.1
route add 67.111.250.134 mask 255.255.255.255 192.168.254.1
route add 67.111.250.139 mask 255.255.255.255 192.168.254.1
route add 216.234.67.8 mask 255.255.255.255 192.168.254.1
route add 216.234.67.12 mask 255.255.255.255 192.168.254.1 |
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Fri Feb 27, 2009 12:00 am Post subject: |
|
|
TomMonger wrote: | I made up a .bat file with all the proxies and matching vms servers |
The last time I checked, there were more vms servers per region. Do a nslookup on vms1, vms2, vms3, etc. So, you're not blocking all vms servers.
But, if it works, that's fine.
Mark |
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Fri Feb 27, 2009 1:40 am Post subject: |
|
|
az2008 wrote: |
The last time I checked, there were more vms servers per region. Do a nslookup on vms1, vms2, vms3, etc. So, you're not blocking all vms servers.
But, if it works, that's fine.
Mark |
I guess I've got more work to do, eh? LOL Oh well! |
|
az2008 MagicJack Sensei
Joined: 20 Aug 2008 Posts: 1404 Location: Tempe, AZ
|
Posted: Fri Feb 27, 2009 12:05 pm Post subject: |
|
|
TomMonger wrote: | I guess I've got more work to do, eh? LOL Oh well! |
If it works just blocking each region's vms1 server, then you shouldn't have to do more (you shouldn't even have to do that). I just wanted to point out that each region has more vms servers. They have more proxy servers too (nslookup proxy2, 3, etc.). I suspect the proxy servers are load balanced. You connect to proxy1 and it hands you off to 2, 3, etc. using something like BigIP (so it's transparent to you). But, the vms servers seem to be different. I've noticed that I've connected directly to vms2, 3 etc. Especially when it's an incoming call.
I've also noticed some regions have servers named {ip-address}.{city-name}.talk4free.com.
I don't know if that was a temporary naming convention while MJ upgraded hardware, or intended to throw off its customers who try to improve their service by blocking servers.
Mark |
|
TomMonger MagicJack Newbie
Joined: 01 Feb 2009 Posts: 6
|
Posted: Sat Feb 28, 2009 12:02 am Post subject: |
|
|
Last night, it worked. Tonight, no go. After I'd dial a number, I'd get an immediate dial tone.
So... I listed all the Proxy1, Proxy2... and VMS1, VMS2... servers in my batch file, and rem'd out the ones I wanted to allow. No luck either.
So, now I'm back to my echo'ing MJ whenever I call certain people.
-T. |
|