Hello everyone. I recently built a firewall for a friend of mine on Potato, to do NAT for his home network. Everything went well, except for IRC connection tracking. I'm attempting to enable DCC sends from behind the firewall without DNATing every high port to his internal computer ;-). I haven't been able to find much in the way of documentation for the irc_conntrack setup, so I've been pretty much poking around in the dark, and banging my shins a lot.
Here is the requisite ASCII art diagram of his network:

--------------------      ----------------       --------------------
| Big Bad Internet |------| NAT/Firewall |-------| Internal Machine |
--------------------      ----------------       --------------------

The irc_conntrack code is compiled straight into the kernel, and I got it from the iptables patch-o-matic. (I compiled my own iptables.)

Here is the actual error that gets echoed to the console when a DCC send is initiated: (Are those IP addresses supposed to be reversed like that?)

Forged DCC command from 2.0.0.10: 11.227.59.142:2049

debian:~# tail /var/log/syslog -n 2
Aug 7 02:15:13 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2301
Aug 7 02:21:34 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2049

Other misc. info follows:

debian:~# uname -a
Linux debian 2.4.7 #3 Tue Aug 7 00:28:17 MDT 2001 i586 unknown

debian:~# iptables ! -V
Not 1.2.2 ;-)

debian:~# cat /proc/net/ip_conntrack
tcp 6 431996 ESTABLISHED src=142.59.227.11 dst=161.184.221.13 sport=1024 dport=22 src=161.184.221.13 dst=142.59.227.11 sport=22 dport=1024 [ASSURED] use=1
udp 17 11 src=10.0.0.2 dst=10.0.0.255 sport=137 dport=137 [UNREPLIED] src=10.0.0.255 dst=10.0.0.2 sport=137 dport=137 use=1
tcp 6 431995 ESTABLISHED src=10.0.0.2 dst=208.185.43.194 sport=4818 dport=6667 src=208.185.43.194 dst=142.59.227.11 sport=6667 dport=4818 [ASSURED] use=1

debian:/usr/src/linux# tcpdump -i eth1 -n | grep 161.184.221 | grep -v 161.184.221.13.22
eth1: Promiscuous mode enabled.
device eth1 entered promiscuous mode
tcpdump: listening on eth1
02:15:14.335774 161.184.221.13.4100 > 142.59.227.11.2301: S 855773582:855773582(0) win 5840 <mss 1460,sackOK,timestamp 18181605 0,nop,wscale 0> (DF)
02:15:14.336116 142.59.227.11.2301 > 161.184.221.13.4100: R 0:0(0) ack 855773583 win 0 (DF)

debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

debian:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere           tcp dpt:ftp to:10.0.0.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere           to:142.59.227.11

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Any pointers or tips (or solutions ;-) that anyone might have would be greatly appreciated.

-- 
----------------------------------------
Jordan R. Urie
Unix Administrator
SilverLAN Hosting Inc.
Tel: (780) 707-6520
Fax: (780) 443-6520
[EMAIL PROTECTED]
www.silverlan.net
----------------------------------------
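As an added diagnostic example, not part of the original post: a short Python script that parses the "Forged DCC command" syslog lines and the /proc/net/ip_conntrack entries quoted above, undoes the octet-reversed printing seen in the post, and reports whether the address the IRC client advertised in its DCC command is the firewall's SNAT address rather than the client's own. It assumes the helper's rule that an advertised DCC address must equal the source address of the tracked connection it arrives on; the sample lines are constructed from those in the post.

```python
import re

# Constructed sample input, modelled on the syslog and /proc/net/ip_conntrack lines in the post.
SYSLOG_LINES = [
    "Aug  7 02:15:13 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2301",
    "Aug  7 02:21:34 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2049",
]
CONNTRACK_LINES = [
    "tcp 6 431995 ESTABLISHED src=10.0.0.2 dst=208.185.43.194 sport=4818 dport=6667 "
    "src=208.185.43.194 dst=142.59.227.11 sport=6667 dport=4818 [ASSURED] use=1",
]

FORGED_RE = re.compile(r"Forged DCC command from ([\d.]+): ([\d.]+):(\d+)")


def unreverse(addr):
    """Undo the octet-reversed printing seen in the post (2.0.0.10 -> 10.0.0.2)."""
    return ".".join(reversed(addr.split(".")))


def parse_forged(line):
    """Return (connection source, advertised DCC address, DCC port) or None."""
    m = FORGED_RE.search(line)
    if m is None:
        return None
    return unreverse(m.group(1)), unreverse(m.group(2)), int(m.group(3))


def parse_conntrack(line):
    """Split an ip_conntrack entry into its original and reply tuples."""
    kv = re.findall(r"(src|dst|sport|dport)=(\S+)", line)
    return {"orig": dict(kv[:4]), "reply": dict(kv[4:8])}


def diagnose(syslog_lines, conntrack_lines):
    # Assumed helper rule: the advertised DCC address must equal the source of the
    # tracked connection; if it equals the reply tuple's dst (the SNAT address), the
    # client is announcing the firewall's public IP itself instead of its own.
    entries = [parse_conntrack(l) for l in conntrack_lines]
    results = []
    for line in syslog_lines:
        parsed = parse_forged(line)
        if parsed is None:
            continue
        conn_src, dcc_ip, dcc_port = parsed
        verdict = "unexplained"
        for e in entries:
            if e["orig"]["src"] == conn_src and dcc_ip == e["reply"]["dst"]:
                verdict = "client advertises NAT address %s instead of %s" % (dcc_ip, conn_src)
        results.append((dcc_port, verdict))
    return results
```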

