Note : this has already been posted to [EMAIL PROTECTED] without any answer. Hope you'll help me with this...
Hi, First I would like to thanks the netfilter core team for their work since I'm using this project since 2.3.xx and I'm really happy with this. However, this is the very first time I've got a problem like this - and unfortunetly I don't have many time to solve the problem myself - maybe one of you already had and succesfully solved the problem. Anyway, here we are: I have 2 lans (LAN1, LAN2) connected thru the Internet via a Free/Swan VPN on to gateways (GW1, GW2) with strictly *SYMETRIC* firewalling rules (and exactly same software, kernel 2.4.18 - iptables 1.2.6a). We decided to add a irc server, and I put it on LAN1:BOX1, listenning on a standard 6667 port. I added a rule to let the new service accessible from LAN2 on the 2 gateways, ie : GW2 : <snip> iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1 --dport 6667 -m state --state NEW -j ACCEPT iptables .... </snip> GW1 : <snip> iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1 --dport 6667 -m state --state NEW -j ACCEPT iptables .... </snip> This setup works fine for standard chat. Let me try a /DCC send command. I run 2 bitchx clients, one on LAN1:BOXB, the other one on LAN2:BOXC If I do a /dcc send on LAN1:BOXB (tcp connection initiated by LAN2:BOXC, I have a "Connection Refused" on LAN2:BOXC (SYN packet dropped by GW2, visible in logs). If I do a /dcc send on LAN2:BOXC (tcp connection initiated by LAN1:BOXB), the file is successfully sent I think the problem is due to the fact that the box LAN1:BOXB is on the same network than LAN1:BOX1, which means that GW1 (and GW2) won't see the /DCC command issued by LAN1:BOX1. To solve that, I had the following idea : just add a DMZ DMZ1 connected to GW1 and put the ircd on it. It will probably makes GW1 see the /DCC, but never GW2! GW2 will still disallow the packet. Am I wrong? Any clue? NB that I absolutly don't know how DCC is working! Any help would be *greatly* appreciated! Cheers, a2k
