Note: this has already been posted to [EMAIL PROTECTED]
without any answer. Hope you'll help me with this...



Hi,

First I would like to thank the netfilter core team for their work,
as I've been using this project since 2.3.xx and I'm really happy with it.

However, this is the very first time I've had a problem like this - and
unfortunately I don't have much time to solve the problem myself - maybe
one of you has already had and successfully solved the problem.

Anyway, here we are:

I have 2 LANs (LAN1, LAN2) connected through the Internet via a Free/Swan
VPN on two gateways (GW1, GW2) with strictly *SYMMETRIC* firewalling rules
(and exactly the same software, kernel 2.4.18 - iptables 1.2.6a).

We decided to add an irc server, and I put it on LAN1:BOX1, listening on
the standard port 6667.

I added a rule to make the new service accessible from LAN2
on the 2 gateways, i.e.:

GW2 :
<snip>
iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1 --dport 6667 -m state --state NEW -j ACCEPT
iptables ....
</snip>

GW1 :
<snip>
iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1 --dport 6667 -m state --state NEW -j ACCEPT
iptables ....
</snip>


This setup works fine for standard chat.
Let me try a /DCC send command.

I run 2 bitchx clients, one on LAN1:BOXB, the other one on LAN2:BOXC.

If I do a /dcc send on LAN1:BOXB (tcp connection initiated by LAN2:BOXC),
I get a "Connection Refused" on LAN2:BOXC (SYN packet dropped by GW2,
visible in the logs).

If I do a /dcc send on LAN2:BOXC (tcp connection initiated by
LAN1:BOXB), the file is successfully sent.


I think the problem is due to the fact that the box LAN1:BOXB is on the
same network as LAN1:BOX1, which means that GW1 (and GW2) won't see
the /DCC command issued by LAN1:BOX1.

To solve that, I had the following idea: just add a DMZ, DMZ1, connected
to GW1 and put the ircd on it. It will probably make GW1 see the /DCC,
but never GW2! GW2 will still disallow the packet.

Am I wrong? Any clue?
NB that I absolutely don't know how DCC works!

Any help would be *greatly* appreciated!

Cheers,

a2k
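An added illustration (not part of the original mail) of why the gateways' verdicts differ: it parses the CTCP "DCC SEND" request an IRC client embeds in a PRIVMSG, derives the TCP flow the receiver will open (receiver -> sender's advertised ip:port), and models the three topologies from the mail. The model's assumption, labelled as such in the code, is that a stateful gateway can classify that SYN as RELATED only if it forwarded the sender's own client-to-ircd connection, where the DCC SEND passes in the client-to-server direction; the sample message, hostnames and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of a CTCP DCC SEND as sent by the IRC client to the ircd:
# "<file> <ip as 32-bit integer> <port> [<size>]". The sender advertises its
# OWN address and listening port; the receiver opens the TCP connection.
SAMPLE = "PRIVMSG boxc :\x01DCC SEND notes.txt 3232235787 50123 4096\x01"
DCC_SEND_RE = re.compile(r"\x01DCC SEND (\S+) (\d+) (\d+)(?: (\d+))?\x01")


def parse_dcc_send(msg):
    """Return (filename, ip, port, size) from a DCC SEND PRIVMSG, or None."""
    m = DCC_SEND_RE.search(msg)
    if not m:
        return None
    fname, ip_int, port, size = m.groups()
    ip = str(ipaddress.IPv4Address(int(ip_int)))  # integer form -> dotted quad
    return fname, ip, int(port), (int(size) if size else None)


def dcc_flow(receiver_ip, msg):
    """The flow a gateway must treat as RELATED: (receiver, advertised ip, port)."""
    parsed = parse_dcc_send(msg)
    if parsed is None:
        return None
    _, adv_ip, port, _ = parsed
    return (receiver_ip, adv_ip, port)


def dcc_syn_verdict(sender_to_ircd_gws, receiver_to_sender_gws):
    """ASSUMPTION (model, not netfilter code): a gateway learns the DCC endpoint
    only if it forwards the sender's client->ircd connection. The receiver's SYN
    is accepted only if every gateway on its path learned it; otherwise the SYN
    is NEW on a non-6667 port and dropped. Returns (accepted, blocking_gw)."""
    for gw in receiver_to_sender_gws:
        if gw not in sender_to_ircd_gws:
            return False, gw
    return True, None


# The three topologies from the mail: (sender->ircd gateways, receiver->sender gateways).
SCENARIOS = {
    "send from LAN1:BOXB, ircd on LAN1": ([], ["GW2", "GW1"]),
    "send from LAN2:BOXC, ircd on LAN1": (["GW2", "GW1"], ["GW1", "GW2"]),
    "send from LAN1:BOXB, ircd in DMZ1 behind GW1": (["GW1"], ["GW2", "GW1"]),
}

if __name__ == "__main__":
    print(parse_dcc_send(SAMPLE))
    for name, (s, r) in SCENARIOS.items():
        print(name, "->", dcc_syn_verdict(s, r))
```

The model reproduces the mail's observations: the transfer from LAN2:BOXC succeeds, while the one from LAN1:BOXB and the DMZ variant both fail at GW2, which never forwards the sender's control connection.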