ip_conntrack_irc not working
Hi,
I ran into problems using IRC connection tracking (iptables v1.2.6a) on
debian woody, debian kernel 2.4.18-13.
ip_conntrack_irc support is built into kernel (CONFIG_IP_NF_IRC=y,
CONFIG_IP_NF_NAT_IRC=y)
It seems that DCC connections are dropped without being handled by a
default RELATED rule.
I found similar postings [1] on the web, unfortunately all unsolved.
I tried to establish a DCC (GET) connection on clients behind the
router running iptables and on the router itself.
I also tried to apply debian's irc-connection-tracking kernel patch. No
differences...
Funnily enough [2] says that "iptables -A INPUT -m state --state
ESTABLISHED,RELATED -j REJECT" allows all DCCs through. :)
I read somewhere that ftp-connection-tracking in conjunction with
irc-connection-tracking do not work.
Is that true?
btw: ftp passv connections function nicely.
Any help is greatly appreciated!
Regards,
Florian
My iptables script partially looks like:
#
# Some variables
#
IPTABLES=`which iptables`
p_high="1024:65535"
d_IRC="ircd" # 6667
EXT="ppp0"
INT="eth0"
#
# Outgoing packets on established connections
#
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
#
# Incoming packets on established connections
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
#
# Allow router itself to establish connections to IRC daemons
#
$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP \
    --sport $p_high -m multiport --destination-ports $d_IRC -j ACCEPT
#
# Allow clients to establish connections to IRC daemons
#
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state NEW -p TCP \
    --sport $p_high -m multiport --destination-ports $d_IRC -j ACCEPT
# End of script
[1]
http://lists.netfilter.org/pipermail/netfilter/2002-April/050852.html
http://lists.netfilter.org/pipermail/netfilter/2002-August/037502.html
http://lists.debian.org/debian-user/2002/debian-user-200211/msg02958.html
[2]
/usr/share/doc/kernel-patch-irc/README.Debian
--
Public PGP key is available on common key servers.
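Added example, not part of the original post and not netfilter's own code: a RELATED rule can only match a DCC connection if the helper has read the DCC offer inside the IRC control connection and recorded the address and port it names. The Python code below mimics that parsing step; the function name `expected_dcc`, the watched-port set and the sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Ports whose traffic is inspected (assumption: only 6667, the port
# noted next to d_IRC in the script above).
IRC_PORTS = {6667}

# CTCP DCC offer: \x01DCC <type> <argument> <ip as decimal uint32> <port> [size]\x01
DCC_RE = re.compile(
    rb"PRIVMSG \S+ :\x01DCC (SEND|CHAT) (\S+) (\d{1,10}) (\d{1,5})(?: \d+)?\x01"
)


def expected_dcc(payload: bytes, control_dport: int):
    """Return (type, ip, port) that could be marked RELATED, or None."""
    if control_dport not in IRC_PORTS:
        return None  # control connection runs on a port nobody inspects
    m = DCC_RE.search(payload)
    if m is None:
        return None  # no plain-text DCC offer in this payload
    kind, _arg, ip_raw, port_raw = m.groups()
    ip_int, port = int(ip_raw), int(port_raw)
    if ip_int > 0xFFFFFFFF or not 0 < port <= 65535:
        return None  # malformed address or port
    return kind.decode(), str(ipaddress.IPv4Address(ip_int)), port


# Constructed sample line (not captured traffic): 3232235786 == 192.168.1.10
SAMPLE = b"PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 5001 2048\x01\r\n"

if __name__ == "__main__":
    print(expected_dcc(SAMPLE, 6667))  # offer seen on a watched port
    print(expected_dcc(SAMPLE, 6697))  # same offer on an unwatched port
```

An offer that is never parsed (unwatched server port, encrypted control connection, or a format the parser does not recognise) leaves nothing for `--state RELATED` to match, so the data connection is treated as NEW.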