IRC Connection Tracking
Hello everyone.
I recently built a firewall for a friend of mine on Potato, to do NAT for his home
network. Everything went well, except for IRC connection tracking. I'm attempting
to enable DCC sends from behind the firewall without DNATing every high port to his
internal computer ;-). I haven't been able to find much in the way of documentation
for the irc_conntrack setup, so I've been pretty much poking around in the dark, and
banging my shins a lot.
Here is the requisite ASCII art diagram of his network:
--------------------       ----------------       --------------------
| Big Bad Internet |------| NAT/Firewall |-------| Internal Machine |
--------------------       ----------------       --------------------
The irc_conntrack code is compiled straight into the kernel, and I got it from the
iptables patch-o-matic. (I compiled my own iptables.)
Here is the actual error that gets echoed to the console when a DCC send is initiated:
(Are those IP addresses supposed to be reversed like that?)
Forged DCC command from 2.0.0.10: 11.227.59.142:2049
debian:~# tail /var/log/syslog -n 2
Aug 7 02:15:13 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2301
Aug 7 02:21:34 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2049
Other misc. info follows:
debian:~# uname -a
Linux debian 2.4.7 #3 Tue Aug 7 00:28:17 MDT 2001 i586 unknown
debian:~# iptables ! -V
Not 1.2.2 ;-)
debian:~# cat /proc/net/ip_conntrack
tcp 6 431996 ESTABLISHED src=142.59.227.11 dst=161.184.221.13 sport=1024 dport=22 src=161.184.221.13 dst=142.59.227.11 sport=22 dport=1024 [ASSURED] use=1
udp 17 11 src=10.0.0.2 dst=10.0.0.255 sport=137 dport=137 [UNREPLIED] src=10.0.0.255 dst=10.0.0.2 sport=137 dport=137 use=1
tcp 6 431995 ESTABLISHED src=10.0.0.2 dst=208.185.43.194 sport=4818 dport=6667 src=208.185.43.194 dst=142.59.227.11 sport=6667 dport=4818 [ASSURED] use=1
debian:/usr/src/linux# tcpdump -i eth1 -n | grep 161.184.221 | grep -v 161.184.221.13.22
eth1: Promiscuous mode enabled.
device eth1 entered promiscuous mode
tcpdump: listening on eth1
02:15:14.335774 161.184.221.13.4100 > 142.59.227.11.2301: S 855773582:855773582(0) win 5840 <mss 1460,sackOK,timestamp 18181605 0,nop,wscale 0> (DF)
02:15:14.336116 142.59.227.11.2301 > 161.184.221.13.4100: R 0:0(0) ack 855773583 win 0 (DF)
debian:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
debian:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:ftp to:10.0.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:142.59.227.11
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Any pointers or tips (or solutions ;-) that anyone might have would be greatly appreciated.
--
----------------------------------------
Jordan R. Urie
Unix Administrator
SilverLAN Hosting Inc.
Tel: (780) 707-6520
Fax: (780) 443-6520
juire@silverlan.net
www.silverlan.net
----------------------------------------
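An added example, not from the original post or from the netfilter project, that decodes the two "Forged DCC command" syslog lines quoted above and replays the helper's forgery test on a constructed DCC SEND line. It assumes, as a reading of the log, that the kernel printed both dotted quads with their bytes reversed (so 2.0.0.10 is the internal client 10.0.0.2 and 11.227.59.142 is the advertised 142.59.227.11), and that the helper flags a DCC command as forged when the address advertised inside it differs from the source address of the IRC connection it arrived on; here the advertised address is the SNAT address from POSTROUTING rather than the client's own 10.0.0.2, which is the condition the log is reporting.

```python
import re
import socket
import struct

# Constructed sample: the two syslog lines quoted in the post.
SYSLOG_LINES = [
    "Aug 7 02:15:13 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2301",
    "Aug 7 02:21:34 debian kernel: Forged DCC command from 2.0.0.10: 11.227.59.142:2049",
]

LOG_RE = re.compile(r"Forged DCC command from (\d+\.\d+\.\d+\.\d+): (\d+\.\d+\.\d+\.\d+):(\d+)")


def reverse_octets(dotted):
    """Undo a dotted quad that was printed with its four bytes in reverse order."""
    return ".".join(reversed(dotted.split(".")))


def parse_forged_dcc(line):
    """Decode one 'Forged DCC command' line into the addresses it refers to.

    Assumption: the message prints both quads byte-reversed, so the first quad
    is the IRC client (10.0.0.2) and the second is the address the client
    advertised in its DCC command (142.59.227.11, the SNAT address).
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "irc_client": reverse_octets(m.group(1)),
        "dcc_advertised": reverse_octets(m.group(2)),
        "dcc_port": int(m.group(3)),
    }


def ip_to_dcc(dotted):
    """DCC carries the address as the IP's 32-bit value written in decimal."""
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def check_dcc(ctcp, conn_src_ip):
    """Parse 'DCC SEND <file> <ip> <port> ...' or 'DCC CHAT chat <ip> <port>' and
    apply the helper's test: the advertised address must equal the source address
    of the IRC connection the command travelled on.  Returns (ip, port, forged)."""
    parts = ctcp.strip("\x01").split()
    if len(parts) < 5 or parts[0] != "DCC" or parts[1] not in ("SEND", "CHAT"):
        raise ValueError("not a DCC SEND/CHAT command")
    advertised = socket.inet_ntoa(struct.pack("!I", int(parts[3])))
    port = int(parts[4])
    return advertised, port, advertised != conn_src_ip


if __name__ == "__main__":
    for line in SYSLOG_LINES:
        print(parse_forged_dcc(line))
    # Constructed payload: a client behind SNAT advertising the public address.
    print(check_dcc("\x01DCC SEND file.tar.gz 2386289419 2049 4096\x01", "10.0.0.2"))
```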