
ip_conntrack_irc not working




Hi,

I ran into problems using IRC connection tracking (iptables v1.2.6a) on
debian woody, debian kernel 2.4.18-13.
ip_conntrack_irc support is built into kernel (CONFIG_IP_NF_IRC=y,
CONFIG_IP_NF_NAT_IRC=y)

It seems that DCC connections are dropped without being handled by a
default RELATED rule.
I found similar postings [1] on the web, unfortunately all unsolved.

I tried to establish a DCC (GET) connection on clients behind the
router running iptables and on the router itself.

I also tried to apply debian's irc-connection-tracking kernel patch. No
differences...
Funnily enough [2] says that "iptables -A INPUT -m state --state
ESTABLISHED,RELATED -j REJECT" allows all DCCs through. :)

I read somewhere that ftp-connection-tracking in conjunction with
irc-connection-tracking do not work.
Is that true?
btw: ftp passv connections function nicely.

Any help is greatly appreciated!

Regards,

   Florian


My iptables script partially looks like:

#
# Some variables
#

IPTABLES=`which iptables`

p_high="1024:65535"
d_IRC="ircd"			# 6667

EXT="ppp0"
INT="eth0"


#
# Outgoing packets on established connections
#

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED \
-j ACCEPT


#
# Incoming packets on established connections
#

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED \
-j ACCEPT


#
# Allow router itself to establish connections to IRC daemons
#

$IPTABLES -A OUTPUT -o $EXT -m state --state NEW -p TCP \
--sport $p_high -m multiport --destination-ports $d_IRC -j ACCEPT


#
# Allow clients to establish connections to IRC daemons
#

$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state NEW -p TCP \
--sport $p_high -m multiport --destination-ports $d_IRC -j ACCEPT


# End of script





[1]
http://lists.netfilter.org/pipermail/netfilter/2002-April/050852.html
http://lists.netfilter.org/pipermail/netfilter/2002-August/037502.html
http://lists.debian.org/debian-user/2002/debian-user-200211/msg02958.html

[2]
/usr/share/doc/kernel-patch-irc/README.Debian



--
Public PGP key is available on common key servers.


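An added example, not part of the original post and not the kernel's code: a Python sketch of the step an IRC connection-tracking helper has to perform before a RELATED rule can match, namely reading the CTCP DCC offer on the IRC control connection and deriving the address and port of the data connection to expect. It assumes the helper only inspects lines sent by the host that opened the IRC connection, so an offer arriving from the server side creates no expectation and the resulting outbound connection is seen as NEW; the function name, the nick and the sample offer are constructed.

```python
import ipaddress
import re

# CTCP-quoted DCC offer: \x01DCC <type> <argument> <ip> <port> [size]\x01
# The address travels as a 32-bit unsigned decimal integer, not dotted-quad.
DCC_RE = re.compile(
    rb"PRIVMSG \S+ :\x01DCC (SEND|CHAT) (\S+) (\d{1,10}) (\d{1,5})(?: \d+)?\x01"
)

# Constructed sample: 3221225994 is 192.0.2.10 (documentation address range).
OFFER = b"PRIVMSG bob :\x01DCC SEND notes.txt 3221225994 5000 1024\x01\r\n"


def dcc_expectation(payload: bytes, from_client: bool):
    """Return (type, ip, port) of the data connection to expect, or None.

    from_client is True when the line travels in the original direction of
    the IRC control connection (client -> server). Assumption of this sketch:
    only that direction is inspected.
    """
    if not from_client:
        return None
    match = DCC_RE.search(payload)
    if match is None:
        return None  # ordinary chat line, nothing to expect
    kind, _argument, ip_field, port_field = match.groups()
    ip_int, port = int(ip_field), int(port_field)
    if ip_int > 0xFFFFFFFF or not 0 < port <= 65535:
        return None  # malformed offer: do not open anything for it
    return kind.decode(), str(ipaddress.IPv4Address(ip_int)), port


if __name__ == "__main__":
    # Offer sent by the tracked client: an inbound connection to this
    # address and port is what a RELATED rule would accept.
    print(dcc_expectation(OFFER, from_client=True))
    # Same offer arriving from the server side: nothing is expected.
    print(dcc_expectation(OFFER, from_client=False))
```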
