
Re: Debian Sarge IPTables IRC Connection Tracking Issue



--- DrewB <drewb@x509.biz> wrote:
> I have recently built a server which runs a private IRCD, and I would like
> to be able to support DCC connections to the server using the IRC connection
> tracking module. I have built a custom 2.6.1 kernel for the server (using

DCC connections "to" an ircd?  I did not know that there was a client interface to the server;
though it is possible, it's unlikely that this is what you want.

> make-kpkg) and all iptables/netfilter options are statically built into the
> kernel (no modules used). I used Firewall Builder to build the basic
> iptables script. The script generated by Firewall Builder attempts to
> execute the following iptables command in order to implement the IRC
> connection tracking module:
> 
> iptables -A INPUT  -d 208.254.7.36 -m irc  -m state --state NEW  -j ACCEPT
> 
I have to admit I couldn't get this to work myself.  AFAIK the -m irc is not needed.  What I did
was put ip_nat_irc and the like in /etc/modules.  This caused ipfilter to track masqueraded IRC
connections and translate DCC requests.  YOU DON'T WANT TO DO THIS ON YOUR SERVER AS ALL DCC
REQUESTS WILL BE NATED TO IT!  I don't know how to control the state machine on Linux; I would use
BSD's netfilter, it's got better support for this.  However, Linux has a better shaper (tc).

mike

> IPTables complains, however, when it encounters the above the command line.
> The error notice is:
> 
> iptables v1.2.9: Couldn't load match `irc':/lib/iptables/libipt_irc.so:
> cannot open shared object file: No such file or directory
> 
> I am currently using the v1.29 iptables & iptables-dev Debian packages. My
> kernel source includes the file "ip_conntrack_irc.c" and this option is
> enabled in the kernel. Am I looking at two different types of IRC tracking
> between the kernel tracking option versus the above iptables command or is
> IRC connection tracking simply not yet included in the Debian iptables
> packages? Thank you to anyone who might be able to shed some light on what I
> am missing here.
> 
> Respectfully,
> 
> Drew Berendts, CISSP
> 

