
Re: ipmasq with ICQ, IRC



On Thu, Dec 19, 2002 at 04:17:08AM -0800, Paul Johnson wrote:
| On Thu, Dec 19, 2002 at 04:58:53PM +1100, Rob Weir wrote:
| > Yes, there is.  iptables has modules for ftp (to support non-passive
| > mode) and irc (to support dcc, etc).  They're called
| > ipt_{conntrack,nat}_{irc,ftp}, IIRC.
| 
| Does this work automagically once inserted, or is there some trick
| to iptables to prod it into service?  I suspect the latter is true,
| as I've tried it with just inserting the modules and it didn't work
| as expected.

You need to allow RELATED connections.

        # near the beginning of your INPUT chain
        $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Hmm, I guess you would have to add that to the nat table as well if
you want natted dcc connections to function.  I know the above rule
works if the firewall is on the same machine as the irc client and
that machine has a public (non-NATted) IP.

| >  There're no ICQ modules, because
| > a) stateful firewalling mostly obviates the need for this, and b) the
| > NetFilter folks have a policy that they won't write or support modules
| > for protocols that don't have at least one working Free client and
| > server.
| 
| Someone should go tell the netfilter folks about the jabber icq server
| and the licq client sometime.

The Jabber server isn't an ICQ server.  It has a transport which
behaves as an ICQ _client_.  The end result is that your jabber client
doubles as an ICQ client but without the client even knowing it.

I've also heard that the ICQ protocol is really nasty and no one
wanted to bother trying to port the connection tracking from ipchains
to iptables.

-D

-- 
There are six things the Lord hates,
    seven that are detestable to him :
        haughty eyes,
        a lying tongue,
        hands that shed innocent blood,
        a heart that devises wicked schemes,
        feet that are quick to rush into evil,
        a false witness who pours out lies
        and a man who stirs up dissension among brothers.
 
        Proverbs 6:16-19
 
http://dman.ddts.net/~dman/
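
The natted case raised in the message above, as an added example that is not part of the original thread: on a masquerading gateway, forwarded packets pass through the filter table's FORWARD chain, so the ESTABLISHED,RELATED rule is shown there next to the helper modules. The interface names, the ports 6667 and 21, and the dry-run defaults are assumptions; the module names are those of current kernels.

```shell
#!/bin/sh
# Added example (not from the original thread): IRC/FTP helpers on a masquerading gateway.
# Assumed names: LAN_IF/WAN_IF interfaces, IRC on tcp/6667, FTP control on tcp/21.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
# Dry run by default: commands are printed. As root, set IPTABLES=iptables MODPROBE=modprobe.
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

gateway_rules() {
    # Helper modules: the conntrack half parses DCC / PORT commands and registers
    # the announced data connection as an expectation; the nat half rewrites the
    # private address embedded in the payload.
    # (2.4 kernels, as in the thread's era, named these ip_conntrack_* / ip_nat_*.)
    for proto in irc ftp; do
        $MODPROBE "nf_conntrack_$proto"
        $MODPROBE "nf_nat_$proto"
    done

    # Current kernels no longer attach helpers automatically; bind each one
    # explicitly, and only to control connections that start on the LAN side.
    $IPTABLES -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 6667 -j CT --helper irc
    $IPTABLES -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp

    # Source NAT for everything leaving through the public interface.
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Forwarded traffic: default deny, then replies and helper-expected
    # (RELATED) connections, then new connections from the LAN only.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT

    # The rule from the message, for clients running on the firewall itself.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

gateway_rules
```

RELATED admits whatever connection a helper derives from client-supplied payload, so binding the helpers to specific ports and to the LAN interface keeps that trust narrow.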
