Hello,

I have a linux firewall running Mandrake Linux 8.1 (Vitamin) which has been updated to the 2.4.8-34.1mdk kernel.

I am attempting to use the DirectConnect(DC) program made by NeoModus from a windows machine behind the firewall.

My problem:
For some reason the firewall will lock up after an unspecified amount of time....Some times it locks up in 5 minutes and other time 15 hours....I do not see these problems except when DC is running.
I have seen some hint of this problem when using Morpheus, a similiar file sharing program...

I originally was running DC is passive mode since I had not opened any ports on the firewall. After the lock up I enabled port forwarding and now run DC in active mode....The mode change did not have any affect on the lock ups.......Everything seems to work properly until the lock up.....

After the machine locks up...You must do a hard reset on the firewall...The ability to log in on the console is even lost....

Does anybody have any ideas of what may be going on...I am also open for any ideas on how to track this type of problem........


Thanks,
kill4u666

Hi,

I want to know how you get DC to work in active mode? I tried several times but it never worked....

thanks....

Hi,

Hopefully someone can help me here, my skills with ipchains are pretty limited and i've yet to make the move to iptables (just upgraded from a 6.2 kernel recently).

I've tried a number of times now to get Neo-Modus DirectConnect to work in active mode on a networked windoze box behind my RH 7.1 box using PMFirewall (ipchains) as a base for rules. I am also running Portsentry with the ports mentioned below removed from the listen list in the config file.

forward and REDIRECT 'ing TCP and UDP ports 412 (DC's recommended ports) does not seem to work. I've tried disabling the firewall (masq only) without any success as well as shutting down portsentry.

I can connect to DC hubs but when I attempt to search for files no results are produced and my linux box is logging kernel messages denying connection attempts on eth0 (outer network) on port 412. Even though "ipchains -L" lists:

ACCEPT tcp ------ "external IP address" anywhere any -> 412
ACCEPT udp ------ "external IP address" anywhere any -> 412


any help much appreciated.

thank you.

Hi

Can you please explain how you got DC working in active mode from behind the firewall? How did you actually enable the portforwarding in the firewall (i tried doing a simple portforwarding on the http port to an internal machine but it doesnt work... any special kernel parameters?)

In regards to the lockup I found that it happened to me if the kernel buffer filled up. So that meant I had to do a hard reboot on the firewall machine.. This happens if you have anyrules that actually logs the packets to the system buffer...

Ta
Spany

What is your firewall script. You may have to accept packets from certain ports to make it work. I have an extensive firewall script (using iptables) and have successfully gotten an ftp server to work behind it. I would expect that you would have to do some of the same things.

Hi

Do you mind if I take a look at your firewall script. I am really lost on ideas here actually. I understand the rules, but am not too great at writing my own rules.

Spany

Hi

Oh and btw, I am using a P133 with 48 MB of ram with RH 7.2 and Kernel 2.4.17 as my firewall router.

Ta
Spany

Just e-mail me at bbenz3@hotmail.com b/c the script is a little on the long side.


what a boring 100th post!

he he... i actually export my display to a windows machine and manage my router remotely... wouldnt feel happy about spending a super-machine one linux.. would be an overkill...

ta
Spany

well . . . My linux router sits in a closet with a 5 dollar monochrome monitor. The monitor is just to verify every once in a while that something is working. I use ssh from remote on either this linux box or one of my windows machines to admin the router.

kill4u666: I think it is necessary to see your firewall script/rules in order to assess the problem. I have run a similar configuration with no problems. As for the people who want to know how to get DC to work behind a firewall or on a NAT'd network, I'll tell you how I accomplished this. In this example the Winbl0ze box has a private ip address of 192.168.0.2.

1) Direct Connect Configuration

Go to --> Settings --> Connection --> Advanced Networking Options

Select Active mode...duh

Where it says Force Direct Connect to report connections on this port...choose a port that you like...we'll use 666 in this example in honor of kill4u666, the owner of this thread.

Where it says Force Direct Connect to report this ip...put the GLOBAL ip address of the machine that is your router/firewall/NAT machine.

Part 1 is now done...unless I've forgotten something

2) Iptables configuration

On the Linux firewall/NAT box map port 666 for udp and tcp connections to the Winbloze dc box.

iptables -t nat -A PREROUTING -p tcp --dport 666 -i eth0 -j DNAT --to 192.168.0.2

iptables -t nat -A PREROUTING -p udp --dport 666 -i eth0 -j DNAT --to 192.168.0.2

*Here is how to do a range of ports if you want to run more than one client.

iptables -t nat -A PREROUTING -p tcp --dport 666:777 -i eth0 -j DNAT --to 192.168.0.2:666-777

iptables -t nat -A PREROUTING -p udp --dport 666:777 -i eth0 -j DNAT --to 192.168.0.2:666-777

Anyhoo, hope this helps.

I think I figured out why port forwarding isn't working for me.

When I upgraded from a 2.2 to a 2.4 kernel (using up2date..oops) the basic kernel
installed iptables with ipchains support but did not include the ipchains port forwarding support in the kernel config or Makefile.

I tried rebuilding the kernel from source and found no mention of this capability (as far as ipchains is concerned) in the .config or the Makefile, so I am assuming that it is no longer supported or that it has to be added manually.....

So I tried switching to iptables via unloading ipchains and using loaded modules for iptables, but the system didn't seem to like that very much and had a nervous breakdown.


:smash:

got ipchains working again for the time being and now to figure out how to make the switch to iptables

wish me luck

Did you try doing this?

/bin/echo "1" > /proc/sys/net/ipv4/ip_forward


I'm sure you probably tried that already, but I thought I'd mention it anyway. A lot of people upgrade their kernel just so they can have support for iptables...and I have to admit, it does totally kick arse.

Yeah, I've tried that (actually it was already at a value of 1, but I did it anyway).

Thanks anyhow

I allsow wan't to get Direct Connect to work in Active Mode!

I know that it is port 411-414 that I have to activate.
How do I do this?
My computer whit DC has ip 192.168.0.2.

I use iptables. I have Slackware 8.0.

/Ludvig (Sweden)