nat/masquerade, connection tracking
ok..here's the story cut short: I have set up a small home network, access the net from my pc through a firewalling machine, and have been unable to use things like irc DCC, instant messaging sends (things the kind of msn, icq etc.) and so on. I have to use masquerading/nat to get the net working on my pc, and mostly it does - the only things that do not work are those file sends I mentioned above (receiving ok)
then I heard about iptables (which I use for firewalling) modules called ip_conntrack_irc and ip_nat_irc that should solve my problem - I modprobed them, restarted my irc client and tried....worked like magic. now what's the problem, you ask - it's that this won't work anymore!
so, I'd like to get an explanation. it's been a week or two when this worked, for one evening. I was running my machines normally, modprobed the modules mentioned above, restarted irc software and DCC send worked...I also think instant messaging sends and so on would have worked. anyway, it worked nicely, until I shut my own pc in the evening..a few days passed as I didn't need my machine, and when I started it up again...no. no dcc send worked, no instant messaging send worked, nothing like that..I double-checked that I had the ip_conntrack_irc and ip_nat_irc modules loaded, normal net worked fine, DCC works and so on (but...Gtk-Gnutella doesn't? I don't use it, but anyway..it won't work. I tested with it.)
so what has happened? I haven't changed my firewall configuration, it's untouched. people do get a message when I try to send them something over some other protocol than http, but when they accept the transfer, it never starts. it's like I wouldn't have the connection tracking working, since my firewall should let "known" connections through..but if the modules are loaded, why wouldn't it work?
thanks for any info..also, if somebody could tell why DC (dcgui-qt) works but Gnutella doesn't, I'd be pleased. not that I'd need them that badly, but it's nice to know :) and this irc/instant messaging stuff...that's what I need, because emails are pure pain when sending a bit bigger files like archives to people I need to send them to because of my work. emails just don't do the thing..
oh, one more thing - if I send something from the firewalling machine itself, and no nat/masquerading is done (right?), everything works perfectly. what killed my working conntrack?
what do you get when you do
somehow big (well..not actually that big) list of my firewall rules..including forwarding and so on. the default policies are set to DROP, and I've checked that NAT works with forwarding (otherwise my internet wouldn't work)...I can post the output here if you wish, but I'm pretty sure it's ok.
the odd thing is, that even if I set up a firewall with default policies set to ACCEPT and the only rules made for forwarding and NAT to work, it still won't help...so is the problem with NAT? but how could it be..if the connection tracking modules are loaded ok?
EDIT: one more thing. I checked this on irc with one of my friends - when I send a file, and my friend gets the notice of it, he _does_ get the ip address that my isp gives to me, and _not_ the internal network address. so this proves, I think, that NAT does work but why don't I still get it ok? could there be a possibility that the address is NATed when I send the question for file send, but when the answer comes back, it isn't translated and sticks to my firewall rather than continuing to my own pc?
|All times are GMT -5. The time now is 09:37 PM.|