LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-20-2003, 01:20 AM   #1
Kristijan
Member
 
Registered: Sep 2003
Location: Melbourne, Australia
Distribution: NetBSD 3.0.1, Slackware 10.1
Posts: 394

Iptable NAT issues and DCC


Hi,

I am having trouble sending files through IRC; accepting them is fine.

My iptables rules.

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe iptable_nat
iptables -t nat -F
iptables -F
# masquerade everything leaving on the ppp0 uplink
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED -j ACCEPT
# 1030-1033 for DCC, 22 for ssh; everything else arriving on ppp0 is dropped
iptables -A INPUT -p tcp --dport 1030 -j ACCEPT
iptables -A INPUT -p tcp --dport 1031 -j ACCEPT
iptables -A INPUT -p tcp --dport 1032 -j ACCEPT
iptables -A INPUT -p tcp --dport 1033 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ppp0 -j DROP
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o ppp0 -p tcp -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -p icmp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# the original line had no target; without -j ACCEPT the rule only counts packets
iptables -A FORWARD -i ppp0 -o eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
I have opened up ports 1030 - 1033 for receiving DCC.

<irc-user> -:- DCC GET ("testing.txt") request from Kristijan[m33p@203.173.60.23419
<irc-user> [192.168.0.2:1030]] 16 bytes

The irc-user seems to see my internal IP address rather than my ppp0 address.

Is there something wrong with my iptables, or is there an option in X-Chat that I am not seeing?

Regards and thanks in advance
Kristijan
 
Old 12-20-2003, 02:41 PM   #2
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

I suggest that you append a log entry to the FORWARD rules and then try the connection again. Check /var/log/messages for what traffic is being dropped and add those ports to your FORWARD rules. Then remove the log entry. You can drive yourself crazy blindly configuring iptables.

I notice you have a bunch of INPUT rules. Those only apply to connections being made directly to the server. Is that what you want?
Are you trying to do IRC directly from this box, or is this box a firewall that you are trying to IRC through?
 
Old 12-20-2003, 06:32 PM   #3
Kristijan
Member
 
Registered: Sep 2003
Location: Melbourne, Australia
Distribution: NetBSD 3.0.1, Slackware 10.1
Posts: 394

Original Poster
Yes g-rod, the only connections I want made to the server are 1030 - 1033, which I am using for DCC, along with 22, which I am using for ssh. Everything else is dropped unless already established.

How would I go about appending a log entry to my FORWARD rule?
 
Old 12-20-2003, 06:59 PM   #4
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Oh, by the way, your script looks right to me, but there must be something missing.

I had assumed that this box was being used as a firewall and the clients inside the network were not able to IRC out.

iptables -A FORWARD -j LOG --log-prefix 'FORWARD-DROP '

Then in a terminal window
tail -f /var/log/messages | grep FORWARD-DROP
Then try to connect via IRC.
 
Old 01-06-2004, 07:27 PM   #5
Kristijan
Member
 
Registered: Sep 2003
Location: Melbourne, Australia
Distribution: NetBSD 3.0.1, Slackware 10.1
Posts: 394

Original Poster
Sorry I left this for so long, just didn't cross my mind to check back.

I can connect to IRC fine, that's not a problem; it's just that I cannot send DCC. I can receive, just not send.

<irc-user> -:- DCC GET ("testing.txt") request from Kristijan[m33p@203.173.60.23419
<irc-user> [192.168.0.2:1030]] 16 bytes

The irc-user seems to see my internal IP address rather than my external address. I take it that it's a NAT issue, just not sure how to fix it. My rules are still the same as they were in post #1.

I removed all the FORWARD rules though; they seemed to lag my web browsing for some reason.

EDIT: A friend was just telling me that there is a DCC NAT kernel module that might be useful in this type of problem. Anyone had any experience with that?

Last edited by Kristijan; 01-06-2004 at 07:31 PM.
 
Old 01-06-2004, 07:36 PM   #6
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

You need to add the IRC stateful packet inspection module.
modprobe ip_nat_irc
 
Old 01-06-2004, 07:47 PM   #7
Kristijan
Member
 
Registered: Sep 2003
Location: Melbourne, Australia
Distribution: NetBSD 3.0.1, Slackware 10.1
Posts: 394

Original Poster
Ok, I've done that. Is there anything else that needs to be done for it to work?

Both ip_nat_irc.o and ip_conntrack_irc.o have been insmod'd.
 
Old 01-07-2004, 07:21 AM   #8
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Yes, you need to modprobe ip_conntrack_irc also.
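
Why the helper modules matter here: a DCC SEND offer carries the sender's address inside the CTCP payload as a decimal 32-bit integer, so MASQUERADE alone rewrites the packet header and leaves 192.168.0.2 in the message body, which is exactly what the peer in post #1 sees. ip_conntrack_irc parses that payload on IRC connections to the ports named by its `ports` module parameter (6667 by default), ip_nat_irc replaces the integer with the masqueraded address, and conntrack registers an expectation so the peer's incoming connection to the advertised port is matched as RELATED. The script below is an added example written for this page, not code from the thread or from the netfilter project; it decodes an offer and shows the rewrite the helper performs. The sample offer, the function names, and the use of 203.173.60.234 (the external address in the OP's paste) as the masqueraded address are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode a DCC SEND offer and show the rewrite ip_nat_irc does.
# Not code from the thread; all names and the sample offer are constructed.

# Dotted quad -> decimal 32-bit integer (the form DCC puts in the CTCP payload)
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Decimal 32-bit integer -> dotted quad
int2ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Print "address port" advertised by a DCC SEND/CHAT payload.
# Payload layout: DCC <SEND|CHAT> <file|chat> <ip-as-uint32> <port> [size]
# (a filename containing spaces is not handled here)
dcc_decode() {
    set -- $1
    echo "$(int2ip "$4") $5"
}

# Exit 0 if the advertised address is RFC 1918 space, i.e. the offer would
# leak an internal address if it left the NAT box unmodified.
dcc_leaks_private() {
    addr=$(dcc_decode "$1" | cut -d' ' -f1)
    case $addr in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# What the NAT helper does to the payload: swap the internal uint32 for the
# masqueraded address. $1 = payload, $2 = external dotted-quad address.
dcc_rewrite() {
    ext=$(ip2int "$2")
    printf '%s\n' "$1" | awk -v ext="$ext" \
        '$1 == "DCC" && ($2 == "SEND" || $2 == "CHAT") { $4 = ext } { print }'
}

# Constructed sample: what a client on 192.168.0.2 sends for a 16-byte file.
offer='DCC SEND testing.txt 3232235522 1030 16'
echo "client advertises : $(dcc_decode "$offer")"
if dcc_leaks_private "$offer"; then
    echo "internal address in payload: the IRC helper has to rewrite it"
fi
echo "after ip_nat_irc  : $(dcc_rewrite "$offer" 203.173.60.234)"
```

Two caveats follow from how the helper works: it only inspects connections to the ports it was told about, so a server on a non-standard port needs something like `modprobe ip_conntrack_irc ports=6667,7000`, and it cannot see inside an SSL-encrypted IRC session at all, in which case the offer leaves the box unmodified exactly as in post #1.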
 
Old 01-07-2004, 08:28 PM   #9
Kristijan
Member
 
Registered: Sep 2003
Location: Melbourne, Australia
Distribution: NetBSD 3.0.1, Slackware 10.1
Posts: 394

Original Poster
Yep, they have both been modprobed, yet I still can't seem to DCC =/
 
Old 01-08-2004, 07:12 AM   #10
g-rod
Member
 
Registered: Dec 2003
Location: Long Island, NY USA
Distribution: RedHat, SUSE
Posts: 336

Is the translation issue still a problem, or is that resolved and you are still not connecting?

You might want to check out
http://lists.debian.org/debian-firew.../msg00032.html
This a quote from the end of that link
"IMHO DCC uses random unprivports, so you have to enable all ports
between 1025 and 65535 for the target ip address. (which is quite
unsecure, so use it with care)"


iptables -I FORWARD -p tcp --dport 1025:65535 -j ACCEPT
iptables -I FORWARD -p udp --dport 1025:65535 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "forward "

Run
tail -f /var/log/messages
in one terminal and try to connect in another. That way you can see if the FORWARD chain is dropping any packets.
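
The logging step from posts #4 and #10 writes lines of the form `FORWARD-DROP IN=eth0 OUT=ppp0 SRC=... DST=... PROTO=TCP SPT=... DPT=...` to /var/log/messages (the prefix needs a trailing space, or it runs straight into `IN=`). Rather than opening 1025-65535 in both directions as the quoted list message suggests, a safer use of that log is to summarise the dropped lines by direction, protocol and destination port and open only what actually shows up. The script below is an added example written for this page, not code from the thread; the log lines are constructed to look like netfilter LOG output for the OP's layout (eth0 inside, ppp0 uplink), and 198.51.100.x are documentation addresses.

```shell
#!/bin/sh
# Added example: summarise netfilter LOG lines instead of opening every port.
# Not code from the thread; the sample log lines below are constructed.

# Constructed sample of what `-j LOG --log-prefix 'FORWARD-DROP '` writes
# to /var/log/messages on the OP's box (eth0 = LAN, ppp0 = uplink).
LOG_SAMPLE='Jan  8 07:12:01 gw kernel: FORWARD-DROP IN=ppp0 OUT=eth0 SRC=198.51.100.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=34120 DPT=1030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  8 07:12:04 gw kernel: FORWARD-DROP IN=ppp0 OUT=eth0 SRC=198.51.100.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=34121 DPT=1030 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  8 07:12:09 gw kernel: FORWARD-DROP IN=eth0 OUT=ppp0 SRC=192.168.0.2 DST=198.51.100.20 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4400 DF PROTO=UDP SPT=1040 DPT=123 LEN=56
Jan  8 07:12:15 gw kernel: ppp0: some unrelated kernel message'

# Read LOG lines on stdin; print "IN OUT PROTO DPT count", one line per tuple.
summarize_drops() {
    awk '/FORWARD-DROP/ {
            in_if = out_if = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)    in_if  = substr($i, 4)
                if ($i ~ /^OUT=/)   out_if = substr($i, 5)
                if ($i ~ /^PROTO=/) proto  = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt    = substr($i, 5)
            }
            if (in_if != "" && out_if != "" && proto != "" && dpt != "")
                count[in_if " " out_if " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Turn the summary into the narrowest FORWARD rules that would have matched.
# For the OP's case the inbound hits (ppp0 -> eth0, DPT 1030 here) are what
# the IRC helper classifies as RELATED once it is loaded; without the helper
# they would also need a DNAT rule in nat/PREROUTING, which this does not add.
suggest_rules() {
    summarize_drops | awk '{
        printf "iptables -A FORWARD -i %s -o %s -p %s --dport %s -j ACCEPT   # seen %s times\n",
               $1, $2, tolower($3), $4, $5 }'
}

printf '%s\n' "$LOG_SAMPLE" | summarize_drops
printf '%s\n' "$LOG_SAMPLE" | suggest_rules
```

In use you would feed it the real file (`grep FORWARD-DROP /var/log/messages | summarize_drops`), look at the handful of tuples that come out, and add only those, then remove the LOG rule again as post #2 says; the wide 1025:65535 openings from the quoted message are never needed for this.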