Hi,
I'm having problems with DCCs in IRC and a masquerading iptables firewall/router. The
setup is as follows:
The Linux box (PII/300 MHz) acts as a DSL router for some W2K machines connected to
the internal network. It has 2 NICs, a 3Com Etherlink III (eth1, ISA) is attached to
the DSL modem and a RTL8139 for the LAN (eth0, private IPs 192.168.76.xxx). For DSL
access, I use rp-pppoe (3.3-1). Current kernel version is 2.4.19-pre2 but I had the
same problem with all other versions that I've tried (2.4.17, 2.4.18, 2.4.19-pre4, all
from kernel.org). At the moment, I'm using iptables 1.2.6a from CVS (03/30/02)
compiled with all "submitted" patches (applied with "make pending-patches"), newnat13
and some others (recent, mport, helper, owner, time) (applied with "make
patch-o-matic").
The Linux distribution is Mandrake 8.1 with many upgraded packages.
In IRC, I can send files and start DCC chats; everything else also works fine from the
router itself and the clients (web access, ftp, etc.).
Only incoming DCC connections do not work at all (neither from the Linux box nor from
the clients). When someone initiates a DCC chat with me or tries to send a file, the
outbound SYN packet is always rejected by the firewall. Apparently, it is not
recognized as related to the IRC connection. I have tried this with BitchX and irssi
under Linux (from the router) and mIRC for Windows (from a client).
Example log entry:
firewall: TCP rejected IN= OUT=ppp0 SRC=<IP_OF_PPP0> DST=<REMOTE> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33599 PROTO=TCP SPT=41924 DPT=4459 WINDOW=5808 RES=0x00 SYN URGP=0
The firewall script itself is quite long, that's why I'm not posting it here. Of
course I can e-mail it on request.
Here are some parts of the rules:
# iptables -L INPUT -vn
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -f eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -f ppp0 * 0.0.0.0/0 0.0.0.0/0
502 41980 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
10214 3408K ACCEPT all -- eth0 * 192.168.76.0/24 0.0.0.0/0
887 669K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
...
<some rules>
...
17 916 LnD tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
# iptables -L OUTPUT -vn
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
98 12554 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
692 57725 ACCEPT all -- * eth0 0.0.0.0/0 192.168.76.0/24
6956 279K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
...
<some rules>
...
0 0 ACCEPT tcp -- * ppp0 <IP_OF_PPP0> 0.0.0.0/0 tcp spts:1024:65535 dpts:6663:6669 state NEW
0 0 ACCEPT tcp -- * ppp0 <IP_OF_PPP0> 0.0.0.0/0 tcp spts:1024:65535 dpts:7000:7002 state NEW
...
<some more rules>
...
4 240 LnR tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0
# iptables -L FORWARD -vn
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
294 19727 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
...
<some more rules>
12 768 LnR tcp -- eth0 ppp0 0.0.0.0/0 0.0.0.0/0
(LnR = Log and Reject chain, LnD = Log and Drop chain)
The DCC SYN packets are caught by the LnR chain at the end.
An incoming DCC send/chat does not produce an EXPECTING entry in
/proc/net/ip_conntrack. There's no difference if I load the IRC modules without port
parameters or with several ports or if I connect to different ports of an IRC server.
After enabling debugging in ip_conntrack_irc and ip_conntrack_core, I get the
following syslog entries for outbound DCCs:
ip_conntrack_irc.c:help:DCC found in master 192.168.76.50:1730 <IRC_SERVER>:6667...
ip_conntrack_irc.c:help:DCC SEND detected
ip_conntrack_irc.c:help:DCC bound ip/port: 192.168.76.50:55252
and similar for DCC chats. Incoming DCCs do not produce any messages at all.
Loading the ip_conntrack_irc module produces (for every IRC server port)
ip_conntrack_irc.c:init:port #0: 6667
ASSERT ip_conntrack_core.c:541 &ip_conntrack_lock not readlocked
Loaded modules:
# lsmod
Module Size Used by
capidrv 24880 2
fcpci 538976 4
capi 17360 6
capifs 3424 1 [capi]
kernelcapi 29680 6 [capidrv fcpci capi]
capiutil 22720 0 [capidrv kernelcapi]
isdn 112448 3 [capidrv]
ip_nat_irc 2704 0 (unused)
ipt_MARK 720 21 (autoclean)
ipt_helper 688 3 (autoclean)
ipt_recent 4816 10 (autoclean)
ipt_state 576 58 (autoclean)
ipt_MASQUERADE 1744 1 (autoclean)
ipt_REJECT 2768 1 (autoclean)
ipt_LOG 3392 20 (autoclean)
ipt_limit 928 17 (autoclean)
iptable_mangle 2064 1 (autoclean)
ip_conntrack_irc 4592 8 [ip_nat_irc]
ip_nat_ftp 3440 0 (unused)
iptable_nat 21072 12 [ip_nat_irc ipt_MASQUERADE ip_nat_ftp]
ip_conntrack_ftp 4144 3 [ip_nat_ftp]
ip_conntrack 27056 14 [ip_nat_irc ipt_helper ipt_state ipt_MASQUERADE ip_conntrack_irc ip_nat_ftp iptable_nat ip_conntrack_ftp]
iptable_filter 1680 1 (autoclean)
ip_tables 13280 13 [ipt_MARK ipt_helper ipt_recent ipt_state ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_nat iptable_filter]
sch_sfq 3536 5 (autoclean)
sch_htb 12528 2 (autoclean)
sd_mod 10784 0 (autoclean) (unused)
n_hdlc 6016 1
ppp_synctty 4624 1
ppp_async 6112 0 (unused)
parport_pc 13328 1 (autoclean)
lp 6240 0 (autoclean)
parport 14176 1 (autoclean) [parport_pc lp]
3c509 7728 1 (autoclean)
8139too 13200 1 (autoclean)
mii 1072 0 (autoclean) [8139too]
ide-scsi 7632 1
md 43968 0 (unused)
ide-cd 26560 0 (autoclean)
cdrom 27584 0 (autoclean) [ide-cd]
rtc 5664 0 (autoclean)
A lot of searching the web and the mailing list archives turned up mostly the "you
have to load the IRC helper modules" type of advice. I can't help thinking that I'm doing
something wrong here, especially since no one else seems to have this problem. If
anyone could point me in the right direction I would appreciate it.
Thanks in advance,
Kyle
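The log entry quoted above is the only hard evidence in the post, so a small parser for that ipt_LOG format is the natural diagnostic tool. The following is an added example, not code from the poster or from the netfilter project: it parses kernel log lines carrying the poster's "firewall: TCP rejected" prefix, keeps only packets that open a NEW outbound TCP connection (SYN without ACK, non-empty OUT interface), infers from the IN/OUT pair which filter chain logged them (an assumption based on the chains shown above: empty IN means OUTPUT, both set means FORWARD), and counts them per flow. Repeated SYNs to one unprivileged destination port are exactly what a remote-initiated DCC looks like when no RELATED expectation exists and the packet falls through to the LnR chain. The sample lines are constructed (documentation-range public addresses plus the poster's 192.168.76.0/24 LAN); the function and variable names are this example's own.

```python
"""Summarise rejected outbound SYNs from ipt_LOG lines.

Added example, not part of the original post.  Given kernel log lines in
the format the poster quoted ("firewall: TCP rejected IN= OUT=ppp0 ... SYN"),
extract the KEY=VALUE fields and bare TCP flag words, keep only NEW outbound
connection attempts, and group them by (chain, src, dst, dpt) so that the
retransmit pattern of a blocked DCC stands out.
"""
import re
from collections import Counter

# ipt_LOG prints KEY=VALUE tokens (the value may be empty, e.g. "IN=") and
# bare flag words (SYN, ACK, DF, ...) with no value.  Alternative 1 is tried
# first, so "URGP=0" is captured as a field and never as the flag "URG".
_TOKEN = re.compile(r"([A-Z]+)=(\S*)|\b(SYN|ACK|FIN|RST|PSH|URG|DF|CE)\b")
# "firewall:" is the --log-prefix visible in the poster's log entry.
_PREFIX = re.compile(r"firewall: TCP (\w+) ")

# Constructed sample lines; not real traffic.  Lines 1-2 mimic the poster's
# entry (router-local client, OUTPUT chain), line 3 a masqueraded LAN client
# (FORWARD chain), line 4 an unrelated inbound drop, line 5 a mid-stream ACK.
SAMPLE_LOG = """\
Apr  2 20:11:03 router kernel: firewall: TCP rejected IN= OUT=ppp0 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33599 PROTO=TCP SPT=41924 DPT=4459 WINDOW=5808 RES=0x00 SYN URGP=0
Apr  2 20:11:06 router kernel: firewall: TCP rejected IN= OUT=ppp0 SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=33600 PROTO=TCP SPT=41924 DPT=4459 WINDOW=5808 RES=0x00 SYN URGP=0
Apr  2 20:12:40 router kernel: firewall: TCP rejected IN=eth0 OUT=ppp0 SRC=192.168.76.50 DST=203.0.113.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1201 PROTO=TCP SPT=1732 DPT=2001 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  2 20:13:01 router kernel: firewall: TCP dropped IN=ppp0 OUT= SRC=203.0.113.55 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=51 ID=777 PROTO=TCP SPT=3344 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Apr  2 20:13:05 router kernel: firewall: TCP rejected IN=eth0 OUT=ppp0 SRC=192.168.76.50 DST=203.0.113.21 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1202 PROTO=TCP SPT=1733 DPT=80 WINDOW=16384 RES=0x00 ACK URGP=0
"""


def parse_log_line(line):
    """Return a dict of fields for one prefixed ipt_LOG line, else None."""
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = {"action": m.group(1), "flags": set()}
    for key, value, flag in _TOKEN.findall(line[m.end():]):
        if flag:
            rec["flags"].add(flag)
        else:
            rec[key] = value          # empty string for "IN=" / "OUT="
    return rec


def is_new_outbound_syn(rec):
    """SYN without ACK leaving on a real interface: a NEW outbound connection."""
    return (rec.get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"]
            and rec.get("OUT", "") != "")


def chain_for(rec):
    """Filter chain inferred from IN/OUT (assumption matching the poster's setup)."""
    if rec.get("IN", "") == "" and rec.get("OUT", "") != "":
        return "OUTPUT"     # locally generated, e.g. an IRC client on the router
    if rec.get("IN", "") != "" and rec.get("OUT", "") != "":
        return "FORWARD"    # masqueraded LAN client
    return "INPUT"


def rejected_new_flows(log_text):
    """Count rejected NEW outbound SYNs per (chain, src, dst, dpt)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["action"] == "rejected" and is_new_outbound_syn(rec):
            counts[(chain_for(rec), rec["SRC"], rec["DST"], int(rec["DPT"]))] += 1
    return counts


def report(counts):
    """One line per flow; a count above 1 to one high port is the SYN-retransmit
    signature of a connection the peer asked us to open (DCC) that neither the
    RELATED/ESTABLISHED rule nor an explicit ACCEPT let through."""
    lines = []
    for (chain, src, dst, dpt), n in sorted(counts.items()):
        note = "  (unprivileged port: candidate DCC data connection)" if dpt >= 1024 else ""
        lines.append(f"{chain}: {src} -> {dst}:{dpt}  x{n}{note}")
    return lines


if __name__ == "__main__":
    for entry in report(rejected_new_flows(SAMPLE_LOG)):
        print(entry)
```

Run against a real /var/log/messages the same way (`rejected_new_flows(open(path).read())`); flows that appear here while `/proc/net/ip_conntrack` shows no matching EXPECTING entry are the ones the helper never registered, which narrows the problem to conntrack rather than to the filter rules themselves.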