On Tue, 21 May 2002, a2k wrote:

> I have 2 LANs (LAN1, LAN2) connected through the Internet via a FreeS/WAN
> VPN on two gateways (GW1, GW2) with strictly *SYMMETRIC* firewalling rules
> (and exactly the same software, kernel 2.4.18 - iptables 1.2.6a).
>
> We decided to add an irc server, and I put it on LAN1:BOX1, listening on
> the standard 6667 port.
>
> I added a rule to make the new service accessible from LAN2
> on the 2 gateways, ie :
>
> GW2 :
> <snip>
> iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1 -m
> state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s LAN2 -d LAN1:BOX1
> --dport 6667 -m state --state NEW -j ACCEPT
> iptables ....
> </snip>
>
> GW1 :
> <snip>
> iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1
> -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s LAN2 -d LAN1:BOX1
> --dport 6667 -m state --state NEW -j ACCEPT
> iptables ....
> </snip>
>
> If I do a /dcc send on LAN1:BOXB (tcp connection initiated by LAN2:BOXC),
> I get a "Connection Refused" on LAN2:BOXC (SYN packet dropped by GW2,
> visible in logs).
>
> If I do a /dcc send on LAN2:BOXC (tcp connection initiated by
> LAN1:BOXB), the file is successfully sent
Look at the lines where you accept ESTABLISHED,RELATED packets: you restricted the possible directions, therefore the configuration is not symmetric and consequently one of the DCCs fails.

Regards,
Jozsef

WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
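To make the point concrete, here is an added example (not from either poster) that puts the direction-restricted RELATED,ESTABLISHED rule from the question next to a symmetric version for both gateways. The LAN addresses and BOX1 address are constructed placeholders, and the script assumes the irc conntrack helper (ip_conntrack_irc) is loaded so DCC data connections are classified RELATED; by default it only prints the commands.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Network values are constructed.
# IPTABLES defaults to a dry run that prints each command; set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo iptables}"

LAN1=10.1.0.0/24      # constructed, stands for LAN1
LAN2=10.2.0.0/24      # constructed, stands for LAN2
BOX1=10.1.0.10        # constructed, stands for LAN1:BOX1 (the irc server)

# Original GW1 shape: RELATED,ESTABLISHED is accepted in one direction only
# (LAN2 -> BOX1). A DCC data connection that the helper marks RELATED but that
# goes to another LAN1 host, or leaves LAN1, never matches and is dropped.
gw1_asymmetric() {
  $IPTABLES -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s $LAN2 -d $BOX1 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s $LAN2 -d $BOX1 \
    --dport 6667 -m state --state NEW -j ACCEPT
}

# Symmetric GW1: RELATED,ESTABLISHED is accepted in both directions between the
# two LANs; only the NEW rule stays pinned to the irc server and port 6667.
gw1_symmetric() {
  $IPTABLES -A FORWARD -i ipsec0 -o eth0-lan1 -s $LAN2 -d $LAN1 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i eth0-lan1 -o ipsec0 -s $LAN1 -d $LAN2 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i ipsec0 -o eth0-lan1 -p tcp -s $LAN2 -d $BOX1 \
    --dport 6667 -m state --state NEW -j ACCEPT
}

# Mirror image on GW2 (interfaces eth-lan2 and ipsec0 as in the question).
gw2_symmetric() {
  $IPTABLES -A FORWARD -i eth-lan2 -o ipsec0 -s $LAN2 -d $LAN1 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i ipsec0 -o eth-lan2 -s $LAN1 -d $LAN2 \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i eth-lan2 -o ipsec0 -p tcp -s $LAN2 -d $BOX1 \
    --dport 6667 -m state --state NEW -j ACCEPT
}

# Quick self-check: how many RELATED,ESTABLISHED accepts does a ruleset emit?
# 1 means one direction only (the asymmetric case), 2 means both directions.
established_directions() {
  "$1" | grep -c 'RELATED,ESTABLISHED'
}
```

Run it as-is to see the generated commands; the self-check reports 1 for the asymmetric ruleset and 2 for each symmetric one.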
