Imitheos wrote:
> Hello.
>
> I have a linux firewall with 2.6 kernel and iptables.
> I have read many posts and sites but every post says to enable the
> conntrack/nat modules or to set xchat properly.
>
> I have RELATED connections enabled and while FTP works (both active and
> passive) DCC does not work.
>
> I am posting any firewall rules I think may be relevant.
>
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 20480 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> for i in /proc/sys/net/ipv4/conf/*/; do
>
> echo 1 > $i/rp_filter
> echo 1 > $i/log_martians
> done   # (have tried with rp_filter=0 too)
>
> /sbin/modprobe ip_conntrack_ftp ports=21
> /sbin/modprobe ip_conntrack_irc ports=6667,6669,7000
> /sbin/modprobe ip_nat_ftp ports=21
> /sbin/modprobe ip_nat_irc ports=6667,6669,7000
I think you shouldn't put ports= in the modprobe; the defaults are
correct, and maybe the problem is there.
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -t filter -F
> $IPTABLES -t nat -X
> $IPTABLES -t mangle -X
> $IPTABLES -t filter -X
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -N fw_tcp
> $IPTABLES -N fw_udp
> $IPTABLES -N fw_icmp
>
> $IPTABLES -A INPUT -i $LO_IF -j ACCEPT
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> (INPUT SERVICES PORTS rules)
>
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp -j fw_tcp
> $IPTABLES -A FORWARD -p udp -j fw_udp
> $IPTABLES -A FORWARD -p icmp -j fw_icmp
> $IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
> $IPTABLES -A FORWARD -j REJECT
>
> # FTP
> $IPTABLES -A fw_tcp -p tcp --dport 20:21 -j ACCEPT
> $IPTABLES -A fw_tcp -p tcp --dport 6667 -j ACCEPT
> $IPTABLES -A fw_tcp -p tcp --dport 6667 -m state --state RELATED -j ACCEPT
I think this last rule isn't necessary, because the ones with
ESTABLISHED and RELATED come before it and do the same job.
> $IPTABLES -A fw_tcp -p tcp --dport 6669 -j ACCEPT
> $IPTABLES -A fw_tcp -p tcp --dport 7000 -j ACCEPT
> (OTHER PORTS rules)
>
>
> I don't know why FTP works and DCC doesn't.
> My test machine has IP 192.168.0.202.
> My NAT gateway with the above setup has IP 192.168.0.2.
> As I said, I tried all the combinations in X-Chat and I can't make it
> work. The only thing I can get is that with some setups in X-Chat I get
> "DCC Forged".
Your script seems right, so you should enable logging and see what's
happening. I think the problem is that Netfilter can't see
the DCC connections as RELATED, maybe because the ports you
specify are not the ones it tries to use.
>
>
> I am sorry for the long post.
> I will wait for your opinion.
>
> Thank you for your time.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
(E-Mail Removed)
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
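The reply above suggests logging to see what happens to the DCC connection. The script below is an added example, not part of the thread and not the poster's firewall script: it assumes a LOG rule with the prefix "FWD-REJECT: " was inserted just before the two REJECT rules in the FORWARD chain (that rule is an assumption, shown in a comment), and it then picks the rejected forwarded TCP SYNs out of the kernel log. If the IRC conntrack helper had recognized the DCC offer, the incoming SYN would have matched the RELATED rule and never reached the REJECT rules, so a rejected SYN towards the LAN host on the port the client announced is the sign that the helper did not see the connection as RELATED. The log lines in the script are constructed for the example, not captured from a real gateway.

```shell
#!/bin/sh
# Added example (not from the original thread): list forwarded TCP SYNs that
# the firewall rejected. With the poster's rule set, a DCC connection that the
# ip_conntrack_irc helper did not mark RELATED ends up here.
#
# Assumed LOG rule, placed before the REJECT rules in FORWARD (not in the
# poster's script):
#   $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-REJECT: " --log-level info
#
# Output: one "SRC DST DPT" line per rejected SYN, to compare DPT with the port
# announced in the DCC offer (X-Chat shows it in the DCC window).

# Constructed sample kernel log lines in the netfilter LOG format.
SAMPLE_LOG='Mar 10 12:00:01 gw kernel: FWD-REJECT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.202 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=41234 DPT=1025 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:02 gw kernel: FWD-REJECT: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.202 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=41234 DPT=1025 WINDOW=5840 RES=0x00 ACK URGP=0
Mar 10 12:00:03 gw kernel: FWD-REJECT: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.202 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=UDP SPT=5000 DPT=5000 LEN=20
Mar 10 12:00:04 gw kernel: FWD-REJECT: IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.0.202 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=99 DF PROTO=TCP SPT=5555 DPT=1026 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw kernel: unrelated message, not from the firewall'

# rejected_syns PREFIX: read log lines on stdin, keep those carrying PREFIX,
# and print "SRC DST DPT" for every TCP packet with SYN set and ACK clear
# (a new connection attempt, not the SYN/ACK of an established one).
rejected_syns() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            proto = ""; src = ""; dst = ""; dpt = ""; syn = 0; ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i == "SYN")  syn = 1
                else if ($i == "ACK")  ack = 1
            }
            if (proto == "TCP" && syn && !ack) print src, dst, dpt
        }'
}

# count_rejected_syns: number of rejected SYNs in the constructed sample.
count_rejected_syns() {
    printf '%s\n' "$SAMPLE_LOG" | rejected_syns "FWD-REJECT:" | wc -l | tr -d ' '
}

# Stand-alone run over the sample; on the gateway you would pipe in
# /var/log/messages (or dmesg) instead.
printf '%s\n' "$SAMPLE_LOG" | rejected_syns "FWD-REJECT:"
```

On the sample this prints two lines, both SYNs to 192.168.0.202 (ports 1025 and 1026); the ACK-only retry and the UDP packet are skipped. A listed SYN whose DPT equals the DCC port the client advertised means the helper never created the expectation for it, which is what to look at next (the helper's port list, or the port the IRC server actually uses).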