Port 113 forwarding

 
 
Chris H

 
      09-06-2004, 09:18 AM
Hi,
I have a linux gateway that is 192.168.1.1 and a network pc connecting
to the internet through this gateway. My gateway is working fine, and
I can connect to the net through it from this pc. My problem is I
can't get identd to work properly. It works fine from the gateway
machine, but it won't work when I connect to IRC from this pc. I'm
running iptables and have tried the following:

iptables -t nat -A PREROUTING -p tcp -d 203.221.160.171 --dport 113 \
  -j DNAT --to-destination 192.168.1.1-192.168.1.10

This is making no difference. I'm a software guy and don't have much
experience in this stuff. Any help is much appreciated.

Cheers,
Chris.
 
 
 
 
 
Juha Laiho

 
      09-06-2004, 02:27 PM
Chris H said:
>I have a linux gateway that is 192.168.1.1 and a network pc connecting
>to the internet through this gateway. My gateway is working fine, and
>I can connect to the net through it from this pc. My problem is I
>can't get identd to work properly.


Yup.. the problem is (AFAIK) that ident packets contain IP addresses
(of the client machines) within the data -- and as those IP addresses
don't match the address of the machine responding to the ident query
(your gateway), the server requesting ident considers the reply invalid.

For possible resolutions, see:
http://www.linuxforum.com/linux-ip-m...ade/ident.html
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
 
Andrew Schulman

 
      09-06-2004, 02:57 PM
> I have a linux gateway that is 192.168.1.1 and a network pc connecting
> to the internet through this gateway. My gateway is working fine, and
> I can connect to the net through it from this pc. My problem is I
> can't get identd to work properly. It works fine from the gateway
> machine, but it won't work when I connect to IRC from this pc. I'm
> running iptables and have tried the following:
>
> iptables -t nat -A PREROUTING -p tcp -d 203.221.160.171 --dport 113 \
>   -j DNAT --to-destination 192.168.1.1-192.168.1.10
>
> This is making no difference. I'm a software guy and don't have much
> experience in this stuff. Any help is much appreciated.


The solution I found to this problem is not to run identd at all, but just
to REJECT, rather than DROP, all inbound requests on 113/TCP at the
firewall. My rule is

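# INPUT chain assumed; $UNPRIVPORTS is set elsewhere in the firewall script (commonly 1024:65535)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 113 \
  -j REJECT --reject-with tcp-reset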

What seems to happen is that IRC servers (or at least, the ones I've tried)
try to connect to your identd, and if they don't get a response at all
(i.e. you DROP their incoming requests), they'll wait around forever
without completing your connection. But you don't really need to be
running identd; you just need to REJECT their request so they know you're
not running it.

Once I made this change I was finally able to connect to IRC.
Good luck,
Andrew.

--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
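
Added example, not part of the original thread: a small Python check that classifies how TCP port 113 answers a connection attempt, which is the DROP versus REJECT difference described in the post above. The names probe_tcp and local_demo are made up for this illustration, and the demo runs entirely on 127.0.0.1 with constructed sockets.

```python
import socket
import time


def probe_tcp(host, port=113, timeout=3.0):
    """Return (state, seconds) for one TCP connect attempt.

    open: handshake completed; rejected: refused at once (closed port or
    REJECT rule); filtered: no answer before timeout (DROP rule);
    error: any other failure, such as no route to the host.
    """
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            state = "open"
        except ConnectionRefusedError:
            state = "rejected"
        except socket.timeout:
            state = "filtered"
        except OSError:
            state = "error"
    return state, time.monotonic() - start


def local_demo():
    """Constructed offline demo on 127.0.0.1; no firewall is involved."""
    with socket.socket() as listener, socket.socket() as spare:
        listener.bind(("127.0.0.1", 0))   # stands in for a running identd
        listener.listen(1)
        spare.bind(("127.0.0.1", 0))      # reserve a port, then release it
        closed_port = spare.getsockname()[1]
        spare.close()
        # Nothing listens on closed_port now, so the kernel answers with RST,
        # the same reply that "--reject-with tcp-reset" produces.
        return {
            "listening": probe_tcp("127.0.0.1", listener.getsockname()[1]),
            "closed": probe_tcp("127.0.0.1", closed_port),
        }


if __name__ == "__main__":
    for name, (state, secs) in local_demo().items():
        print(f"{name:10s} {state:9s} {secs:.3f}s")
```

Run from a host outside the firewall against the gateway's public address, a result of "filtered" after the full timeout corresponds to the DROP case that stalls the IRC login, while "rejected" within milliseconds corresponds to the REJECT rule.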
 
 
Chris H

 
      09-07-2004, 09:07 AM
Andrew Schulman wrote:
> > I have a linux gateway that is 192.168.1.1 and a network pc connecting
> > to the internet through this gateway. My gateway is working fine, and
> > I can connect to the net through it from this pc. My problem is I
> > can't get identd to work properly. It works fine from the gateway
> > machine, but it won't work when I connect to IRC from this pc. I'm
> > running iptables and have tried the following:
> >
> > iptables -t nat -A PREROUTING -p tcp -d 203.221.160.171 --dport 113 \
> >   -j DNAT --to-destination 192.168.1.1-192.168.1.10
> >
> > This is making no difference. I'm a software guy and don't have much
> > experience in this stuff. Any help is much appreciated.

>
> The solution I found to this problem is not to run identd at all, but just
> to REJECT, rather than DROP, all inbound requests on 113/TCP at the
> firewall. My rule is
>
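> # INPUT chain assumed; $UNPRIVPORTS is set elsewhere in the firewall script (commonly 1024:65535)
> iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 113 \
>   -j REJECT --reject-with tcp-reset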
>
> What seems to happen is that IRC servers (or at least, the ones I've tried)
> try to connect to your identd, and if they don't get a response at all
> (i.e. you DROP their incoming requests), they'll wait around forever
> without completing your connection. But you don't really need to be
> running identd; you just need to REJECT their request so they know you're
> not running it.
>
> Once I made this change I was finally able to connect to IRC.
> Good luck,
> Andrew.


I can connect to IRC fine, I just wish identd would work so I can join
channels I need to join. Thx for the feedback.
 