Wojtek M. <(E-Mail Removed)> wrote:
> Hello
>
> My network looks like:
> Internet-Firewall-Firewall-LAN
> The default rule is DROP, and then I allow some services, for
> example SSH:
You want to put --syn in there as well if you're using --state. The
--state rule should go very near the top of the firewall, for
performance reasons mainly.
> $IPTABLES -A FORWARD -p tcp --dport 22 -s $LAN_IP_RANGE \
> -i $LAN_IFACE -j ACCEPT
> ....
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> Both firewalls have the same rules, and they work OK, meaning SSH and
> the other services work fine.
>
> But now I want to allow connecting with/to Direct Connect (port 411).
> I wrote the same rules. I can connect to the hub, but file transfers are not
> possible ("connection timed out", said the DC client).
> It is similar with the other p2p programs: they don't work.
Are these routers doing NAT?
Try running tcpdump on the firewalls and seeing what the clients are
trying to do.
From what you have written, it would seem that you can run in passive
mode, but not active mode. This means that you need to allow connections
(probably to port 411, tcpdump will tell you what's really happening),
to the client from the internet.
> PS. When there was one firewall in the network:
> Internet-Firewall-LAN, p2p programs worked fine.
Make sure these connections can make it through both firewalls. If
you're using NAT, don't forget you need to use port-forwarding (DNAT).
--
Cameron Kerr
http://nzgeeks.org/cameron/
Empowered by Perl!
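The ruleset the reply above describes, written out as an added example (it is not code from either poster): the ESTABLISHED,RELATED rule goes first, the rules that open new connections carry --syn, the inbound active-mode connection is allowed in from the WAN side, and a DNAT rule forwards it to the LAN client on whichever firewall does NAT. Interface names eth0/eth1, the LAN range 192.168.1.0/24, the client address 192.168.1.10 and the port 411 taken from the post are all assumptions; the port active-mode peers really connect to is whatever tcpdump shows. By default the script only prints the iptables commands so it can be reviewed without root; set IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits (or applies) a FORWARD
# ruleset for the Internet-Firewall-Firewall-LAN setup plus the DNAT needed
# on a NATting firewall. All addresses, interfaces and the port are assumed.

IPTABLES="${IPTABLES:-echo iptables}"          # "echo iptables" = dry run
WAN_IFACE="${WAN_IFACE:-eth0}"                 # assumed
LAN_IFACE="${LAN_IFACE:-eth1}"                 # assumed
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.1.0/24}" # assumed
DC_CLIENT="${DC_CLIENT:-192.168.1.10}"         # assumed LAN host running the DC client
DC_PORT="${DC_PORT:-411}"                      # assumed; confirm with tcpdump

setup_forward() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD

    # 1. Replies first: most packets belong to a known connection, so
    #    matching them here avoids walking the rest of the chain.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no tracked connection will match nothing below;
    # dropping them early keeps them out of the NEW rules.
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP

    # 2. Outbound from the LAN: only a TCP connection attempt (--syn) may
    #    open a new flow; a stray ACK to port 22 no longer matches.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" \
        -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" \
        -p tcp --syn --dport "$DC_PORT" -m state --state NEW -j ACCEPT

    # 3. Inbound: in active mode the remote peer connects *to* the client,
    #    so a new connection from the WAN side must be accepted as well.
    $IPTABLES -A FORWARD -i "$WAN_IFACE" -d "$DC_CLIENT" \
        -p tcp --syn --dport "$DC_PORT" -m state --state NEW -j ACCEPT
}

# Only on a firewall that does NAT: rewrite the destination of the inbound
# connection to the LAN client (port forwarding). Without this the packet is
# addressed to the firewall itself and never reaches the FORWARD rule above.
setup_dnat() {
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IFACE" \
        -p tcp --dport "$DC_PORT" -j DNAT --to-destination "$DC_CLIENT:$DC_PORT"
}

# Capture command for the WAN side: only SYNs to the p2p port, i.e. what the
# remote peers are trying to open, which is the question the reply asks.
capture_cmd() {
    echo "tcpdump -ni $WAN_IFACE 'tcp dst port $DC_PORT and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'"
}

setup_forward
setup_dnat
capture_cmd
```

With two firewalls in series, the inbound connection has to be forwarded twice: on the outer firewall DC_CLIENT is the inner firewall's outside address, and on the inner firewall it is the client itself; run the capture on both boxes and compare, since a SYN that shows up on the outer WAN interface but not on the inner one tells you which hop is dropping it.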