* Re: irc
@ 2003-11-17 18:42 trainier
2003-11-17 19:29 ` irc Antony Stone
2003-11-17 19:32 ` proxy a dns Guillermo
0 siblings, 2 replies; 7+ messages in thread
From: trainier @ 2003-11-17 18:42 UTC (permalink / raw)
To: netfilter
Okay, here's the revised copy of my situation, with ip addresses:
Client machine (192.168.1.162) -> (192.168.1.7) squid-proxy
(208.224.3.156) -> DMZ (208.224.3.153) -> (irc.blessed.net) IRC Server.
I don't know what "IT" is. That is what I need to find out (packet
sniffer?). I'm assuming it's the irc server.
I know how to set nat up in this situation. I know it's what I need, but
am not sure how to do it.
Antony Stone <Antony@Soft-Solutions.co.uk>
Sent by: netfilter-admin@lists.netfilter.org
11/17/2003 01:11 PM
To: netfilter@lists.netfilter.org
cc:
Subject: Re: irc
On Monday 17 November 2003 5:43 pm, trainier@kalsec.com wrote:
> I'll attempt to clear things up a bit.
>
> An irc proxy, is a machine that accepts a connection, then forwards you on
> to the proxy server. An irc bounce, is very similar in nature.
Ah, so there is a difference between an IRC proxy and an IRC server? (I
didn't know - I'm not familiar enough with the IRC protocol).
> What I'm looking for, is not an irc proxy. I'm already connecting to an
> irc proxy. The problem is, when I changed my default gateway to point at
> my http-proxy, I can no longer make connections out to my irc server.
That sort of makes sense. Does your http proxy know how to forward non-http
traffic (so the traffic can get to the IRC proxy, for example), and is it
correctly forwarding such traffic?
> (It comes back with a "connection refused").
I'm puzzled about what "it" is in this sentence. Which machine sends back a
packet to your IRC client indicating that there's a problem?
> I thought I would have to use NAT in this case, just like I have to use NAT
> to allow http and ftp requests, through the squid proxy server.
Whether or not you need to use NAT depends on where your public & private IP
addresses meet. If the squid proxy is also your router joining the public
to the private network, then yes, you will need NAT rules in order to get any
non-http traffic through it. If the 'other side' of your squid proxy is
still privately addressed within your own network, and your public IP address
router is somewhere beyond it, then you don't need to do NAT on the squid
proxy, just normal routing table entries (and the machines on the other side
need to know that this is a gateway back to the addresses on the inside of it
of course).
> Here's how I'm set up:
>
> Client machine -> squid-proxy -> DMZ -> IRC Server.
If you can add some IP addresses / network ranges to that diagram, and maybe
include your Internet router in there as well, it would be helpful.
Please note that I have chosen the sig below specifically for this email :)
Regards,
Antony.
--
90% of network problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.
Please reply to the list;
please don't CC me.
* Re: irc
From: Antony Stone @ 2003-11-17 19:29 UTC (permalink / raw)
To: netfilter
On Monday 17 November 2003 6:42 pm, trainier@kalsec.com wrote:
> Okay, here's the revised copy of my situation, with ip addresses:
>
> Client machine (192.168.1.162) -> (192.168.1.7) squid-proxy
> (208.224.3.156) -> DMZ (208.224.3.153) -> (irc.blessed.net) IRC
> Server.
Right. This looks to me like the squid proxy is also your router between
the LAN and the Internet, therefore it needs standard NAT and FORWARDing
rules to allow non-http traffic as well as the REDIRECT rule for diverting
your http traffic to squid itself.
eg:
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
(if you're using an internal DNS server, add another rule like the one above
but for TCP traffic on port 53 as well)
iptables -A FORWARD -i eth1 -p tcp --dport 6667 -j ACCEPT
(the above rules assume eth1 is your internal interface - change if needed)
iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to 208.224.3.156
(the above rule assumes eth0 is your external interface - change if needed)
And, of course, make sure the box is forwarding packets:
echo 1 >/proc/sys/net/ipv4/ip_forward
If that doesn't do the trick start adding some LOGging lines above and/or
below these rules and find out what traffic I've missed.
Regards,
Antony.
--
Windows: just another pane in the glass.
Please reply to the list;
please don't CC me.
* Re: irc
From: Alistair Tonner @ 2003-11-17 19:56 UTC (permalink / raw)
To: Antony Stone, netfilter
On November 17, 2003 02:29 pm, Antony Stone wrote:
> On Monday 17 November 2003 6:42 pm, trainier@kalsec.com wrote:
> > Okay, here's the revised copy of my situation, with ip addresses:
> >
> > Client machine (192.168.1.162) -> (192.168.1.7) squid-proxy
> > (208.224.3.156) -> DMZ (208.224.3.153) -> (irc.blessed.net) IRC
> > Server.
>
> Right. This looks to me like the squid proxy is also your router between
> the LAN and the Internet, therefore it needs standard NAT and FORWARDing
> rules to allow non-http traffic as well as the REDIRECT rule for diverting
> your http traffic to squid itself.
>
> eg:
>
> iptables -P FORWARD DROP
> iptables -F FORWARD
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i eth1 -p udp --dport 53 -j ACCEPT
> (if you're using an internal DNS server, add another rule like the one
> above but for TCP traffic on port 53 as well)
> iptables -A FORWARD -i eth1 -p tcp --dport 6667 -j ACCEPT
> (the above rules assume eth1 is your internal interface - change if needed)
> iptables -A POSTROUTING -t nat -o eth0 -j SNAT --to 208.224.3.156
> (the above rule assumes eth0 is your external interface - change if needed)
>
> And, of course, make sure the box is forwarding packets:
>
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> If that doesn't do the trick start adding some LOGging lines above and/or
> below these rules and find out what traffic I've missed.
>
> Regards,
>
> Antony.
If you've several systems that want to connect and do DCC you
will want to make sure you load the conntrack and nat irc
handlers from iptables ... they aren't needed for plain connections,
but are for DCC sends/receives.
You might find that a lot of servers refuse to accept connections
from the above setup:
As a rule these days a LOT of irc servers want an identd reply ...
identd is a horrible security problem, but you can use several
alternatives ... I've a python script that acts as a chrooted identd
server -- works a charm replying with random numbers ....
(written by someone else ..... not me)
And NO identifying info ...
--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic.
Lets get magical!
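Antony's rule set above and Alistair's point about the IRC conntrack helpers, pulled together into one parameterised script as an added example (not code posted in the thread): it also spells out the squid REDIRECT rule Antony refers to, adds a source-network match the posted rules lack, and has a dry-run mode so the generated rules can be read before they are applied. The squid port (3128) and the LAN range (192.168.1.0/24) are assumptions; interfaces and the SNAT address follow Antony's post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: squid listens on 3128 and
# the LAN is 192.168.1.0/24; interfaces and the SNAT address follow Antony's post.
INT_IF=${INT_IF:-eth1}            # internal interface
EXT_IF=${EXT_IF:-eth0}            # external interface
PUBLIC_IP=${PUBLIC_IP:-208.224.3.156}
LAN=${LAN:-192.168.1.0/24}        # assumed from the client at 192.168.1.162
SQUID_PORT=${SQUID_PORT:-3128}    # assumed squid port
DRY_RUN=${DRY_RUN:-1}             # 1 = print the commands, 0 = apply them

# Every command goes through here so the rule set can be reviewed before use.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

firewall_rules() {
    # Default-deny forwarding: only the traffic listed below gets through.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS over UDP and TCP, from the LAN only (a source match the thread's rules lack)
    run iptables -A FORWARD -i "$INT_IF" -s "$LAN" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -s "$LAN" -p tcp --dport 53 -j ACCEPT
    # IRC from the LAN only
    run iptables -A FORWARD -i "$INT_IF" -s "$LAN" -p tcp --dport 6667 -j ACCEPT
    # Transparent proxying: divert LAN web traffic to squid on this box
    run iptables -t nat -A PREROUTING -i "$INT_IF" -s "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Rewrite everything leaving the public interface to the proxy's address
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# Only needed for DCC. 2.4-era names; newer kernels call them nf_conntrack_irc/nf_nat_irc.
irc_helpers() {
    run modprobe ip_conntrack_irc
    run modprobe ip_nat_irc
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo 'echo 1 >/proc/sys/net/ipv4/ip_forward'
    else echo 1 >/proc/sys/net/ipv4/ip_forward; fi
}

# Number of iptables commands emitted; a quick sanity check on a dry run.
rule_count() { firewall_rules | grep -c '^iptables'; }

enable_forwarding
firewall_rules
if [ "${WITH_DCC:-0}" = 1 ]; then irc_helpers; fi
```

Run it as root with DRY_RUN=0 to apply the rules, and WITH_DCC=1 only if DCC is actually wanted, since the helper tracks the IRC control channel to open the data ports it announces.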
* Re: irc
From: Antony Stone @ 2003-11-17 20:05 UTC (permalink / raw)
To: netfilter
On Monday 17 November 2003 7:56 pm, Alistair Tonner wrote:
> If you've several systems that want to connect and do DCC you
> will want to make sure you load the conntrack and nat irc
> handlers from iptables ... they aren't needed for plain connections,
> but are for DCC sends/receives.
Indeed, however I assumed that anyone interested in the security of having a
firewall wouldn't be using insecure things like DCC. However, your reminder
that there is a conntrack helper for this protocol is a good one.
> As a rule these days a LOT of irc servers want an identd reply ...
> identd is a horrible security problem, but you can use several
> alternatives ... I've a python script that acts as a chrooted identd
> server -- works a charm replying with random numbers ....
You mean they actually require an identd response before allowing a
connection (rather than just making it take a bit longer than usual)?
What's the point in that? It adds nothing to security, adds very little to
logging opportunities, and only interferes with people trying to keep their
networks to themselves.
Ho Hum; it's a strange world on the Internet....
Antony.
--
The idea that Bill Gates appeared like a knight in shining armour
to lead all customers out of a mire of technological chaos
neatly ignores the fact that it was he who, by peddling
second-rate technology, led them into it in the first place.
- Douglas Adams in The Guardian, August 25, 1995
Please reply to the list;
please don't CC me.
* proxy a dns
From: Guillermo @ 2003-11-17 19:32 UTC (permalink / raw)
To: netfilter
How can I configure my squid proxy to redirect the requests that reach it
from a PC on my LAN.... to port 80 of another proxy ..... so that they can
reach the final DNS server??
I have two proxies... a squid and a wingate that goes out directly to the
internet... but the PCs on my LAN that go through the squid cannot reach the
DNS on port 53.... they reach the wingate and stay there...
I need them to be redirected to port 80 so that the squid assumes it is any
PC on the other LAN...
* Re: proxy a dns
From: Jeffrey Laramie @ 2003-11-17 22:24 UTC (permalink / raw)
To: netfilter
Guillermo wrote:
>How can I configure my squid proxy to redirect the requests that reach it
>from a PC on my LAN.... to port 80 of another proxy ..... so that they can
>reach the final DNS server??
>
>I have two proxies... a squid and a wingate that goes out directly to the
>internet... but the PCs on my LAN that go through the squid cannot reach the
>DNS on port 53.... they reach the wingate and stay there...
>I need them to be redirected to port 80 so that the squid assumes it is any
>PC on the other LAN...
>
As I can configure that my proxy squid redireccione the petitions that
him> arrive since a pc of my lan. ... to a port 80 of another proxy
.....para that> can arrive the servant dns final?? >> I have two
proxys. ..un squid and a wingate that leaves directly to> internet...
but the pcs of my lan that pass for the squid cannot arrive> by the port
53 al dns. ... arrive al wingate and ahi remain.. > I need that
itself redireccionen al port 80 for eu the squid assume that it is> any
pc of the other lan..
Ok, this didn't work. Can someone else help out with this one? I'm still
waiting for my squid to arrive.
Jeff
* Re: proxy a dns
From: Maciej Soltysiak @ 2003-11-18 11:08 UTC (permalink / raw)
To: Guillermo; +Cc: netfilter
Hola,
> I need them to be redirected to port 80 so that the squid assumes it is any
> PC on the other LAN...
Please read the FAQ, redirecting packets for proxy is described there.
Also please read the man pages for iptables, and look for information
about the DNAT target.
Regards,
Maciej