A few questions

[Rocco Stanzione <iptables@linuxkungfu.org>]

I have a few questions about iptables, and about some of the traffic I've seen 
on this list.

1) I've successfully set up DNAT so that I can, say, request port 81 on the 
firewall/gateway box and hit the webserver on port 80 on a box behind the 
gateway.  No problem.  But it doesn't work on the LAN.  I understand why, 
after reading some docs, but I've been trying to find a way around it.  
Problem is, I don't know what all iptables will auto-reverse for me and what 
I need to specify.  For example, I suppose I could SNAT local connections 
through the gateway --to-source $GATEWAYIP, but would returning packets be 
taken care of, or must I come up with a rule for that?  I've tried both 
without success.

2) Quite a few people are using my iptables script, and the most common 
complaint I get is dcc failure.  ip_conntrack_irc (and everything else) is 
compiled into my (monolithic) kernel.  Most people don't have this setup.  
Dcc of course works for me.  I have the user modprobe ip_conntrack_irc, and 
typically it still doesn't work for them.  Logs show it failing at a 
catch-all rule, which tells me conntrack isn't working.  However if we add 
ip_conntrack_irc to /etc/modules and reboot, all is well.  So, 2a) why is 
this? and 2b) surely there's something less drastic than a reboot that will 
put ip_conntrack_irc to work?

3) I see quite a few messages on the list about people going to a great deal 
of trouble to get a VPN connection to NAT through an iptables firewall.  I 
have an always-on PPTP connection to the M$ VPN server at work, and I have 
never had to do anything special to get it to work.  I have to assume, then, 
that I have some liberal rule or policy that is likely insecure, and I wonder 
what it could be.  I'm afraid I don't have a pasteable rule set, as it's 
spread out across config files and such.  If anyone cares to pore over it, 
it's at http://www.linuxkungfu.org/ipkungfu-0.2.0.tgz

Thanks!

Rocco