Subject: DCC ...
From: Fred Richards
Date: 2002-06-09 15:27 UTC
To: netfilter

Ok, I have iptables 1.2.6a and am using kernel 2.4.18. Everything is
working great, but I keep getting this error message when I try and DCC:

Forged DCC command from 172.16.0.5: 24.92.231.26:4300
Forged DCC command from 172.16.0.5: 24.92.231.26:4399
Forged DCC command from 172.16.0.5: 24.92.231.26:4405
Forged DCC command from 172.16.0.5: 24.92.231.26:4854

I am not using modules, I have everything statically compiled into the
kernel (yes, including IRC and FTP support...). Is there something else
I'm missing?

Apparently anyone can DCC us but we cannot DCC out... any help would be
appreciated ...

-- 
Fred
Subject: Re: DCC ...
From: Martin Josefsson
Date: 2002-06-09 15:39 UTC
To: Fred Richards; Cc: Netfilter

On Sun, 2002-06-09 at 17:27, Fred Richards wrote:
> Ok, I have iptables 1.2.6a and am using kernel 2.4.18. Everything is
> working great, but I keep getting this error message when I try and DCC:
>
> Forged DCC command from 172.16.0.5: 24.92.231.26:4300
> Forged DCC command from 172.16.0.5: 24.92.231.26:4399
> Forged DCC command from 172.16.0.5: 24.92.231.26:4405
> Forged DCC command from 172.16.0.5: 24.92.231.26:4854
>
> I am not using modules, I have everything statically compiled into the
> kernel (yes, including IRC and FTP support...). Is there something else
> I'm missing?
>
> Apparently anyone can DCC us but we cannot DCC out... any help would
> be appreciated ...

The problem is that you've set your irc-client to use the ip the
irc-server sees, not the real ip of your client, and then
ip_conntrack_irc refuses to cooperate.

Solution #1: change your client to use the real ip (172.16.0.5) and not
the ip the irc-server sees.

Solution #2: apply the attached patch to an iptables source-tree and then
apply the irc-natip.patch in the extra/ repository and then recompile
your kernel. This patch makes ip_conntrack_irc allow both IPs.

-- 
/Martin

Never argue with an idiot. They drag you down to their level,
then beat you with experience.

[-- Attachment #2: irc-natip.diff --]
[-- Type: text/x-patch, Size: 1786 bytes --]

diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch netfilter/userspace/patch-o-matic/extra/irc-natip.patch
--- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch Fri Apr 5 16:02:50 2002
@@ -0,0 +1,20 @@ +--- linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c.orig Fri Apr 5 00:50:43 2002 ++++ linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c Fri Apr 5 15:54:20 2002 +@@ -183,7 +183,7 @@ + DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n", + HIPQUAD(dcc_ip), dcc_port); + +- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) { ++ if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) { + if (net_ratelimit()) + printk(KERN_WARNING + "Forged DCC command from " +@@ -209,7 +209,7 @@ + + exp->tuple = ((struct ip_conntrack_tuple) + { { 0, { 0 } }, +- { htonl(dcc_ip), { htons(dcc_port) }, ++ { ct->tuplehash[dir].tuple.src.ip, { htons(dcc_port) }, + IPPROTO_TCP }}); + exp->mask = ((struct ip_conntrack_tuple) + { { 0, { 0 } }, diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help Thu Jan 1 01:00:00 1970 +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help Fri Apr 5 16:02:50 2002 @@ -0,0 +1,6 @@ +Author: Martin Josefsson <gandalf@wlug.westbo.se> +Status: Works for me + +This patch adds support for using the external ip in DCC requests. +ip_conntrack_irc now supports two ip's, the ip of the client and +the external ip after NAT. ^ permalink raw reply [flat|nested] 4+ messages in thread
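Review bot: the `+` line in the `+@@ -183,7 +183,7 @@` hunk runs well past 80 columns; split the condition over two lines and add a one-line comment saying that `ct->tuplehash[!dir].tuple.dst.ip` is the address the server replies to, i.e. the client's external address after SNAT. Without that comment the second test looks redundant, which it is only when no NAT sits in the path and both addresses are the same. Since this test is now the only thing binding `dcc_ip` to the connection, it is also the place to state that invariant.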
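Review bot: in the `+@@ -209,7 +209,7 @@` hunk the expectation's destination changes from `htonl(dcc_ip)` to `ct->tuplehash[dir].tuple.src.ip`, so `dcc_ip` no longer feeds the tuple at all. That is what the NAT case needs (the inbound DCC connection must be expected toward the real client, not the external address), but the `-` line shows the two values used to agree by construction and now differ silently; a comment on the `+` line noting that the check in the previous hunk guarantees `dcc_ip` is one of this connection's two addresses would save the next reader a trip through both hunks.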
Subject: Re: DCC ...
From: Fred Richards
Date: 2002-06-10 1:36 UTC
To: Netfilter

I haven't tried the patch yet, but I have tried upgrading my kernel to the
latest 2.4 kernel (2.4.19-pre10). Still doesn't appear to work, although I
have tried putting in my actual ip address (172.16.0.5). I also cannot
find the irc-natip.patch anywhere... doesn't seem to be in the iptables
1.2.6a source tree.

Another curiosity ... I see the default port for irc (and how netfilter
sees related connections) is port 6667... having my wife do most of the
testing from her machine ... most of the time she's connecting to port
6668 ... hmmm ...

Martin Josefsson wrote:
> On Sun, 2002-06-09 at 17:27, Fred Richards wrote:
>
>> Ok, I have iptables 1.2.6a and am using kernel 2.4.18. Everything is
>> working great, but I keep getting this error message when I try and DCC:
>>
>> Forged DCC command from 172.16.0.5: 24.92.231.26:4300
>> Forged DCC command from 172.16.0.5: 24.92.231.26:4399
>> Forged DCC command from 172.16.0.5: 24.92.231.26:4405
>> Forged DCC command from 172.16.0.5: 24.92.231.26:4854
>>
>> I am not using modules, I have everything statically compiled into the
>> kernel (yes, including IRC and FTP support...). Is there something else
>> I'm missing?
>>
>> Apparently anyone can DCC us but we cannot DCC out... any help would
>> be appreciated ...
>
> The problem is that you've set your irc-client to use the ip the
> irc-server sees, not the real ip of your client, and then
> ip_conntrack_irc refuses to cooperate.
>
> Solution #1: change your client to use the real ip (172.16.0.5) and not
> the ip the irc-server sees.
>
> Solution #2: apply the attached patch to an iptables source-tree and then
> apply the irc-natip.patch in the extra/ repository and then recompile
> your kernel. This patch makes ip_conntrack_irc allow both IPs.
> > > > ------------------------------------------------------------------------ > > diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch netfilter/userspace/patch-o-matic/extra/irc-natip.patch > --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch Thu Jan 1 01:00:00 1970 > +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch Fri Apr 5 16:02:50 2002 > @@ -0,0 +1,20 @@ > +--- linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c.orig Fri Apr 5 00:50:43 2002 > ++++ linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c Fri Apr 5 15:54:20 2002 > +@@ -183,7 +183,7 @@ > + DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n", > + HIPQUAD(dcc_ip), dcc_port); > + > +- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) { > ++ if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) { > + if (net_ratelimit()) > + printk(KERN_WARNING > + "Forged DCC command from " > +@@ -209,7 +209,7 @@ > + > + exp->tuple = ((struct ip_conntrack_tuple) > + { { 0, { 0 } }, > +- { htonl(dcc_ip), { htons(dcc_port) }, > ++ { ct->tuplehash[dir].tuple.src.ip, { htons(dcc_port) }, > + IPPROTO_TCP }}); > + exp->mask = ((struct ip_conntrack_tuple) > + { { 0, { 0 } }, > diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help > --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help Thu Jan 1 01:00:00 1970 > +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help Fri Apr 5 16:02:50 2002 > @@ -0,0 +1,6 @@ > +Author: Martin Josefsson <gandalf@wlug.westbo.se> > +Status: Works for me > + > +This patch adds support for using the external ip in DCC requests. > +ip_conntrack_irc now supports two ip's, the ip of the client and > +the external ip after NAT. ^ permalink raw reply [flat|nested] 4+ messages in thread
Subject: Re: DCC ...
From: Martin Josefsson
Date: 2002-06-10 8:48 UTC
To: Fred Richards; Cc: Netfilter

On Mon, 2002-06-10 at 03:36, Fred Richards wrote:
> I haven't tried the patch yet, but I have tried upgrading my kernel to
> the latest 2.4 kernel (2.4.19-pre10). Still doesn't appear to work,
> although I have tried putting in my actual ip address (172.16.0.5). I
> also cannot find the irc-natip.patch anywhere... doesn't seem to be in
> the iptables 1.2.6a source tree. Another curiosity ... I see the
> default port for irc (and how netfilter sees related connections) is
> port 6667... having my wife do most of the testing from her machine ...
> most of the time she's connecting to port 6668 ... hmmm ...

I attached the patch and you actually quoted it in your reply.

The irc extension to the conntracking only listens to port 6667 by default
and can only be changed by either changing the source or having it as a
module and using the ports= parameter.

If you did set the ip to 172.16.0.5 _and_ connected to port 6667 and it
still didn't work, then my next question would be if you have the
necessary rules to allow RELATED connections from outside into your
network? i.e.

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
/Martin

Never argue with an idiot. They drag you down to their level,
then beat you with experience.
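The address check Martin describes in his first reply and the port restriction from his second, as an added Python model that is not the kernel's code or anything posted in the thread: it parses a constructed DCC SEND line, applies the address test with and without the irc-natip change, and returns the expectation a RELATED rule would then match. The names Conntrack, irc_helper and dcc_payload and the sample addresses are my own.

```python
import ipaddress
import re
from collections import namedtuple

# The helper only inspects connections to these server ports; the module's
# ports= parameter extends the set, the built-in default is 6667 alone.
IRC_PORTS = {6667}

# CTCP DCC CHAT/SEND carry the address as one decimal integer, then the port.
DCC_RE = re.compile(r"\x01DCC (?:SEND \S+|CHAT chat) (\d+) (\d+)")

# One tracked IRC connection as conntrack keeps it (dotted quads, constructed):
#   orig_src  = tuplehash[dir].tuple.src.ip, the client's real address
#   reply_dst = tuplehash[!dir].tuple.dst.ip, the address the server answers
#               to, i.e. the external address after SNAT (== orig_src without NAT)
Conntrack = namedtuple("Conntrack", "orig_src reply_dst server_port")

def parse_dcc(payload):
    """Return (dotted ip, port) announced by a DCC command, or None."""
    m = DCC_RE.search(payload)
    if m is None:
        return None
    return str(ipaddress.IPv4Address(int(m.group(1)))), int(m.group(2))

def irc_helper(ct, payload, natip_patch):
    """Mimic ip_conntrack_irc on one client->server packet: returns
    ("ignored", None), ("forged", printk message) when the address check
    fails, or ("expect", (dst_ip, dst_port)) for the RELATED expectation."""
    if ct.server_port not in IRC_PORTS:
        return "ignored", None              # a server on 6668 is never seen
    dcc = parse_dcc(payload)
    if dcc is None:
        return "ignored", None
    dcc_ip, dcc_port = dcc
    ok = dcc_ip == ct.orig_src              # the original, unpatched test
    if natip_patch:                         # second test from irc-natip.patch
        ok = ok or dcc_ip == ct.reply_dst
    if not ok:
        return "forged", f"Forged DCC command from {ct.orig_src}: {dcc_ip}:{dcc_port}"
    # Unpatched code expects the address from the DCC line; the patch expects
    # the real client address, so the inbound DCC connection is matched pre-NAT.
    exp_dst = ct.orig_src if natip_patch else dcc_ip
    return "expect", (exp_dst, dcc_port)

def dcc_payload(ip, port):
    """Constructed CTCP DCC SEND line announcing dotted-quad ip:port."""
    return f"\x01DCC SEND file.txt {int(ipaddress.IPv4Address(ip))} {port} 1\x01"
```

With Fred's addresses, a DCC line carrying the external address is rejected unpatched and accepted with the patch, while a line naming any third address is rejected either way, which is the forgery the check exists to stop.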