* DCC ...
From: Fred Richards @ 2002-06-09 15:27 UTC (permalink / raw)
To: netfilter
Ok, I have IPtables 1.2.6a and using kernel 2.4.18. Everything is
working great, but I keep getting this error message when I try and DCC:
Forged DCC command from 172.16.0.5: 24.92.231.26:4300
Forged DCC command from 172.16.0.5: 24.92.231.26:4399
Forged DCC command from 172.16.0.5: 24.92.231.26:4405
Forged DCC command from 172.16.0.5: 24.92.231.26:4854
I am not using modules, I have everything statically compiled into the
kernel (yes including IRC and FTP support...) Is there something else
I'm missing?
Apparently anyone can DCC us but we cannot DCC out... any help would
be appreciated ...
-- Fred
* Re: DCC ...
From: Martin Josefsson @ 2002-06-09 15:39 UTC (permalink / raw)
To: Fred Richards; +Cc: Netfilter
On Sun, 2002-06-09 at 17:27, Fred Richards wrote:
> Ok, I have IPtables 1.2.6a and using kernel 2.4.18. Everything is
> working great, but I keep getting this error message when I try and DCC:
>
> Forged DCC command from 172.16.0.5: 24.92.231.26:4300
> Forged DCC command from 172.16.0.5: 24.92.231.26:4399
> Forged DCC command from 172.16.0.5: 24.92.231.26:4405
> Forged DCC command from 172.16.0.5: 24.92.231.26:4854
>
> I am not using modules, I have everything statically compiled into the
> kernel (yes including IRC and FTP support...) Is there something else
> I'm missing?
>
> Apparently anyone can DCC us but we cannot DCC out... any help would
> be appreciated ...
The problem is that you've set your irc-client to use the ip the
irc-server sees, not the real ip of your client and then
ip_conntrack_irc refuses to cooperate.
Solution #1: change your client to use the real ip (172.16.0.5) and not
the ip the irc-server sees.
Solution #2: apply the attached patch to an iptables source-tree and then
apply the irc-natip.patch in the extra/ repository and then recompile
your kernel. This patch makes ip_conntrack_irc allow both IPs.
--
/Martin
Never argue with an idiot. They drag you down to their level, then beat
you with experience.
[-- Attachment #2: irc-natip.diff --]
[-- Type: text/x-patch, Size: 1786 bytes --]
diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch netfilter/userspace/patch-o-matic/extra/irc-natip.patch
--- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch Fri Apr 5 16:02:50 2002
@@ -0,0 +1,20 @@
+--- linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c.orig Fri Apr 5 00:50:43 2002
++++ linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c Fri Apr 5 15:54:20 2002
+@@ -183,7 +183,7 @@
+ DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n",
+ HIPQUAD(dcc_ip), dcc_port);
+
+- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) {
++ if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) {
+ if (net_ratelimit())
+ printk(KERN_WARNING
+ "Forged DCC command from "
+@@ -209,7 +209,7 @@
+
+ exp->tuple = ((struct ip_conntrack_tuple)
+ { { 0, { 0 } },
+- { htonl(dcc_ip), { htons(dcc_port) },
++ { ct->tuplehash[dir].tuple.src.ip, { htons(dcc_port) },
+ IPPROTO_TCP }});
+ exp->mask = ((struct ip_conntrack_tuple)
+ { { 0, { 0 } },
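Review bot: the widened test in `+- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) {` / `++ if (... && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) {` now accepts an advertised DCC address equal to either the client's own source address or the reply-direction destination (the post-NAT address), and it only stays safe because the second inner hunk binds the expectation to `ct->tuplehash[dir].tuple.src.ip` instead of `htonl(dcc_ip)`, so an accepted command can only ever open an expectation towards the real sender; that coupling deserves a comment next to the check, since a reader seeing only the first hunk may conclude the forgery test was simply relaxed. The new `if` line also runs well past 80 columns; put the second condition on its own line.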
diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help
--- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help Thu Jan 1 01:00:00 1970
+++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help Fri Apr 5 16:02:50 2002
@@ -0,0 +1,6 @@
+Author: Martin Josefsson <gandalf@wlug.westbo.se>
+Status: Works for me
+
+This patch adds support for using the external ip in DCC requests.
+ip_conntrack_irc now supports two ip's, the ip of the client and
+the external ip after NAT.
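Review bot: the help text at `+This patch adds support for using the external ip in DCC requests.` should also state that the expectation is still bound to the client's real address and that an advertised address other than those two is still logged as forged, so "supports two ip's" is not read as a general relaxation of the check; a one-line note that the change lives in ip_conntrack_irc.c would also help someone browsing the extra/ tree.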
* Re: DCC ...
From: Fred Richards @ 2002-06-10 1:36 UTC (permalink / raw)
To: Netfilter
I haven't tried the patch yet, but I have tried upgrading my kernel to
the latest 2.4 kernel (2.4.19-pre10). Still doesn't appear to work,
although I have tried putting in my actual ip address (172.16.0.5). I
also cannot find the irc-natip.patch anywhere... doesn't seem to be in
the iptables 1.2.6a source tree. Another curiosity ... I see the
default port for irc (and how netfilter sees related connections) is
port 6667... having my wife do most of the testing from her machine ...
most of the time she's connecting to port 6668 ... hmmm ...
Martin Josefsson wrote:
> On Sun, 2002-06-09 at 17:27, Fred Richards wrote:
>
>>Ok, I have IPtables 1.2.6a and using kernel 2.4.18. Everything is
>>working great, but I keep getting this error message when I try and DCC:
>>
>>Forged DCC command from 172.16.0.5: 24.92.231.26:4300
>>Forged DCC command from 172.16.0.5: 24.92.231.26:4399
>>Forged DCC command from 172.16.0.5: 24.92.231.26:4405
>>Forged DCC command from 172.16.0.5: 24.92.231.26:4854
>>
>>I am not using modules, I have everything statically compiled into the
>>kernel (yes including IRC and FTP support...) Is there something else
>>I'm missing?
>>
>>Apparently anyone can DCC us but we cannot DCC out... any help would
>>be appreciated ...
>
>
> The problem is that you've set your irc-client to use the ip the
> irc-server sees, not the real ip of your client and then
> ip_conntrack_irc refuses to cooperate.
>
> Solution #1: change your client to use the real ip (172.16.0.5) and not
> the ip the irc-server sees.
>
> Solution #2: apply the attached patch to an iptables source-tree and then
> apply the irc-natip.patch in the extra/ repository and then recompile
> your kernel. This patch makes ip_conntrack_irc allow both IPs.
>
>
>
> ------------------------------------------------------------------------
>
> diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch netfilter/userspace/patch-o-matic/extra/irc-natip.patch
> --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch Thu Jan 1 01:00:00 1970
> +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch Fri Apr 5 16:02:50 2002
> @@ -0,0 +1,20 @@
> +--- linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c.orig Fri Apr 5 00:50:43 2002
> ++++ linux-2.4.19-pre3-NAPI/net/ipv4/netfilter/ip_conntrack_irc.c Fri Apr 5 15:54:20 2002
> +@@ -183,7 +183,7 @@
> + DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n",
> + HIPQUAD(dcc_ip), dcc_port);
> +
> +- if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)) {
> ++ if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip) && ct->tuplehash[!dir].tuple.dst.ip != htonl(dcc_ip)) {
> + if (net_ratelimit())
> + printk(KERN_WARNING
> + "Forged DCC command from "
> +@@ -209,7 +209,7 @@
> +
> + exp->tuple = ((struct ip_conntrack_tuple)
> + { { 0, { 0 } },
> +- { htonl(dcc_ip), { htons(dcc_port) },
> ++ { ct->tuplehash[dir].tuple.src.ip, { htons(dcc_port) },
> + IPPROTO_TCP }});
> + exp->mask = ((struct ip_conntrack_tuple)
> + { { 0, { 0 } },
> diff -urN netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help
> --- netfilter/userspace/patch-o-matic/extra.orig/irc-natip.patch.help Thu Jan 1 01:00:00 1970
> +++ netfilter/userspace/patch-o-matic/extra/irc-natip.patch.help Fri Apr 5 16:02:50 2002
> @@ -0,0 +1,6 @@
> +Author: Martin Josefsson <gandalf@wlug.westbo.se>
> +Status: Works for me
> +
> +This patch adds support for using the external ip in DCC requests.
> +ip_conntrack_irc now supports two ip's, the ip of the client and
> +the external ip after NAT.
* Re: DCC ...
From: Martin Josefsson @ 2002-06-10 8:48 UTC (permalink / raw)
To: Fred Richards; +Cc: Netfilter
On Mon, 2002-06-10 at 03:36, Fred Richards wrote:
> I haven't tried the patch yet, but I have tried upgrading my kernel to
> the latest 2.4 kernel (2.4.19-pre10). Still doesn't appear to work,
> although I have tried putting in my actual ip address (172.16.0.5). I
> also cannot find the irc-natip.patch anywhere... doesn't seem to be in
> the iptables 1.2.6a source tree. Another curiosity ... I see the
> default port for irc (and how netfilter sees related connections) is
> port 6667... having my wife do most of the testing from her machine ...
> most of the time she's connecting to port 6668 ... hmmm ...
I attached the patch and you actually quoted it in your reply.
The irc extension to the conntracking only listens to port 6667 by
default and can only be changed by either changing the source or having
it as a module and using the ports= parameter.
If you did set the ip to 172.16.0.5 _and_ connected to port 6667 and it
still didn't work then my next question would be if you have the
necessary rules to allow RELATED connections from outside into your
network? i.e.
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
--
/Martin
Never argue with an idiot. They drag you down to their level, then beat
you with experience.
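A user-space model of the check Martin describes above and of the irc-natip patch he attached: the address advertised in a DCC command is compared against the connection's source address, and after the patch also against the post-NAT address, with the resulting expectation bound to the real client address. This is an added illustration, not code from the thread or from netfilter. The struct field names mirror the two tuple fields the patch reads; the small DCC line parser, the decimal-form addresses and the sample messages are constructed for the example, using the addresses from the thread (172.16.0.5 as the client, 24.92.231.26 as the address the IRC server sees).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of the "Forged DCC command" check in
 * ip_conntrack_irc, before and after the irc-natip patch in this thread.
 * Addresses are host-order uint32 (the kernel compares in network order). */

/* Dotted quad -> host-order uint32; returns 0 on a malformed string. */
static uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (uint32_t)((a << 24) | (b << 16) | (c << 8) | d);
}

/* The two conntrack fields the patch consults. */
struct conn {
    uint32_t orig_src;  /* ct->tuplehash[dir].tuple.src.ip : real client address */
    uint32_t reply_dst; /* ct->tuplehash[!dir].tuple.dst.ip: address the server replies to (post-NAT) */
};

/* Extract <ip> <port> from "DCC SEND <file> <ip> <port> ..." or
 * "DCC CHAT chat <ip> <port>". The IP is the decimal form IRC clients send.
 * Returns 1 on success, 0 if the line is not a parseable DCC command. */
static int parse_dcc(const char *msg, uint32_t *ip, uint16_t *port)
{
    const char *p = strstr(msg, "DCC ");
    if (!p)
        return 0;
    p += 4;
    for (int i = 0; i < 2; i++) {   /* skip the type and the argument token */
        p = strchr(p, ' ');
        if (!p)
            return 0;
        p++;
    }
    char *end;
    unsigned long ipv = strtoul(p, &end, 10);
    if (end == p || *end != ' ' || ipv > 0xffffffffUL)
        return 0;
    unsigned long pv = strtoul(end + 1, &end, 10);
    if (pv == 0 || pv > 65535)
        return 0;
    *ip = (uint32_t)ipv;
    *port = (uint16_t)pv;
    return 1;
}

/* Apply the forged-DCC check. Returns the address the expectation would be
 * bound to when the command is accepted, or 0 when the kernel would log
 * "Forged DCC command" instead. */
static uint32_t dcc_check(const struct conn *ct, uint32_t dcc_ip, int patched)
{
    int matches_src = (ct->orig_src == dcc_ip);
    int matches_ext = (ct->reply_dst == dcc_ip);

    if (!matches_src && !(patched && matches_ext))
        return 0;           /* unpatched: only the real client address passes */

    /* Unpatched code binds the expectation to dcc_ip (equal to orig_src here);
     * the patch binds it to the real client address even when the external
     * address was the one advertised. */
    return patched ? ct->orig_src : dcc_ip;
}

/* Convenience wrapper over a raw DCC line; same return convention as dcc_check. */
uint32_t dcc_expect_dst(const char *msg, const char *client, const char *external,
                        int patched)
{
    struct conn ct = { ip4(client), ip4(external) };
    uint32_t dcc_ip;
    uint16_t dcc_port;
    if (!parse_dcc(msg, &dcc_ip, &dcc_port))
        return 0;
    return dcc_check(&ct, dcc_ip, patched);
}

int main(void)
{
    /* Constructed sample: 408741658 is 24.92.231.26 in decimal (the external
     * address), 2886729733 is 172.16.0.5 (the client's own address). */
    const char *ext_dcc = "\001DCC SEND file.txt 408741658 4300\001";
    const char *real_dcc = "\001DCC CHAT chat 2886729733 4300\001";
    const char *what[] = { "Forged DCC command", "accepted" };

    printf("unpatched, external ip advertised: %s\n",
           what[dcc_expect_dst(ext_dcc, "172.16.0.5", "24.92.231.26", 0) != 0]);
    printf("patched,   external ip advertised: %s\n",
           what[dcc_expect_dst(ext_dcc, "172.16.0.5", "24.92.231.26", 1) != 0]);
    printf("unpatched, real ip advertised:     %s\n",
           what[dcc_expect_dst(real_dcc, "172.16.0.5", "24.92.231.26", 0) != 0]);
    return 0;
}
```

The first case reproduces the situation in the thread: the client advertises the address the IRC server sees, the unpatched helper rejects it as forged, and no RELATED expectation is created for the incoming DCC connection. With the patch the same command is accepted, yet the expectation is keyed on 172.16.0.5, which is why a third, unrelated address still fails the check.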