
ipchains and DC

Hi.
I have trouble with ipchains on my server.
I can use ftp, ssh and more on my client, but I can't use DC, very strange :-(

What could the correct chain look like to put DC on the internet ?

(DC = Direct connect)

Thanks

//Fredrik
 
Hi.
Yes, I need to open up port 412 for TCP and UDP.

But what will the chain look like ?
I don't know much about ipchains at all.

 
What you guys say doesn't make any sense, but okay. (How can you multiplex a single socket?) Probably
the receiving port is a high, unprivileged one:
1024-65000.

ipchains -A output -p tcp -s mynetwork -d 0/0 412 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d mynetwork 1024:5900 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d mynetwork 30000:65000 -j ACCEPT

Those are the basic rules for the output and input chains; then you
can RTFM and figure out how you want this to work optimally.
 
Hi,

When I said both ways I didn't mean 412 <-> 412... I meant both [remote -> 412 inbound] and [local -> remote 412 outbound] !

Anyway, I've had a quick look at it now and it does indeed seem to listen by default for inbound connections on tcp port 412 (this is not linux/unix, so anyone can bind a privileged port!) and connect to others from an unprivileged client port to 411 or 412 (user configurable). Presumably, UDP is used for actual file transfers.

Before trying to define any firewall rules, how are you using this DC software - from a lan attached windows box going via linux ? If so, are you using IP masquerading already ? The ipchains rules can be a bit complicated when linux is used as a gateway because you have to code the input, output and forward chains.

Regards
 
Yes, I'm using DC from a lan attached windows box going via linux, and I'm using IP masquerading too.

It would be great if you could help me with this problem, I can't figure it out myself.

//Fredda
 
Hi again.
Maybe I can delete all rules while I'm using DC and then turn it back on when I'm done.

The idea is to allow everything to anywhere in ipchains; can it be done with only some lines?

//Fredda
 
Hi,

The simplest masquerading you can have is just to forward everything - the only problem is that you have no firewall functionality active on the linux box unless you have some 'input' and 'output' rules, and that's not really a good idea nowadays with all those script kiddies out there...

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -s 172.16.16.0/24 -j MASQ

(where 'eth1' is an example of whatever your internet interface is called and '172.16.16.0/24' is an example of your internal lan address range. Another example would be '192.168.0.0/16'. )

The above does not mention protocol, so it would masquerade all tcp/udp traffic passing through the linux box out of the -i interface.

Note, however, what it says in the DC faq:

"To make Direct Connect work properly with your NATing router, you must enter your router's WAN IP address in Direct Connect's "Force Direct Connect to report this IP address" text box, and check the associated check box."

IP masquerading is a form of source NAT (network address translation) whereby all the packets that leave the linux box appear to have originated from that same linux box (i.e. its internet interface IP address). So you might have to try setting that 'WAN address' as mentioned above. It could be even more complicated if you go from linux to a DSL router or suchlike, because that itself may use another layer of NAT. Anyway, try it out....

Regards
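
An added example, not code posted by anyone in this thread: a complete ipchains rule set for the setup Fredrik describes (Windows box on the LAN running DC, Linux 2.2 box masquerading it), combining the per-port rules from the earlier reply with the masquerading skeleton above. Interface names, the LAN range, the DC client's address and the gateway's Internet address (eth1, eth0, 172.16.16.0/24, 172.16.16.10, 203.0.113.5) are placeholders, and it assumes the ipmasqadm tool (kernel IPPORTFW support) is installed, since MASQ alone only rewrites outbound connections and cannot deliver an inbound connection to tcp 412 to the LAN box. The port numbers follow the thread (client listens on tcp 412, connects out to hubs on 411/412); 61000:65096 is the port range the 2.2 masquerading code uses for rewritten flows, which the stateless input chain must let back in. With no argument the script only prints the commands; "apply" runs them.

```shell
#!/bin/sh
# ADDED EXAMPLE (not from the thread): ipchains rules for a Linux 2.2
# masquerading gateway with a Windows Direct Connect client on the LAN.
# All values below are placeholders to adapt:
#   eth1 = Internet interface, eth0 = LAN interface,
#   172.16.16.0/24 = LAN, 172.16.16.10 = DC client,
#   203.0.113.5 = gateway's Internet address (also what DC should
#   "report" per the DC faq), ipmasqadm installed for port forwarding.
# Usage: "sh dc-gateway.sh apply" (as root) loads the rules;
#        "sh dc-gateway.sh" only prints what it would run.

EXT_IF=${EXT_IF:-eth1}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.16.16.0/24}
EXT_IP=${EXT_IP:-203.0.113.5}
DC_HOST=${DC_HOST:-172.16.16.10}
DC_PORT=412              # port the DC client listens on (per the thread)
HUB_PORTS=411:412        # ports the client connects out to (per the thread)
MASQ_PORTS=61000:65096   # port range Linux 2.2 uses for masqueraded flows
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
IPMASQADM=${IPMASQADM:-/sbin/ipmasqadm}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

dc_gateway_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

    # ipchains is stateless, so start from default deny on every chain.
    for chain in input output forward; do
        run "$IPCHAINS" -F "$chain"
        run "$IPCHAINS" -P "$chain" DENY
    done
    run "$IPMASQADM" portfw -f

    # Loopback and the LAN side are trusted.
    run "$IPCHAINS" -A input  -i lo -j ACCEPT
    run "$IPCHAINS" -A output -i lo -j ACCEPT
    run "$IPCHAINS" -A input  -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPCHAINS" -A output -i "$LAN_IF" -d "$LAN_NET" -j ACCEPT

    # Anti-spoofing: LAN addresses never arrive from the Internet, and
    # must never leave unmasqueraded. Both are logged (-l).
    run "$IPCHAINS" -A input  -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
    run "$IPCHAINS" -A output -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
    # Everything else the gateway itself sends out is allowed.
    run "$IPCHAINS" -A output -i "$EXT_IF" -j ACCEPT

    # Masquerade LAN traffic leaving through the Internet interface
    # (the forward chain sees the packet with its outgoing interface).
    run "$IPCHAINS" -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

    # Replies to masqueraded flows come back to the gateway's own address
    # on the masquerade port range and must pass the input chain before
    # the kernel demasquerades them.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$MASQ_PORTS" -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Inbound DC connections: other clients connect to EXT_IP:412, which
    # portfw redirects to the Windows box. The input chain must accept the
    # packet first; the redirect happens after it.
    run "$IPCHAINS" -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" "$DC_PORT" -j ACCEPT
    run "$IPCHAINS" -A input -i "$EXT_IF" -p udp -d "$EXT_IP" "$DC_PORT" -j ACCEPT
    run "$IPMASQADM" portfw -a -P tcp -L "$EXT_IP" "$DC_PORT" -R "$DC_HOST" "$DC_PORT"
    run "$IPMASQADM" portfw -a -P udp -L "$EXT_IP" "$DC_PORT" -R "$DC_HOST" "$DC_PORT"

    # Log whatever falls through to the default deny on the Internet side.
    run "$IPCHAINS" -A input -i "$EXT_IF" -l -j DENY
}

case "${1:-show}" in
    apply) DRY_RUN=0 ;;
esac
dc_gateway_rules
```

The outbound side needs no DC-specific rule here because the forward chain's MASQ rule covers every LAN connection, including those to hub ports 411/412; the inbound rules are the part masquerading alone cannot provide. Without the portfw entries the client still reaches hubs and can download from peers that connect in passive mode, but nobody can connect to it, which matches the "works for ftp and ssh, not for DC" symptom.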
 
Don't know if I remember correctly, but don't the hubs run on port 401?
Perhaps you must enable that one as well? /Sören
 