DCC sends from behind Iptables firewall with Mirc Client.

Alistair Tonner Alistair@alistairt.2y.net
Fri, 22 Mar 2002 13:52:13 -0500


	Okay folks:

	I've sent this direct to Oscar (thanks for great tutorials guy)

	I've sent this direct to Mirc's creator.

	Big block capitals on several websites, hopefully the patch-o-matic
	help file and stamped smack in the middle of my forehead for all to see

	After building, rebuilding, trying, twisting, hammering and whatnot,
	I've finally thumped through enough of the messages in my mailbox
	(I've all the mail digest from the mailinglists for about the last
	three months) I finally noted that at least three other people have
	seen this problem.

	1) DCC sends DO NOT work from Mirc client when behind IPtables firewall
	   with DCC modules (nat/conntrack) loaded, but other clients do succeed,
	   Mirc in default 'I'm behind a firewall configuration'.

	2) using Mirc in the standard 'I'm behind a firewall' configuration
	   works for connection to server, chatting, getting files.

	3) Iptables spits up a Forged DCC send packet error when the above
	   default configuration attempts a DCC send.

	4) the issue lies with the default 'I'm behind a firewall
	   configuration'. Mirc does NOT expect the firewall to be smart enough
	   to handle natting the send properly between the three (3) relevant
	   points (client here, server, client there) and thus dummies in the
	   outside ip that it has been TOLD by the IRC server it has
	   ... which IpTables sees as a no-no.

	5) setting Mirc to behave as if it is NOT behind a firewall allows
	   *all* functionality transparently, AS LONG AS the IRC server PORT is
	   in the (insmod irc_nat and insmod irc_conntrack) commands.

	  (P.S. Core team -- I personally Upped the #define MAX_PORTS in both
	  ip_conntrack_irc.c and ip_nat_irc.c to 20 -- the clients I've looked
	  at seem to use other ports that I'm slightly leery of adding to the
	  list.... but ... )

	I've several installations of Iptables where this has been driving me
	out of my tree over the last few weeks, 'specially since I'd thought
	from reading that irc stuff was now all functional on 2.4.14 or > and
	iptables 1.2.4 or >

	(personally I'd thought it was a lack of sleep and a lack of coffee on
	my part causing the problem)

	Since the irc stuff in iptables DOES work *thanks Harald and *EVERYONE*
	else on the netfilter team* I think it important that everyone using
	the combined packages be told, advised, warned, and beaten on until
	they leave the poor sysadmins to their duties .. *grin*

	Can the above combined list of bodies plaster this in as many places
	as possible?

	Please and thank you and on bended knee ....



	Alistair Tonner
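
The mismatch described in points 3 to 5, as an added example that is not part of the original post and is not netfilter's code: a simplified Python model of a DCC offer whose embedded address is compared with the address the packet really came from. The addresses, port, file name and function names are constructed for illustration.

```python
import ipaddress
import re

# CTCP DCC offer carried in a PRIVMSG:
#   \x01DCC SEND <filename> <IPv4 as 32-bit decimal> <port> [<size>]\x01
# Simplification: filenames containing spaces are not handled.
DCC_RE = re.compile(r"\x01DCC (SEND|CHAT) (\S+) (\d+) (\d+)(?: \d+)?\x01")

def parse_dcc(text):
    """Return (kind, name, advertised_ip, port) or None if not a valid offer."""
    m = DCC_RE.search(text)
    if not m:
        return None
    ip_int, port = int(m.group(3)), int(m.group(4))
    if ip_int > 0xFFFFFFFF or not 0 < port < 65536:
        return None
    return m.group(1), m.group(2), ipaddress.IPv4Address(ip_int), port

def check_offer(packet_src, text):
    """Model of the behaviour in points 3-5 (not the kernel helper's code):
    an offer is only tracked when the address inside it equals the address
    the packet actually came from on the LAN side of the firewall."""
    offer = parse_dcc(text)
    if offer is None:
        return "not-dcc"
    if offer[2] != ipaddress.IPv4Address(packet_src):
        return "forged"   # client wrote an address it does not own locally
    return "track"        # firewall can NAT the offer and expect the transfer

def dcc_send(ip, port, name="file.txt", size=1024):
    """Build the offer a client would send when advertising `ip`."""
    return f"\x01DCC SEND {name} {int(ipaddress.IPv4Address(ip))} {port} {size}\x01"

LAN_CLIENT = "192.168.1.10"  # constructed: client's real address behind the firewall
PUBLIC_IP = "203.0.113.7"    # constructed: address the IRC server reports for the client

if __name__ == "__main__":
    cases = {
        "'behind a firewall' mode (advertises server-reported IP)": PUBLIC_IP,
        "'not behind a firewall' mode (advertises local IP)": LAN_CLIENT,
    }
    for label, advertised in cases.items():
        print(f"{label}: {check_offer(LAN_CLIENT, dcc_send(advertised, 5000))}")
```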