• Status: Solved

ident-IRC

Hello!

I have looked through tutorials and here but found no solution. I've been trying to solve it on my own now for a couple of months but I can't.
So, please help me out on this one, experts. :)

Problem:
Since I have some users on my computer and they all want to use IRC, I need to have ident work properly.
I can't configure it properly because each user has the ~ in front of the ident, like ~user@my.host.com

I don't know if that is a firewall problem or maybe something else.

Here are some files I think need to be configured.
I have Fedora Core 5 installed on my computer.

Files:
xinetd.conf:

#
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/

defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
}

includedir /etc/xinetd.d
______________________________
auth in /etc/xinetd.d:

# default: off
# description: The authd server handles ident protocol requests. \
# The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident \
# Protocol") provides a means to determine the identity of a user of a \
# particular TCP connection.  Given a TCP port number pair, it returns \
# a character string which identifies the owner of that connection on \
# the server's system. UNDERSTAND THE RISKS REGARDING PRIVACY (I.E. \
# SPAM HARVESTERS) BEFORE RUNNING THIS DAEMON WITH NO ARGUMENTS.
service auth
{
        disable         = no
        port            = 113
        socket_type     = stream
        wait            = no
        user            = root
        cps             = 4096 10
        instances       = UNLIMITED
        server          = /usr/sbin/in.authd
        server_args     = -t60 --xerror --os -E
}

___________________________________________

And my firewall, /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [113:36667]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -p all -j LOG --log-level info
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 213.114.142.135 -j DROP
-A INPUT -s 211.255.244.32 -j DROP
-A INPUT -s 61.78.59.216 -j DROP
-A INPUT -s 210.68.188.134 -j DROP
-A INPUT -s 81.17.206.0/255.255.255.0 -j DROP
-A INPUT -s 219.84.145.125 -j DROP
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 81.230.140.234 -j DROP
-A INPUT -s 82.142.41.134 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
#For IRC_servers
#irc.ludd.luth.se, irc.desync.se, irc.swipnet.se, irc.okit.se, irc.bahnhof.se,
#ircnet.choopa.net,
#open.pl.ircnet.net
-A INPUT -s 192.121.49.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 194.68.21.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 130.240.22.200 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 216.32.207.130 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 82.146.235.2 -p tcp -m tcp --dport 113 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
#ALL OUTPUT
-A OUTPUT -s 192.168.0.0/24 -o eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
#For SSH-logins
#users:
#solsidan
-A RH-Firewall-1-INPUT -s 217.208.71.83 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#ammi-jakobsberg
-A RH-Firewall-1-INPUT -s 82.99.36.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#equator
-A RH-Firewall-1-INPUT -s 212.214.13.2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#amun.gatesession.com
-A RH-Firewall-1-INPUT -s 192.168.0.20 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#IRC_SERVER
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m udp -p udp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m tcp -p tcp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4001:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

______________________________________________________________________________

xinetd is running and auth as well.

Please give me suggestions or what I need to do to make the ident work :)

Thanx for all the help from you.

Best regards

/Artur


Asked by: thtrance
1 Solution
 
NopiusCommented:
The problem is the rule order; chain 'RH-Firewall-1-INPUT' will deny everything at the end:
-A RH-Firewall-1-INPUT -j REJECT

Place this line:
-A INPUT -j RH-Firewall-1-INPUT

Below this (really below last -A INPUT):
-A INPUT -s 82.146.235.2 -p tcp -m tcp --dport 113 -j ACCEPT
 
thtranceAuthor Commented:
So my firewall would look like this:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [113:36667]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -p all -j LOG --log-level info
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 213.114.142.135 -j DROP
-A INPUT -s 211.255.244.32 -j DROP
-A INPUT -s 61.78.59.216 -j DROP
-A INPUT -s 210.68.188.134 -j DROP
-A INPUT -s 81.17.206.0/255.255.255.0 -j DROP
-A INPUT -s 219.84.145.125 -j DROP
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 81.230.140.234 -j DROP
-A INPUT -s 82.142.41.134 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
#For IRC_servers
#irc.ludd.luth.se, irc.desync.se, irc.swipnet.se, irc.okit.se, irc.bahnhof.se,
#ircnet.choopa.net,
#open.pl.ircnet.net
-A INPUT -s 192.121.49.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 194.68.21.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 130.240.22.200 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 216.32.207.130 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 82.146.235.2 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#ALL OUTPUT
-A OUTPUT -s 192.168.0.0/24 -o eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
#For SSH-logins
#users:
#solsidan
-A RH-Firewall-1-INPUT -s 217.208.71.83 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#ammi-jakobsberg
-A RH-Firewall-1-INPUT -s 82.99.36.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#equator
-A RH-Firewall-1-INPUT -s 212.214.13.2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#amun.gatesession.com
-A RH-Firewall-1-INPUT -s 192.168.0.20 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#IRC_SERVER
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m udp -p udp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m tcp -p tcp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4001:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Will that effect my port 22?
I need to log in via ssh as well, and I remembered that I did something with this row (maybe misplaced it), but then I couldn't log in via port 22 :)

Thank you for the advice.
 
NopiusCommented:
Yes, this is correct ipchains table.
About ssh - you couldn't connect to it either in old or in new ipchains.

This will allow you to connect to ssh (change DROP to ACCEPT):
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 
thtranceAuthor Commented:
Of course I understand.
The problem is that I have some IPs which only have access to port 22, as you can see in the #For SSH Logins section.

I might think that this only is the forwarded chain and does not affect the input one.
So, in order to determine which IPs I want to connect to port 22, do I do the same as for port 113 and have something like this:


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [113:36667]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -p all -j LOG --log-level info
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 213.114.142.135 -j DROP
-A INPUT -s 211.255.244.32 -j DROP
-A INPUT -s 61.78.59.216 -j DROP
-A INPUT -s 210.68.188.134 -j DROP
-A INPUT -s 81.17.206.0/255.255.255.0 -j DROP
-A INPUT -s 219.84.145.125 -j DROP
-A INPUT -s 209.128.72.76 -j DROP
-A INPUT -s 81.230.140.234 -j DROP
-A INPUT -s 82.142.41.134 -j DROP

#For IRC_servers
#irc.ludd.luth.se, irc.desync.se, irc.swipnet.se, irc.okit.se, irc.bahnhof.se,
#ircnet.choopa.net,
#open.pl.ircnet.net
-A INPUT -s 192.121.49.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 194.68.21.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 192.71.51.129 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 130.240.22.200 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 216.32.207.130 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s 82.146.235.2 -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -s IP.I.WANT.TO.ALLOW -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
#ALL OUTPUT
-A OUTPUT -s 192.168.0.0/24 -o eth0 -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
#For SSH-logins
#users:
#solsidan
-A RH-Firewall-1-INPUT -s 217.208.71.83 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#ammi-jakobsberg
-A RH-Firewall-1-INPUT -s 82.99.36.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#equator
-A RH-Firewall-1-INPUT -s 212.214.13.2 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#amun.gatesession.com
-A RH-Firewall-1-INPUT -s 192.168.0.20 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
#IRC_SERVER
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m udp -p udp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.0/24 -m state --state NEW -m tcp -p tcp --dport 6664 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 779 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 4000:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 4001:4002 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 32000:34000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
NopiusCommented:
Config is not exactly as good as it could be, but near.

The problem is:
- The INPUT chain is traversed only when a packet goes to a LOCAL router IP address (so your rule '-A INPUT -s IP.I.WANT.TO.ALLOW -p tcp -m tcp --dport 22 -j ACCEPT' has no meaning for an outside ssh server and will never be checked if IP.I.WANT.TO.ALLOW is not local).
- The FORWARD chain is traversed when the packet destination IP doesn't belong to your router (when your packet passes through).

Here is a good explanation of what really happens: http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3.2

When no table is specified (as in your config), table 'filter' is used. In that picture you can see that a packet for 'filter' goes either to FORWARD or to INPUT depending on the routing decision (whether the packet is local or not).
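The two points made in this thread so far, the rule-order problem from the accepted solution and the INPUT-versus-FORWARD routing decision above, worked through in an added Python model. This is not code from the thread or from netfilter: the rule set is a trimmed, constructed copy of the poster's, the router address 192.0.2.10 and the helper names are assumptions, and since every packet modelled is a new connection the '-m state --state NEW' clauses are parsed but not checked.

```python
# Added example, not code from this thread or from netfilter: a toy model of how the
# kernel walks the 'filter' table, to show why rule ORDER decides whether an ident
# (port 113) request is ACCEPTed or REJECTed and how routing picks INPUT vs FORWARD.
import ipaddress
import shlex

ONE_ARG = {"-A", "-s", "-p", "-m", "-j", "--dport", "--state", "--reject-with", "--log-level"}

def parse_rules(text):
    """Parse iptables-save syntax into {chain: {"policy": ..., "rules": [...]}}."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                  # ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        else:                                     # every option used here takes one argument
            toks = shlex.split(line)
            opts = {toks[i]: toks[i + 1] for i in range(0, len(toks), 2) if toks[i] in ONE_ARG}
            chains[opts["-A"]]["rules"].append({
                "src": ipaddress.ip_network(opts["-s"]) if "-s" in opts else None,
                "proto": opts.get("-p"),
                "dport": int(opts["--dport"]) if "--dport" in opts else None,
                "target": opts["-j"],
            })
    return chains

def matches(rule, pkt):
    """True when every match clause the rule carries fits the packet."""
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and rule["proto"] in (None, "all", pkt["proto"])
            and rule["dport"] in (None, pkt.get("dport")))

def walk_chain(chains, name, pkt):
    """First terminating target wins; a user chain that runs out returns None (RETURN)."""
    for rule in chains[name]["rules"]:
        if not matches(rule, pkt):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        if rule["target"] in chains:              # jump into a user chain
            verdict = walk_chain(chains, rule["target"], pkt)
            if verdict is not None:
                return verdict
        # LOG and other non-terminating targets: keep walking this chain
    return chains[name]["policy"]

def filter_verdict(chains, pkt, local_addrs):
    """Routing decision first: a packet for a local address takes INPUT, any other FORWARD."""
    return walk_chain(chains, "INPUT" if pkt["dst"] in local_addrs else "FORWARD", pkt)

JUMP = "-A INPUT -j RH-Firewall-1-INPUT"
# Constructed, trimmed copy of the poster's rule set with the jump ABOVE the 113 accept.
RULES_ORIGINAL = f"""*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -p all -j LOG --log-level info
{JUMP}
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 192.121.49.1 -p tcp -m tcp --dport 113 -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -s 217.208.71.83 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Nopius's fix: the same rules with the jump moved below the last '-A INPUT' line.
RULES_FIXED = RULES_ORIGINAL.replace(JUMP + "\n", "").replace(
    "--dport 113 -j ACCEPT\n", "--dport 113 -j ACCEPT\n" + JUMP + "\n")
ROUTER_IP = "192.0.2.10"                          # constructed public address of the router

def verdict(rules_text, src, dst=ROUTER_IP, dport=113):
    """Verdict for a new TCP packet from src to dst:dport under the given rule set."""
    return filter_verdict(parse_rules(rules_text), {"src": src, "dst": dst, "proto": "tcp", "dport": dport}, {ROUTER_IP})
```

With the original ordering the ident request from 192.121.49.1 hits the chain's final REJECT before the ACCEPT is ever reached; with the jump moved down it is accepted, while the same packet addressed to a host behind the router takes the FORWARD chain and is still rejected there.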
 
thtranceAuthor Commented:
Well, I applied those rules and that doesn't work either :(.

~test@c-87bb72d5.03-53-73746f48.cust.bredbandsbolaget.se when I entered an irc server.
 
NopiusCommented:
Please give me the output of the following commands:

iptables -L -v
netstat -an | grep 113

Also specify on what machine the irc _client_ is running (on the router itself or on some external machine behind your router)?
Before, I've assumed that it runs on the router itself.
 
thtranceAuthor Commented:
It runs behind a router on one machine.

Here are my outputs:

/sbin/iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     209-128-72-076.BAYAREA.NET  anywhere
    0     0 DROP       all  --  any    any     ua-213-114-142-135.cust.bredbandsbolaget.se  anywhere
    0     0 DROP       all  --  any    any     211.255.244.32       anywhere
    0     0 DROP       all  --  any    any     61.78.59.216         anywhere
    0     0 DROP       all  --  any    any     h134-210-68-188.seed.net.tw  anywhere
    0     0 DROP       all  --  any    any     81.17.206.0/24       anywhere
    0     0 DROP       all  --  any    any     219-84-145-125-adsl-tpe.static.so-net.net.tw  anywhere
    0     0 DROP       all  --  any    any     209-128-72-076.BAYAREA.NET  anywhere
    0     0 DROP       all  --  any    any     h234n3fls34o290.telia.com  anywhere
    0     0 DROP       all  --  any    any     82.142.41.134        anywhere
   12   524 ACCEPT     tcp  --  any    any     192.121.49.1         anywhere            tcp dpt:auth
   10   564 ACCEPT     tcp  --  any    any     194.68.21.1          anywhere            tcp dpt:auth
    5   286 ACCEPT     tcp  --  any    any     irc.okit.se          anywhere            tcp dpt:auth
    0     0 ACCEPT     tcp  --  any    any     irc.okit.se          anywhere            tcp dpt:auth
    4   230 ACCEPT     tcp  --  any    any     irc.ludd.ltu.se      anywhere            tcp dpt:auth
   11   624 ACCEPT     tcp  --  any    any     ircnet.choopa.com    anywhere            tcp dpt:auth
    8   460 ACCEPT     tcp  --  any    any     open.pl.ircnet.net   anywhere            tcp dpt:auth
 1493 96548 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
  575 84405 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere            LOG level info
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 2 packets, 134 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2112  331K ACCEPT     all  --  any    eth0    192.168.0.0/24       anywhere

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    2   134 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    9  1990 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:mdns
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
  541 79170 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   240 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ftp
    0     0 ACCEPT     tcp  --  any    any     h83n2fls34o891.telia.com  anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     82.99.36.0/24        anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     host-212.214.13.2.addr.tdcsong.se  anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     amun.gatesession.com  anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     udp  --  any    any     192.168.0.0/24       anywhere            state NEW udp dpt:6664
    0     0 ACCEPT     tcp  --  any    any     192.168.0.0/24       anywhere            state NEW tcp dpt:6664
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:telnet
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:sunrpc
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:sunrpc
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:779
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:779
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:nfs
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpt:nfs
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:terabase:pxc-spvr-ft
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:newoak:pxc-spvr-ft
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpts:32000:34000
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state NEW udp dpts:32000:34000
   19  2871 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

________________________________________________________________________________________________________

netstat -an | grep 113

bash-3.1# netstat -an | grep 113
tcp        0      0 0.0.0.0:113                 0.0.0.0:*                   LISTEN
unix  2      [ ]         DGRAM                    1135   @/org/kernel/udev/udevd
 
NopiusCommented:
'It runs behind a router on one machine.' That's the problem.
identd _should_ run on the 'client' machine and your firewall should ACCEPT port 113 in the FORWARD chain.

Also your client machine should have a real IP address (not NATed).
If your client machine is behind 'NAT' and has fake IP addresses, it's quite complex to tune your firewall to forward the auth request from the server (really the AUTH request will come to the router's IP because the client is NAT-ed) back to the internal client.

As I see:
4   230 ACCEPT     tcp  --  any    any     irc.ludd.ltu.se      anywhere            tcp dpt:auth
11   624 ACCEPT     tcp  --  any    any     ircnet.choopa.com    anywhere            tcp dpt:auth
8   460 ACCEPT     tcp  --  any    any     open.pl.ircnet.net   anywhere            tcp dpt:auth

all AUTH requests are coming to the INPUT chain (so they are for the local IP address of your router) and your clients are probably NATed.

Try to IRC from the router itself (just to be sure) and identd should work then. Otherwise you need to configure stateful firewall rules.
 
thtranceAuthor Commented:
I understand.
Thank you for the tip. I will have a look at it. :)
 
thtranceAuthor Commented:
Hmm, can I also buy a switch and not a router?
 
NopiusCommented:
I don't know your address allocation and network topology. In most cases a switch is not enough.

I see two solutions for you.
1) You may run a fake identd on your RedHat (which will always confirm the same user)
2) You may configure port forwarding from your router to the machine with IRC for TCP port 113.
3) You may configure one extra IP on your router (if you have more than one internet IP) and configure one-to-one static NAT for the single machine (with IRC), so it will always be mapped to the external IP.

If you choose 2) or 3) it's important to tune your NAT to preserve the source TCP port number. Otherwise AUTH will not work. Also you need to run identd on the client machine.
 
thtranceAuthor Commented:
I port forwarded port number 113 to my machine behind the router on which the IRC clients run.
Now I will deal with the "if you choose 2), 3)" hint you typed.

Thank you.
 
NopiusCommented:
There is a problem with the ident protocol itself.

It asks to identify a TCP connection by means of sending the TCP source port number back to the client. When the port is improperly 'forwarded', on the client machine there will be another TCP source port number than the one the server sees.
So, forwarding must be done one-to-one (without dynamic source port allocation). That's why I suggested using one-to-one IP mapping; that's much easier than tuning your NAT for such behaviour. A typical NAT will substitute the port number when forwarding packets.
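The ident exchange described in the reply above, and why a port-rewriting NAT breaks it while one-to-one mapping does not, as an added Python model. This is not code from the thread or from any identd or ircd: the host irc.example.net, the ports, the user 'artur', the Router class and the helper names are all constructed assumptions, and the "0 , 0" echo for an unparseable query is a choice made here, not RFC 1413 text.

```python
# Added example, not code from this thread or from any identd: a toy RFC 1413
# responder plus a toy NAT, to show why a masquerading router (which rewrites the
# client's source port) makes the IRC server's ident lookup fail, while one-to-one
# NAT that preserves the port lets it succeed. Hosts, ports and users are constructed.
import re

IRC_HOST, IRC_PORT = "irc.example.net", 6667
# Connection table of the machine running the IRC client, as identd sees it:
# (local port, remote port, remote host) -> user who owns the socket.
CLIENT_CONNECTIONS = {(51234, IRC_PORT, IRC_HOST): "artur"}

QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")

def ident_response(query_line, connections, querying_host):
    """Answer one '<port-on-this-host> , <port-on-querier>' query the way identd does."""
    m = QUERY_RE.match(query_line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"    # unparseable pair (this toy echoes 0 , 0)
    local_port, remote_port = int(m.group(1)), int(m.group(2))
    if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
        return f"{local_port} , {remote_port} : ERROR : INVALID-PORT"
    user = connections.get((local_port, remote_port, querying_host))
    if user is None:                              # no such socket on this host
        return f"{local_port} , {remote_port} : ERROR : NO-USER"
    return f"{local_port} , {remote_port} : USERID : UNIX : {user}"

def irc_username(response, nick):
    """What the ircd shows: the USERID on success, otherwise '~' + the client-supplied name."""
    fields = [f.strip() for f in response.split(":")]
    return fields[3] if len(fields) == 4 and fields[1] == "USERID" else "~" + nick

class Router:
    """Toy NAT in front of the client. 'masquerade' allocates a fresh public source
    port per connection (what a typical NAT does); 'one_to_one' keeps the port."""
    def __init__(self, mode):
        self.mode, self.next_port = mode, 1024

    def translate_outbound(self, client_port):
        if self.mode == "one_to_one":
            return client_port
        self.next_port += 1
        return self.next_port

def ident_seen_by_server(router, client_port=51234):
    """The server only ever sees the public port, so that is the port it asks about.
    Port 113 is forwarded to the client, but the query text is not rewritten."""
    public_port = router.translate_outbound(client_port)
    query = f"{public_port} , {IRC_PORT}"
    return ident_response(query, CLIENT_CONNECTIONS, IRC_HOST)
```

Behind a masquerading router the server asks about port 1025, which the client's identd has never heard of, so the answer is NO-USER and the ircd falls back to the ~-prefixed name seen in the question.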
 
thtranceAuthor Commented:
Thanx .. I don't really understand what I need to do (practically) but I will find out and dig into iptables some more =).
I'm sorry but I'm pretty new to iptables etc.
