This is a discussion on icq client and iptables within the Linux Security forums, part of the System Security and Security Related category.
I'm running a linux desktop which accesses the internet via NAT on a
linux box configured with iptables. I can't get licq, kopete or a
java-enabled mozilla at go.icq.com to access an icq server.

My linux desktop icq client network settings are:

  server: login.icq.com
  port: 5190
  listen 1024-65535 (I want to eventually limit this somehow)

I added these rules to the firewall (same thing, just adds both udp/tcp):

  # DNAT every inbound tcp/udp port 1024-65535 arriving on eth0 to the desktop
  iptables -t nat -A PREROUTING -p tcp --destination-port 1024:65535 -i eth0 -j DNAT --to 192.168.2.25
  iptables -t nat -A PREROUTING -p udp --destination-port 1024:65535 -i eth0 -j DNAT --to 192.168.2.25

My internal ip is 192.168.2.25.

It still doesn't work. Any ideas?
iksrazal
iksrazal wrote:
> I'm running a linux desktop which accesses the internet via NAT on a
> linux box configured with iptables. I can't get licq, kopete or a
> java-enabled mozilla at go.icq.com to access an icq server.
>
> My linux desktop icq client network settings are:
>
> server: login.icq.com
> port: 5190
> listen 1024-65535 (I want to eventually limit this somehow)
>
> I added these rules to the firewall (same thing, just adds both
> udp/tcp):
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 1024:65535 -i
> eth0 -j DNAT --to 192.168.2.25
>
> iptables -t nat -A PREROUTING -p udp --destination-port 1024:65535 -i
> eth0 -j DNAT --to 192.168.2.25
>
> My internal ip is 192.168.2.25.
>
> It still doesn't work. Any ideas?
> iksrazal

  # open-ended range: 1024: means 1024 through 65535
  iptables -t nat -A PREROUTING -p tcp --destination-port 1024: -i eth0 -j DNAT --to 192.168.2.25
  iptables -t nat -A PREROUTING -p udp --destination-port 1024: -i eth0 -j DNAT --to 192.168.2.25

  # DNAT alone is not enough; the rewritten packet still has to pass FORWARD
  iptables -A FORWARD -i eth0 -d 192.168.2.25 -o eth1 -j ACCEPT
Sebastian Eidner <guerillia@gmx.de> wrote:
> iksrazal wrote:
>> I'm running a linux desktop which accesses the internet via NAT on a
>> linux box configured with iptables. I can't get licq, kopete or a
>> java-enabled mozilla at go.icq.com to access an icq server.
>>
>> My linux desktop icq client network settings are:
>>
>> server: login.icq.com
>> port: 5190
>> listen 1024-65535 (I want to eventually limit this somehow)
>>
>> I added these rules to the firewall (same thing, just adds both
>> udp/tcp):
>>
>> iptables -t nat -A PREROUTING -p tcp --destination-port 1024:65535 -i
>> eth0 -j DNAT --to 192.168.2.25
>>
>> iptables -t nat -A PREROUTING -p udp --destination-port 1024:65535 -i
>> eth0 -j DNAT --to 192.168.2.25
>>
>> My internal ip is 192.168.2.25.
>>
>> It still doesn't work. Any ideas?
>> iksrazal
>
>
> iptables -t nat -A PREROUTING -p tcp --destination-port 1024: -i
> eth0 -j DNAT --to 192.168.2.25
> iptables -t nat -A PREROUTING -p udp --destination-port 1024: -i
> eth0 -j DNAT --to 192.168.2.25
>
> iptables -A FORWARD -i eth0 -d 192.168.2.25 -o eth1 -j ACCEPT
>

Or without PREROUTING:

  # -i matches the inbound *interface*, so this variable must hold the LAN
  # interface name (e.g. eth1), not an address
  iptables -A FORWARD -i $intern_ip -s 192.168.2.25 -m state --state NEW -j ACCEPT

  # replies and related traffic for connections the desktop opened
  iptables -A FORWARD -d 192.168.2.25 -m state --state RELATED,ESTABLISHED -j ACCEPT

-> Allow new connections from your ip. Everything which is initiated from
your ip and belongs to a persistent connection is allowed.
No problem to tighten this up.

cu.
-harti
> Or without PREROUTING:
>
> iptables -A FORWARD -i $intern_ip -s 192.168.2.25 -m state --state NEW
> -j ACCEPT
>
> iptables -A FORWARD -d 192.168.2.25 -m state --state RELATED,ESTABLISHED
> -j ACCEPT
>
> -> Allow new connections from your ip. Everything which is initiated from
> your ip and belongs to a persistent connection is allowed.
> No problem to tighten this up.

This is the way I have it set up as well (just in the FORWARD chain as a RELATED,ESTABLISHED rule). The only thing that is broken by this kind of setup is DCC SEND. The Windows client mIRC has a setting that allows you to restrict the port range that DCC uses. You can then forward this new restricted port range directly to the correct box by using the PREROUTING chain as the OP proposed. On Linux I've used xchat and KSirc and neither of these clients has the ability to restrict the port for DCC initiated on your side.

I know it seems kind of counter-intuitive that DCC SEND would be broken, not DCC GET, but this is how it works with this particular protocol. There's probably an IRC client out there for Linux that does have the port restricting capabilities, but I haven't looked.

Durk
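The replies above describe two pieces of a NAT gateway: a stateful FORWARD chain (harti's rules, which is all a client-initiated connection such as the login to login.icq.com on port 5190 needs) and, for a client that must accept inbound connections such as DCC SEND, a narrowed port range forwarded with DNAT plus a matching FORWARD accept (Durk's mIRC remark and Sebastian's FORWARD line). The script below is an added example, not code from any poster in this thread, that builds both as one reviewable ruleset. Assumed names: eth0 is the WAN side and eth1 the LAN side, the LAN is 192.168.2.0/24 with the desktop at 192.168.2.25 (the address from the thread), and the forwarded range 5000:5010 is a constructed placeholder; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match the posts use. Setting IPT="echo iptables" prints the rules instead of applying them, so the ruleset can be checked without root.

```shell
#!/bin/sh
# Added example: stateful NAT gateway plus one narrowed inbound port range.
# Interface names, LAN range and the 5000:5010 range are assumptions/placeholders.

WAN_IF="${WAN_IF:-eth0}"                 # assumed: internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface towards the desktop
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # assumed LAN prefix
LAN_HOST="${LAN_HOST:-192.168.2.25}"     # the desktop from the thread
FWD_PORTS="${FWD_PORTS:-5000:5010}"      # constructed: a small restricted listen range
IPT="${IPT:-iptables}"                   # IPT="echo iptables" for a dry run

# Stateful forwarding: the LAN may open new connections outbound; from the
# outside only replies/related packets of those connections get back in.
stateful_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# The one inbound exception: DNAT the restricted range to the desktop and
# accept exactly that range in FORWARD, since DNAT alone never passes FORWARD.
forward_range_rules() {
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$FWD_PORTS" \
            -j DNAT --to-destination "$LAN_HOST"
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$LAN_HOST" \
            --dport "$FWD_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Guard against ranges like 1024:65535 that would expose every high port:
# accept "lo:hi" or a single port, within 1-65535, spanning at most 100 ports.
check_range() {
    lo="${1%%:*}"
    hi="${1##*:}"
    [ "$hi" = "$1" ] && hi="$lo"
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] \
        && [ $((hi - lo)) -le 100 ]
}

# Build the whole ruleset; returns 1 (and adds nothing) for an oversized range.
apply_rules() {
    check_range "$FWD_PORTS" || {
        echo "refusing to forward range $FWD_PORTS: narrow it first" >&2
        return 1
    }
    stateful_forward_rules
    forward_range_rules
}

# Only touch the kernel when explicitly asked (APPLY=1 ./nat_gateway.sh as root).
if [ -n "$APPLY" ]; then
    apply_rules
fi
```

Run it as `IPT="echo iptables" ./nat_gateway.sh`-style dry run first (or call apply_rules with IPT set to echo) to read the generated rules, then `APPLY=1` as root to load them. The check_range guard refuses the 1024:65535 range from the opening post on purpose: forwarding every high port makes the desktop the gateway's default inbound target, which is far wider than a single client's listen range needs.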