Derek Knapp
2002-Oct-24 02:43 UTC
[Shorewall-users] connecting to a FTP with non-standard port
Hey,

Basically what I have right now is a SuSE Linux machine as a router using Shorewall 1.3.9b... eth0 is the WAN (24.42.114.37) and eth1 is the local network (192.168.0.1 to 192.168.0.7)...

Now for my problem (well, 2):

1) My friend's FTP is running on port 103... I can connect to his FTP fine from the Linux machine, but not from anywhere else within the internal network.

2) I cannot receive files via ICQ.

Any help would be great.
Tom Eastep
2002-Oct-24 02:56 UTC
[Shorewall-users] connecting to a FTP with non-standard port
Derek Knapp wrote:
> hey,
> basically what i have right now is a suse linux machine as a router
> using shorewall 1.3.9b... eth0 is the wan (24.42.114.37) and eth1 is
> the local network (192.168.0.1 to 192.168.0.7) ...
>
> now for my problem (well 2)
>
> 1) my friends ftp is running on port 103... i can connect to his ftp
> fine from the linux machine.. but not from anywhere else within the
> internal network.

Please see http://www.shorewall.net/ports.htm -- look at the section on FTP. The technique there applies to remote as well as local servers.

>
> 2) i can not receive files via icq
>

My experimentation says that if you are using a Windoze ICQ client, you are hosed. If you use Licq, you can configure a range of ports for incoming requests, then forward those ports to the system where you run your ICQ client (if you have more than one, you need to configure different ranges for each system, and each Licq client needs to be configured accordingly).

I have had no luck with this technique using the Windoze ICQ2000b even though there seems to be a way in that client to configure incoming ports.

See http://www.shorewall.net/myfiles.htm -- I use ports 4000-4100 on my local system (192.168.1.3). I use static NAT so your rule will be slightly different if you use SNAT/Masquerading (DNAT vs ACCEPT).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Oct-24 14:39 UTC
[Shorewall-users] ICQ (was: connecting to a FTP with non-standard port)
Derek Knapp wrote:
> i dont 100% understand...
>
> so i have to put licq on the linux machine?? or on the windows ones within
> the internal network... either way what rules would i have to add

Ok -- let's try it again.

1. I personally have had poor luck with the Windoze based ICQ client and masquerading firewalls but since LICQ on my Linux system works so well, I haven't been very motivated to make it work. Your mileage may vary.

2. If you want to try to make your Windoze ICQ client work with Shorewall, I suggest that you:

a) Configure your ICQ client to use a particular port range for incoming requests - I'll assume that you will use 4000-4100. And don't ask me how to do that because I don't have the thing installed anywhere in my network. You'll have to hunt around in the network configuration menu where firewall configuration is done. Just DON'T configure the client to use SOCKS.

b) Add a simple rule to Shorewall. If your Windoze system is 192.168.1.4, the rule is:

    DNAT net loc:192.168.1.4 tcp 4000:4100

-Tom

PS -- It has been my experience that even though the client is configured to listen on the port range 4000:4100, it tends to ignore that directive and listens on a port of its own choosing - usually in the 7000-8000 range. Have any other list members had different experiences?

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
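
Added example, not part of the thread and not Shorewall code: a small generator for the rules discussed in the replies above, covering both the "different ranges for each system" requirement and the DNAT (masquerading) versus ACCEPT (static NAT) distinction. The function names are hypothetical and the second host and its range in the sample are constructed.

```python
from ipaddress import ip_address


def parse_range(text):
    """Parse a 'low:high' port range as written in the thread's rule."""
    low, high = (int(part) for part in text.split(":"))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return low, high


def icq_rules(assignments, nat="masq"):
    """Return Shorewall rules-file lines for per-host incoming port ranges.

    assignments: {local_ip: 'low:high'}, one entry per ICQ client system.
    nat: 'masq' emits DNAT rules (SNAT/masquerading setups),
         'static' emits ACCEPT rules (static NAT setups).
    """
    action = {"masq": "DNAT", "static": "ACCEPT"}[nat]
    # ip_address() rejects malformed addresses before they reach the file.
    ranges = sorted(
        (parse_range(ports), str(ip_address(ip)))
        for ip, ports in assignments.items()
    )
    # Each system needs its own range. After sorting by low port, any
    # overlap shows up between neighbours, so one pass is enough.
    for ((_, hi1), ip1), ((lo2, _), ip2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            raise ValueError(f"port ranges for {ip1} and {ip2} overlap")
    return [
        f"{action} net loc:{ip} tcp {lo}:{hi}" for (lo, hi), ip in ranges
    ]


if __name__ == "__main__":
    # Constructed sample: the host from the thread plus a second client.
    sample = {"192.168.1.4": "4000:4100", "192.168.1.5": "4101:4200"}
    for line in icq_rules(sample):
        print(line)
```

The forwarded range only helps if the client really listens inside it, which the PS above reports is not always the case.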