Mailing List Archive

Iptables and isdn connection
I have a RH 7.1 on a PC I use as gateway to internet for a small lan.
So I have:
kernel 2.4.2-2
iptables 1.2.1a

My LAN uses IP 192.168.0.x
Linux PC has IP 192.168.0.101

Using isdn-config I set up the ISDN card and added a provider. I set up autodial
also.
I can connect to my provider and navigate the Internet.

Then I added the following rule to netfilter:

iptables -t nat -A POSTROUTING -s 192.168.0/24 -o ippp0 -j MASQUERADE

With this I can navigate Internet from my lan.

My problem is that the first request from my lan.

Using tcpdump and adding some rules with target LOG in netfilter I can see
the following:

The request transit the nat PREROUTING chain, then the FORWARD chain and
then the nat POSTROUTING chain. Here the source ip is changed.

Soon after a reboot the POSTROUTING chain assigns IP 192.168.0.101 as source
IP (ISDN was never connected so there isn't a local IP on interface ippp0),
but when ISDN sets the local and remote IP of interface ippp0, retransmitted
packets coming from the LAN are still masqueraded with the old IP.
So I have a request going to Internet with source ip 192.168.0.101.

How can I solve this?

Thanks in advance
Gelpi ing. Andrea
Trento (Italy)
---------------------------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
---------------------------------------------------------------
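The symptom described in the post above, packets leaving ippp0 that still carry a 192.168.0.x source, can be checked mechanically from `tcpdump -n` text output taken on the WAN interface. This is an added example, not part of the original thread; the function names and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `tcpdump -n` text output captured on
# the WAN interface and counts packets whose source is an RFC 1918 address.
find_private_src_leaks() {
    awk '
    {
        # Find the "src > dst:" triple, with or without a leading "IP" tag.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i - 1); dst = $(i + 1)
        sub(/:$/, "", dst)
        # tcpdump appends the port as a fifth dotted field; keep four octets.
        if (split(src, s, ".") < 4 || split(dst, d, ".") < 4) next
        src = s[1] "." s[2] "." s[3] "." s[4]
        dst = d[1] "." d[2] "." d[3] "." d[4]
        private = (s[1] == 10) ||
                  (s[1] == 172 && s[2] >= 16 && s[2] <= 31) ||
                  (s[1] == 192 && s[2] == 168)
        if (private) count[src " -> " dst]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# Constructed capture: two SYNs and a DNS query (tag-less line format) sent with
# the gateway's LAN address as source, then correctly masqueraded traffic.
sample_capture() {
    cat <<'EOF'
10:15:01.000001 IP 192.168.0.101.1025 > 203.0.113.5.80: Flags [S], seq 1, win 5840, length 0
10:15:04.000002 IP 192.168.0.101.1025 > 203.0.113.5.80: Flags [S], seq 1, win 5840, length 0
10:15:05.000003 192.168.0.101.1027 > 203.0.113.9.53: 1+ A? example.org. (29)
10:15:10.000004 IP 198.51.100.77.1026 > 203.0.113.5.80: Flags [S], seq 9, win 5840, length 0
10:15:10.100005 IP 203.0.113.5.80 > 198.51.100.77.1026: Flags [S.], seq 3, ack 10, win 5792, length 0
EOF
}

# Prints one "<packet count> <src> -> <dst>" line per leaking flow.
sample_capture | find_private_src_leaks
```

On the gateway the same function can read a bounded live capture, for example `tcpdump -n -c 200 -i ippp0 | find_private_src_leaks`; any output line means a packet left the WAN interface with a private source address.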
Re: Iptables and isdn connection [ In reply to ]
Mr. Andrea,

Try this:

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

This is a hack which will re-write socket addresses for (I think) TCP
streams which were started before a real address became available.
However, there are a few bugs in either ip_dynaddr or the MASQUERADE
target. AFAIK it should work.

Brad

Re: Iptables and isdn connection [ In reply to ]
Mr. Andrea,

IIRC, someone reported problems concerning the use of netfilter with
ip_dynaddr. He couldn't get it to work right either. Apparently, when it
is used in conjunction with the MASQUERADE target, something breaks. AFAIK,
a fix went in sometime around 2.4.4. What's your kernel version?

Brad

Gelpi Andrea wrote:

> I checked ip_dynaddr but I found it already set.
> There must be something else.
>
> Thank You
>
> Gelpi ing. Andrea
RE: Iptables and isdn connection [ In reply to ]
I checked ip_dynaddr but I found it already set.
There must be something else.

Thank You

Gelpi ing. Andrea
RE: Iptables and isdn connection [ In reply to ]
RH 7.1 comes with kernel 2.4.2-2.
On the Red Hat server there is an RPM for kernel 2.4.3.
I'm thinking of trying it.

In my system the command

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

is included in /etc/rc3.d/S08isdn

Thank You
Gelpi ing. Andrea

> -----Original Message-----
> From: Brad Chapman [mailto:kakadu@earthlink.net]
> Sent: Saturday 28 July 2001 15.21
> To: gelpi@corona.it
> Cc: netfilter@lists.samba.org
> Subject: Re: Iptables and isdn connection
>
>
> Mr. Andrea,
>
> IIRC, someone reported problems concerning the use of netfilter with
> ip_dynaddr. He couldn't get it to work right either. Apparently, when it
> is used in conjunction with the MASQUERADE target, something breaks. AFAIK,
> a fix went in sometime around 2.4.4. What's your kernel version?
>
> Brad