Thanks for the reply.

On Tue, Mar 18, 2003 at 10:22:44PM -0500, Joel Newkirk wrote:
> >
> > And the Masquerading rule is:
> > `iptables -t filter -A FORWARD -j MASQUERADE`;
>
> I hope this is a mistype, and you're actually doing this in -t nat -A
> POSTROUTING? The MASQUERADE target is only valid in that chain.

Oops. Yes, it is a mistype. I meant -t nat.

> > The problem occurs when I'm pinging from the notebook (host inside the
> > firewall) to any host outside the firewall.
> >
> > When ppp0 dies and the default route gets changed to eth1 while
> > pinging from the notebook, the ping session is still masqueraded to
> > ppp0's IP address!!, even though the packets are routed through
> > eth1. (I found this by tcpdumping on eth1.)
> >
> > If I stop the ping on the notebook and wait 30 seconds and ping again,
> > it behaves fine.
>
> Is this ALL traffic, or just ICMP? Only if the pinging was already taking
> place as the route was changed?

Yes, just ICMP and only when the pinging was already taking place.

> There's a 30-second timeout, IIRC, on ICMP in conntrack. When MASQUERADE
> detects that a device is no longer available it is supposed to dump all
> conntrack entries associated with that device. It appears that it is
> not doing so, and the entries are simply expiring after timeout. Is
> device ppp0 still in the system, just not valid and not routed through?
> If so, you might try taking it down from your route-changing daemon.

Well, 'ip addr list' shows ppp0 but with no IP address. I tried taking it
down completely (it doesn't show in 'ip add list', no pppd running), but
still the problem exists.

> > Is there any way I can make it behave without "stop-wait30sec"?
> >
> > (By the way, I searched in /proc and tried turning on
> > /proc/sys/net/ipv4/ip_dynaddr, but nothing changed.)
>
> That has to be enabled for the MASQUERADE target to work properly anyway.
>
> j
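The thread above reasons about conntrack entries that keep the dead ppp0 address as their NAT mapping until the ICMP timeout expires. The script below is an added example, not code from either poster: it checks that hypothesis directly by scanning a conntrack table for entries whose reply tuple still points at ppp0's old address, which is exactly what the tcpdump on eth1 would show as packets sourced from the wrong IP. It assumes the 2.4-era /proc/net/ip_conntrack line layout (first src=/dst= pair is the original tuple, second pair is the reply tuple, so the reply dst= is the address MASQUERADE chose), and the sample table, addresses and the helper names are all constructed for the example.

```bash
#!/bin/sh
# Added example for the netfilter thread above; not the original posters' code.
# Assumption: /proc/net/ip_conntrack (2.4 layout). Per line:
#   proto protonum seconds_left [state] src= dst= ...  src= dst= ... [flags] use=
# The second dst= is the reply tuple's destination, i.e. the address
# MASQUERADE rewrote the flow's source to.

# Constructed sample table: two ICMP echo flows still mapped to ppp0's old
# address 198.51.100.7 and one TCP flow already leaving via eth1 as 203.0.113.5.
SAMPLE_CONNTRACK='icmp     1 27 src=192.168.1.10 dst=192.0.2.1 type=8 code=0 id=4660 src=192.0.2.1 dst=198.51.100.7 type=0 code=0 id=4660 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=192.0.2.80 sport=40001 dport=80 src=192.0.2.80 dst=203.0.113.5 sport=80 dport=40001 [ASSURED] use=1
icmp     1 12 src=192.168.1.11 dst=192.0.2.2 type=8 code=0 id=4661 src=192.0.2.2 dst=198.51.100.7 type=0 code=0 id=4661 use=1'

# stale_masq_entries OLD_IP < conntrack-table
# Prints "proto seconds_left orig_src" for every entry whose reply dst is
# OLD_IP, i.e. every flow still being masqueraded to the address ppp0 lost.
# Reads stdin so it can be fed from /proc/net/ip_conntrack or a saved copy.
stale_masq_entries() {
    awk -v ip="$1" '
    {
        n = 0; reply_dst = ""; orig_src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/ && orig_src == "") orig_src = substr($i, 5)
            if ($i ~ /^dst=/) { n++; if (n == 2) reply_dst = substr($i, 5) }
        }
        if (reply_dst == ip) print $1, $3, orig_src
    }'
}

# stale_masq_count OLD_IP < conntrack-table
# Number of such entries; 0 means nothing references the dead address any more.
stale_masq_count() {
    stale_masq_entries "$1" | wc -l | tr -d ' '
}

# flush_stale_masq OLD_IP
# What a route-changing daemon could do instead of waiting out the 30 s ICMP
# timeout: delete every entry whose reply destination is the old ppp0 address
# so the next echo request gets a fresh mapping via eth1. Uses conntrack(8)
# from conntrack-tools (not available to the 2003 posters); needs root and is
# deliberately not invoked here.
flush_stale_masq() {
    conntrack -D -q "$1"
}

# Stand-alone run: show what is still stuck on the old address.
printf '%s\n' "$SAMPLE_CONNTRACK" | stale_masq_entries 198.51.100.7
```

Feed the real table with `stale_masq_entries 198.51.100.7 < /proc/net/ip_conntrack` right after the default route flips; if the count is non-zero while `ip addr list` already shows ppp0 without an address, the entries were not dumped on link loss and are merely ageing out, which is the behaviour the thread describes.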