Help: iptables NAT broken with pppoe

Hi,

I am new to this list, so please excuse me if this is a dumb question.

I have a small home network looking as follows:

        192.168.42.3
        -----------     -------
       | PMac G4   |   |       |---DSL Modem (ppp0)
ISDN---|ippp0  eth0|---|Switch |---two computers, printer (192.168.42.x)
        -----------     -------

The machine marked as "PMac G4" is a Powermac G4/800 "Silver", running Linux 2.6.11.4 on the Yellowdog 4.01 distro, which includes iptables v1.2.9.

I had an "old" setup with the G4 working as router via the isdn adaptor, which worked flawlessly. I now switched to ADSL, so I removed the ISDN connection and just changed to ppp0 using the kernel-based pppoe driver.

Now the machines in my "local" net can still connect to the G4, but nat/masquerading to the outside world fails. I stripped down my ipfilter config to a completely open one (see attached fw.sh script), but still had no success.

Running tcpdump on both eth0 and ppp0, I saw that e.g. an HTTP request from one of the local machines (see 2nd attachment) is actually passed via ppp0 to the remote host. However, all reply packets from that box are never passed back to eth0, so this looks to me as if masquerading somehow fails.

Does anyone know what I missed here? The same iptables setup (actually a lot stricter, i.e. a "real" firewall) worked fine with isdn/ippp0. I also verified that it is at least technically working; running the G4 under MacOS 10.3.9 client, with a little ipfw and natd fiddling the machine is doing nat as expected. However, as I usually use Linux, a running nat setup with iptables is really important for me.

HELP - I am really lost here, so any help/pointer would be really welcome!

Thanks in advance, Albrecht.


--
Albrecht Dreß - Johanna-Kirchner-Straße 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress@xxxxxxxx
GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc

Attachment: fw.sh
Description: application/shellscript

[root@antares root]# tcpdump -nn -i eth0 tcp port 80
18:16:21.012143 IP 192.168.42.4.49223 > 213.95.27.115.80: S 2685214081:2685214081(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2148180757 0>
18:16:23.779283 IP 192.168.42.4.49223 > 213.95.27.115.80: S 2685214081:2685214081(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2148180762 0>
18:16:26.626863 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2148180768 0>
18:16:29.278717 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2148180773 0>
18:16:32.278383 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 2148180779 0>
18:16:35.278053 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460>
18:16:38.277733 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460>
18:16:41.277416 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460>
18:16:47.276686 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[root@antares root]# tcpdump -nn -i ppp0 tcp port 80 2> tcpdump.ppp0
18:16:21.012206 IP 84.44.131.113.49223 > 213.95.27.115.80: S 2685214081:2685214081(0) win 65535 <mss 1452,nop,wscale 0,nop,nop,timestamp 2148180757 0>
18:16:21.085651 IP 213.95.27.115.80 > 84.44.131.113.49223: S 2677460604:2677460604(0) ack 2685214082 win 5792 <mss 1460,nop,nop,timestamp 1472713132 2148180757,nop,wscale 2>
18:16:21.085748 IP 84.44.131.113.49223 > 213.95.27.115.80: R 2685214082:2685214082(0) win 0
18:16:23.779332 IP 84.44.131.113.49223 > 213.95.27.115.80: S 2685214081:2685214081(0) win 65535 <mss 1452,nop,wscale 0,nop,nop,timestamp 2148180762 0>
18:16:23.841268 IP 213.95.27.115.80 > 84.44.131.113.49223: S 2680216981:2680216981(0) ack 2685214082 win 5792 <mss 1460,nop,nop,timestamp 1472715888 2148180762,nop,wscale 2>
18:16:23.841326 IP 84.44.131.113.49223 > 213.95.27.115.80: R 2685214082:2685214082(0) win 0
18:16:26.626918 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452,nop,wscale 0,nop,nop,timestamp 2148180768 0>
18:16:26.689960 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2688743097:2688743097(0) ack 2390183935 win 5792 <mss 1460,nop,nop,timestamp 1472718737 2148180768,nop,wscale 2>
18:16:26.690000 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:29.278746 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452,nop,wscale 0,nop,nop,timestamp 2148180773 0>
18:16:29.343266 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2691397130:2691397130(0) ack 2390183935 win 5792 <mss 1460,nop,nop,timestamp 1472721391 2148180773,nop,wscale 2>
18:16:29.343295 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:32.278425 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452,nop,wscale 0,nop,nop,timestamp 2148180779 0>
18:16:32.341042 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2694396243:2694396243(0) ack 2390183935 win 5792 <mss 1460,nop,nop,timestamp 1472724390 2148180779,nop,wscale 2>
18:16:32.341114 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:35.278094 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452>
18:16:35.339906 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2697395925:2697395925(0) ack 2390183935 win 5840 <mss 1460>
18:16:35.339928 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:38.277765 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452>
18:16:38.334399 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2700391695:2700391695(0) ack 2390183935 win 5840 <mss 1460>
18:16:38.334470 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:41.277463 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452>
18:16:41.334072 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2703391278:2703391278(0) ack 2390183935 win 5840 <mss 1460>
18:16:41.334119 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
18:16:47.276735 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452>
18:16:47.333126 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2709392375:2709392375(0) ack 2390183935 win 5840 <mss 1460>
18:16:47.333171 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0


Attachment: pgptnG7bylYnR.pgp
Description: PGP signature
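
What the two captures show, as an added example that is not part of the original post: the script pairs each SYN-ACK arriving on ppp0 with an RST sent back from the masqueraded address and checks that the reply never appears on eth0. The function names and the 5 ms threshold are assumptions made here; the sample lines are copied from the 18:16:35 retry in the captures above.

```python
import re
from datetime import datetime
# Old-style tcpdump line: time, src.port > dst.port: flags, rest of line
PKT = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")

# Lines copied from the post's two captures (the 18:16:35 retry).
LAN_CAPTURE = """\
18:16:35.278053 IP 192.168.42.4.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1460>
"""
WAN_CAPTURE = """\
18:16:35.278094 IP 84.44.131.113.49224 > 213.95.27.115.80: S 2390183934:2390183934(0) win 65535 <mss 1452>
18:16:35.339906 IP 213.95.27.115.80 > 84.44.131.113.49224: S 2697395925:2697395925(0) ack 2390183935 win 5840 <mss 1460>
18:16:35.339928 IP 84.44.131.113.49224 > 213.95.27.115.80: R 2390183935:2390183935(0) win 0
"""

def parse(capture):
    """Return a list of packet dicts; lines that are not TCP packets are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, flags, rest = m.groups()
        pkts.append({
            "t": datetime.strptime(ts, "%H:%M:%S.%f"),
            "src": (src, int(sport)), "dst": (dst, int(dport)),
            "syn": "S" in flags, "rst": "R" in flags,
            "ack": re.search(r"\back \d+", rest) is not None,
        })
    return pkts

def rejected_replies(wan, lan, max_gap_ms=5.0):
    """SYN-ACKs seen on the WAN side that never show up on the LAN side and
    are answered with RST from the translated address within max_gap_ms."""
    lan_sources = {p["src"] for p in lan}
    hits = []
    for i, p in enumerate(wan):
        if not (p["syn"] and p["ack"]) or p["src"] in lan_sources:
            continue  # not a SYN-ACK, or the reply was forwarded to the LAN
        for q in wan[i + 1:]:
            gap = (q["t"] - p["t"]).total_seconds() * 1000
            if gap > max_gap_ms:
                break
            if q["rst"] and q["src"] == p["dst"] and q["dst"] == p["src"]:
                hits.append((p["src"], p["dst"], round(gap, 3)))
                break
    return hits
```

Each hit is a reply that was reset from the gateway's own ppp0 address within microseconds and never reached eth0, so the outbound source rewrite works and the fault lies in how the gateway handles the returning packet.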

