Hello Phil,

PB> > the UDP packet is masqueraded
PB> > correctly and triggers the PPP dial-out to my ISP. But
PB> > finally, the UDP packet gets dropped out there because no
PB> > address rewriting is done for UDP packets

PB> If no address rewriting is done you need to check your ipchains
PB> rules.

Hm, AFAIK there is only address rewriting for TCP packets with SYN set,
or am I wrong here? Address rewriting works perfectly with my
configuration for TCP packets with the SYN bit set (see below).

PB> Can you post them here?

Hm, there is nothing very critical about them, so I can do that. I hope
nobody minds this lengthy posting.

'localnet' is my local network, which host 'gateway' connects to the
internet. 'nameserver' is the nameserver of my ISP. '100.100.100.1' is
the actual dynamic IP address of the ippp interface (the firewall rules
are updated to match the actual dynamic addresses each time the link
comes up, with an ip-up script). Those chains "Cx" which the built-in
chains branch to are for accepting selected TCP and ICMP packets from
localnet to gateway, and from the internet to gateway, respectively.
(Simple packet forwarding using kernel IP masquerading is only done for
those UDP connections with 'nameserver'.)

--------------------------------- Snip! -------------------------------
Chain input (policy DENY: 0 packets, 0 bytes):
target  prot opt    ifname  source          destination    ports
C1      all  ------ eth0    localnet/24     gateway        n/a
C7      all  ------ ippp0   anywhere        100.100.100.1  n/a
ACCEPT  udp  ----l- eth0    localnet/24     nameserver     1024:65535 -> domain
ACCEPT  udp  ----l- ippp0   nameserver      100.100.100.1  domain -> 1024:65535
DENY    all  ----l- any     anywhere        anywhere       n/a

Chain forward (policy DENY: 0 packets, 0 bytes):
target  prot opt    ifname  source          destination    ports
MASQ    udp  ----l- ippp0   localnet/24     nameserver     1024:65535 -> domain
DENY    all  ----l- any     anywhere        anywhere       n/a

Chain output (policy DENY: 0 packets, 0 bytes):
target  prot opt    ifname  source          destination    ports
C3      all  ------ eth0    gateway         localnet/24    n/a
C5      all  ------ ippp0   100.100.100.1   anywhere       n/a
ACCEPT  udp  ----l- ippp0   100.100.100.1   nameserver     1024:65535 -> domain
ACCEPT  udp  ----l- eth0    nameserver      localnet/24    domain -> 1024:65535
DENY    all  ----l- any     anywhere        anywhere       n/a
--------------------------------------------------------------------------

Here is some debug output. 181.119.93.94 is the nameserver of my ISP.
10.20.30.* is my local net. This is a dialup triggered by a TCP packet.
One can see that address rewriting works:

--------------------------------- Snip! -------------------------------
Oct 3 14:15:13 gateway kernel: Packet log: output - ippp0 PROTO=6 181.120.8.51:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8225 F=0x0000 T=64 SYN (#1)
Oct 3 14:15:13 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:15:15 gateway ipppd[169]: Remote message:
Oct 3 14:15:15 gateway ipppd[169]: MPPP negotiation, He: No We: No
Oct 3 14:15:15 gateway ipppd[169]: local IP address 183.113.37.180
Oct 3 14:15:15 gateway ipppd[169]: remote IP address 183.22.65.43
Oct 3 14:15:16 gateway kernel: tcp_v4_rebuild_header(): shifting sk->saddr from 181.120.8.51 to 183.113.37.180
Oct 3 14:15:22 gateway kernel: Packet log: output - ippp0 PROTO=6 183.113.37.180:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8227 F=0x0000 T=64 SYN (#1)
[...]
Oct 3 14:16:37 gateway ipppd[169]: Modem hangup
Oct 3 14:16:37 gateway ipppd[169]: Connection terminated.
--------------------------------------------------------------------------

Later, a forwarding request from bind from the internal network triggers
the next dialout, but no address rewriting takes place. In particular,
it seems that the UDP packet has successfully made its way across ippp0,
since there is no more log entry (all UDP packets would have been logged
in this configuration):

--------------------------------- Snip! -------------------------------
Oct 3 14:51:46 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=64 (#4)
Oct 3 14:51:46 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#2)
Oct 3 14:51:46 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 183.113.37.180:61033 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#4)
Oct 3 14:51:46 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:51:48 gateway ipppd[169]: Remote message:
Oct 3 14:51:48 gateway ipppd[169]: MPPP negotiation, He: No We: No
Oct 3 14:51:48 gateway ipppd[169]: local IP address 181.120.8.211
Oct 3 14:51:48 gateway ipppd[169]: remote IP address 183.22.65.41
[nothing happens here until I start the call to 'nslookup' again:]
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=64 (#4)
Oct 3 14:52:07 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63 (#2)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 181.120.8.211:61034 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63 (#4)
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT ippp0 PROTO=17 181.119.93.94:53 181.120.8.211:61034 L=132 S=0x00 I=14087 F=0x4000 T=252 (#5)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT eth0 PROTO=17 181.119.93.94:53 10.20.30.200:1038 L=132 S=0x00 I=14087 F=0x4000 T=251 (#5)
--------------------------------------------------------------------------

Greetings,
Thomas
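The following is an added example and not part of Thomas's post, of ipchains or of ipppd. It reads the kernel "Packet log:" lines and the ipppd "local IP address" lines quoted above (copied into the script as sample input) and separates the two things the thread is comparing: the packet that left ippp0 while the link was still down and so carried the address from the previous session (the dial trigger), and a later packet for the same flow that the kernel sent with the newly assigned address before any fresh packet arrived from the LAN (a kernel resend, which is what the TCP excerpt shows and the UDP excerpt does not). The interface names ippp0/eth0, the use of "Modem hangup" / "Connection terminated" as link-down markers, and the "no LAN input between link-up and the resend" heuristic are assumptions of this example, not something the post states.

```python
"""Classify packets that left a dial-on-demand link: dial trigger carrying a
stale source address, kernel resend with the new address, or neither."""
import re

# Sample input: log lines copied from the post above ("XX.XX.XX.XX" is the
# web server address as redacted there; the "[...]" gap is left out).
LOG = """\
Oct 3 14:15:13 gateway kernel: Packet log: output - ippp0 PROTO=6 181.120.8.51:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8225 F=0x0000 T=64 SYN (#1)
Oct 3 14:15:13 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:15:15 gateway ipppd[169]: local IP address 183.113.37.180
Oct 3 14:15:16 gateway kernel: tcp_v4_rebuild_header(): shifting sk->saddr from 181.120.8.51 to 183.113.37.180
Oct 3 14:15:22 gateway kernel: Packet log: output - ippp0 PROTO=6 183.113.37.180:1687 XX.XX.XX.XX:80 L=60 S=0x00 I=8227 F=0x0000 T=64 SYN (#1)
Oct 3 14:16:37 gateway ipppd[169]: Modem hangup
Oct 3 14:16:37 gateway ipppd[169]: Connection terminated.
Oct 3 14:51:46 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=64 (#4)
Oct 3 14:51:46 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#2)
Oct 3 14:51:46 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 183.113.37.180:61033 181.119.93.94:53 L=56 S=0x00 I=4922 F=0x0000 T=63 (#4)
Oct 3 14:51:46 gateway kernel: ippp0: dialing 1 0191011...
Oct 3 14:51:48 gateway ipppd[169]: local IP address 181.120.8.211
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT eth0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=64 (#4)
Oct 3 14:52:07 gateway kernel: Packet log: forward MASQ ippp0 PROTO=17 10.20.30.200:1038 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63 (#2)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT ippp0 PROTO=17 181.120.8.211:61034 181.119.93.94:53 L=56 S=0x00 I=4929 F=0x0000 T=63 (#4)
Oct 3 14:52:07 gateway kernel: Packet log: input ACCEPT ippp0 PROTO=17 181.119.93.94:53 181.120.8.211:61034 L=132 S=0x00 I=14087 F=0x4000 T=252 (#5)
Oct 3 14:52:07 gateway kernel: Packet log: output ACCEPT eth0 PROTO=17 181.119.93.94:53 10.20.30.200:1038 L=132 S=0x00 I=14087 F=0x4000 T=251 (#5)
"""

# ipchains kernel log: "<chain> <target> <ifname> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
PKT_RE = re.compile(
    r"(\d\d:\d\d:\d\d) \S+ kernel: Packet log: (\w+) (\S+) (\S+) "
    r"PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")
LOCAL_IP_RE = re.compile(r"ipppd\[\d+\]: local IP address (\S+)")
# Assumed link-down markers (taken from the ipppd lines in the post).
LINK_DOWN_MARKERS = ("Modem hangup", "Connection terminated")
PROTO_NAMES = {"6": "tcp", "17": "udp"}


def analyze(log_text, link="ippp0", lan="eth0"):
    """Walk the log once; return one dict per packet that left `link`.

    kind is one of:
      trigger      sent while the link was down (started the dial-out); its
                   source is whatever the socket / masquerade entry still held
      resent       same proto+destination as the open trigger, sent with the
                   new link address before any fresh LAN input arrived
      stale_source sent while up, but not from the link's current address
      ok           source matches the current link address
    A trigger's "resent" flag becomes True once its resend is seen."""
    link_ip = None            # address ipppd assigned; None while down
    lan_seen_since_up = False
    open_trigger = None       # trigger still waiting for a kernel resend
    findings = []
    for line in log_text.splitlines():
        m = LOCAL_IP_RE.search(line)
        if m:
            link_ip, lan_seen_since_up = m.group(1), False
            continue
        if any(marker in line for marker in LINK_DOWN_MARKERS):
            link_ip = None
            continue
        m = PKT_RE.search(line)
        if not m:
            continue
        when, chain, _target, ifname, proto, src, _sport, dst, dport = m.groups()
        if chain == "input" and ifname == lan:
            lan_seen_since_up = True      # a new datagram from the LAN
            continue
        if chain != "output" or ifname != link:
            continue
        entry = {"time": when, "proto": PROTO_NAMES.get(proto, proto),
                 "src": src, "dst": f"{dst}:{dport}", "resent": False}
        if link_ip is None:
            entry["kind"] = "trigger"
            open_trigger = entry
        elif src != link_ip:
            entry["kind"] = "stale_source"   # reply can never come back
        elif (open_trigger is not None and not lan_seen_since_up
              and (open_trigger["proto"], open_trigger["dst"])
              == (entry["proto"], entry["dst"])):
            entry["kind"] = "resent"
            open_trigger["resent"] = True
            open_trigger = None
        else:
            entry["kind"] = "ok"
            open_trigger = None
        findings.append(entry)
    return findings


def unresent_triggers(findings):
    """Dial triggers whose flow never reappeared with the new link address."""
    return [f for f in findings if f["kind"] == "trigger" and not f["resent"]]


if __name__ == "__main__":
    results = analyze(LOG)
    for f in results:
        print(f"{f['time']} {f['kind']:13} {f['proto']} {f['src']} -> {f['dst']}")
    for f in unresent_triggers(results):
        print(f"never resent: {f['proto']} {f['src']} -> {f['dst']} ({f['time']})")
```

Run on the quoted excerpts, the TCP SYN at 14:15:13 is reported as a trigger that was resent (the 14:15:22 SYN from 183.113.37.180 follows with no new LAN input in between), while the UDP query at 14:51:46 is a trigger that was never resent: the 14:52:07 datagram only appears after a fresh eth0 input, i.e. after the second nslookup, so the first query left the link with the previous session's address and its reply had nowhere to go.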