Re: ipmasq (iptables), pppd and changing ip address

To: debian-firewall@lists.debian.org
Subject: Re: ipmasq (iptables), pppd and changing ip address
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Date: Mon, 13 Mar 2006 23:42:13 +0100
Message-id: <[🔎] 4415F545.6030301@plouf.fr.eu.org>
In-reply-to: <[🔎] dv4o1r$k73$03$1@news.t-online.com>
References: <[🔎] dv4o1r$k73$03$1@news.t-online.com>

Ola,

Vincent Smeets a écrit :

The first TCP connection that is triggering pppd to dail (on demand) isalways getting an error (timeout). Following TCP connections are OK.

[...]

I have an ISDN card with CAPI and pppd configured (ppp0) to dail ondemand. I am getting an IP address asigned for my ppp0 interface by theprovider. This IP address is changing every time I am dailing.

[...]

I think that I understand the problem. In the case that pppd has hung upthe phone, then the routing table, the iptables and the ppp0 interfaceall have the old ip address. when I now want to make a newTCP-connection, the first packet passes the routing table and theiptables and gets masqueraded for the old ip address. Now pppd getstriggered and dials the provider to send the packet. It gets a newconnection to the provider and sends the packet (all OK). In the meanwhile, pppd has got an new ip address an updates the routing table andthe iptables for this address.


That seems correct AFAIK.

Now a response is comming back for mypacket but with a destination address of my old ip address. This ipaddress is now blocked by the iptables. This results in a timeout forthis TCP-connection.

A response packet would match the entry in the conntrack-NAT tablecreated by the outgoing packet an would be seen as ESTABLISHED, so Idon't think iptables would drop it. But actually you won't even receiveany response packet : your ISP won't route it on your line because thedestination address is not yours. Your ISP may even have dropped yourourgoing packet because its source address is not the one that has beenassigned to your line, as a protection against spoofing.

All the following TCP-connections go through without problems becauseall the tables are set up correctly.
Does anybody have the same problem or has found a solution to it?


Here is what the pppd manpage states :

"When the demand option is used, the interface IP addresses have alreadybeen set at the point when IPCP comes up. If pppd has not been able tonegotiate the same addresses that it used to configure the interface(for example when the peer is an ISP that uses dynamic IP addressassignment), pppd has to change the interface IP addresses to the nego-tiated addresses. This may disrupt existing connections, and the useof demand dialling with peers that do dynamic IP address assignment isnot recommended."

In short : the dial-on-demand option won't work properly with a dynamicIP address. I'm afraid the problem is inherent to the kernel networkingstructure itself. A workaround could be to send another type of packetbefore the TCP SYN, such as an ICMP ping or a UDP DNS request, if possible.

Reply to:

References:
- ipmasq (iptables), pppd and changing ip address
  - From: Vincent Smeets <V.Smeets@T-Online.de>

Prev by Date: ipmasq (iptables), pppd and changing ip address
Next by Date: Re: Re: Firewall - DROP or DENY
Previous by thread: ipmasq (iptables), pppd and changing ip address
Next by thread: Re: Re: Firewall - DROP or DENY
Index(es):
- Date
- Thread