
RE: Postrouting problem with Sarge firewall



On Mon, Sep 06, 2004 at 08:25:48AM +1000, david kwok wrote:
[SNIP]
This firewall script somehow works intermittently. When it disconnects and reconnects to the ISP, the postrouting rules do not seem to translate the internal address of the pbx server to the current public IP address and as a result the packets from the other end cannot come back to the pbx box.

I have only had a short look on the script, but to me it looks as if your firewall-tables are not reinitialized after reconnect. As it is very likely that you have a different public IP address then, the address in use when the script was first started is not current anymore and therefore the firewall rules translate the pbx-server address to the old public IP.

We have a similar setup here. I set up the rules which are independent of the public IP and saved them using /etc/init.d/iptables to the "active" set. That way they are initialized when the system comes up. In addition I have two scripts in /etc/ppp/ip-up.d resp. /etc/ppp/ip-down.d which set up resp. clean up the additional rules dependent on the public IP address.

Any suggestions as to why it does not follow the rules are most appreciated.

Actually it does, but the rules don't contain the "correct", i.e. current, public IP address.

I rerun the same firewall script while the current IP address is established. But tcpdump still shows the same situation.

ate:~# tcpdump -i ppp0 port 4569
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
13:44:28.573768 IP 192.168.1.10.4569 > adsl-35-158.swiftdsl.com.au.4569: UDP, length: 12
13:44:28.573872 IP 192.168.1.10.4569 > adsl-35-158.swiftdsl.com.au.4569: UDP, length: 12
13:44:28.573908 IP 192.168.1.10.4569 > adsl-37-134.swiftdsl.com.au.4569: UDP, length: 12

It looks as if the IP masquerade is not working at all even after rerunning.

Regards
David Kwok
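The setup described in the reply (static rules saved with /etc/init.d/iptables, plus a hook in /etc/ppp/ip-up.d that re-creates the address-dependent rules on every connect), written out as an added example that is not a script from this thread. It assumes the PBX is 192.168.1.10 speaking UDP 4569 (the values visible in the tcpdump), a LAN of 192.168.1.0/24, and a chain named PBX_NAT that the saved static ruleset jumps to from POSTROUTING on ppp0.

```shell
#!/bin/sh
# Added example for /etc/ppp/ip-up.d (not a script from this thread). It
# refreshes only the NAT rules that carry the public address, so the new
# address after a reconnect is used instead of the one from first boot.
# Assumptions not stated in the thread: PBX at 192.168.1.10 speaking UDP 4569
# (values seen in the tcpdump), LAN 192.168.1.0/24, and a chain named PBX_NAT
# that the static, saved ruleset jumps to from POSTROUTING on ppp0.
set -eu

PBX_LAN_IP="192.168.1.10"
PBX_UDP_PORT="4569"
LAN_NET="192.168.1.0/24"
CHAIN="PBX_NAT"

# Debian's /etc/ppp/ip-up exports the interface and local address as
# PPP_IFACE / PPP_LOCAL and also passes them as $1 / $4; accept either.
IFACE="${PPP_IFACE:-${1:-}}"
PUBLIC_IP="${PPP_LOCAL:-${4:-}}"

# Accept only a dotted quad before it is spliced into a rule.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the address-dependent rules, one iptables command per line. Kept apart
# from execution so they can be reviewed without root (and checked by a test).
nat_rules() {
    iface="$1"; pub_ip="$2"
    # Fixed SNAT for the PBX: replies from the remote peer must map back to it.
    echo "iptables -t nat -A $CHAIN -o $iface -s $PBX_LAN_IP -p udp --sport $PBX_UDP_PORT -j SNAT --to-source $pub_ip"
    # Rest of the LAN: MASQUERADE looks up the current interface address itself.
    echo "iptables -t nat -A $CHAIN -o $iface -s $LAN_NET -j MASQUERADE"
}

apply_rules() {
    iface="$1"; pub_ip="$2"
    valid_ipv4 "$pub_ip" || { echo "ip-up: bad local IP '$pub_ip'" >&2; return 1; }
    # Flush our own chain so rules holding the old public IP disappear first.
    iptables -t nat -F "$CHAIN"
    nat_rules "$iface" "$pub_ip" | sh -e
}

# Only act when pppd called us with an interface and an address.
if [ -n "$IFACE" ] && [ -n "$PUBLIC_IP" ]; then
    apply_rules "$IFACE" "$PUBLIC_IP"
fi
```

The matching /etc/ppp/ip-down.d script only needs `iptables -t nat -F PBX_NAT`; a rule that hard-codes the public address in SNAT is exactly what goes stale across a reconnect, whereas MASQUERADE reads the interface's current address on each packet.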



