
Re: iptables modules kill ppp



	Subject: RE: iptables modules kill ppp
	Date: Mon, Jul 02, 2001 at 01:47:59PM -0500

In reply to:garman

Quoting garman(garman@students.uiuc.edu):
> >
> >Please define, "PPP won't work".
> 
> I meant it won't work as in what I described in my previous email post to the 
> list about PPP not working with a kernel upgrade.
> 
> To recap: I can use pon to dial my ISP, I connect, and get an IP number 
> assigned.  /sbin/route shows that everything is setup as expected.  However, 
> with the iptables modules loaded, I cannot use any network programs.  It is 
> not possible to do DNS lookups.  If I try to ping a host, using its numerical 
> IP address, *as root*, I get the following error:
> 
> "sendto: operation not permitted"
> 
> >Can you use the net from the firewall?
> >Does the connection drop, or do you mean that systems behind the
> >firewall can't connect to the net?
> 
> The connection does not drop.  I meant to stress in my original post that 
> these things happen *with no firewall*, or at least, no iptables rules.  In 
> other words, I flush all the rulesets, and set the default policy of all 
> built-in chains to ACCEPT.  So there is effectively no real firewall.

So from the above, if you didn't start the firewall in the first
place, the connections to the net are OK.  Then if you start the
firewall, your system still being connected, you can no longer ping
your ISP.  Then if you bring the firewall down, normally, you still
can't ping the ISP.

Something is wrong with the firewall script.  I have never seen that
happen here, even with really screwed up rules.  I think that your
flushing procedure is in error somehow.  To test that, try

/sbin/iptables -L -n -v ; /sbin/iptables -L -t nat -n -v ;
/sbin/iptables -L -t mangle -n -v

I think you will find you still have some rules there.

What version of iptables are you running?  Mine is 1.2.2-1.bunk.
> 
> But once I use rmmod to remove all the iptables-related modules, the PPP 
> problem goes away.
> 

I would suggest that you put your firewall script in /etc/init.d and
set it up like the other scripts in that dir.  That way it would be
easier for you to test the firewall script, and also easier to shut
it down.  I suspect that you have a problem in the firewall script;
i.e. you may have created a table that is not being flushed on stopping
the firewall.

Here is how my /etc/init.d/firewall ends:

        echo "Done"
        ;;

    stop)
        # flush every chain in every table, then remove the user-defined chain
        $IPTABLES -F
        $IPTABLES -t filter -F INPUT
        $IPTABLES -t filter -F OUTPUT
        $IPTABLES -t filter -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F
        $IPTABLES -X no-conns-from-ppp0

        # reset the built-in policies so nothing is dropped once the rules are gone
        $IPTABLES -P FORWARD ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P INPUT ACCEPT
        echo "Firewall is down"

> >If what you mean is the latter, have you enabled forwarding
> >(echo 1 > /proc/sys/net/ipv4/ip_forward)?
> >Did you include the rule to enable masquerading?
> >$IPTABLES -t nat -A POSTROUTING -o ppp0 -s $NETWORK -j MASQUERADE
> 
> I'm not trying to use masquerading or NAT in my current setup.  Do I still 
> need to issue these commands?
> 
No, if you do not want to masquerade, you do not need either of the
above.

> As a sidenote, the reason I was playing with my firewalls and new kernel 
> upgrades is as follows: at school, I have a cablemodem which is shared through 
> an internal LAN, using my computer as the gateway machine.  I had everything 
> set up using ipchains and kernel 2.2.18 last semester.  When I go back to 
> school in the fall, I want to have my iptables-based firewall ready to go.  So 
> all my firewall rules applied to eth0 and eth1... there were no iptables rules 
> for ppp0.

I haven't tried it but there is an ipchains compatible mode in
iptables.  If enabled in the kernel it will allow you to use your old
ipchains rules.

I am also on the netfilter mailing list and have never seen anyone
post a problem like yours.  The real experts are there and if you
continue to have problems you might try there.  There is also a
debian-firewall list.
See netfilter.samba.org for the netfilter list.

Regards
Wayne
-- 
Everyone can be taught to sculpt: Michelangelo would have had to be
taught how __not to.  So it is with the great programmers.
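Wayne's advice above amounts to a procedure: flush every table, delete every user-defined chain, reset the built-in policies to ACCEPT, then list all tables to prove nothing is left behind. The script below is an added example that does this generically; it is not Wayne's /etc/init.d/firewall and was not part of the original thread. It assumes iptables at /sbin/iptables (override with the IPTABLES environment variable) and reads /proc/net/ip_tables_names to find the tables actually loaded, so the stop side never has to name a specific chain such as no-conns-from-ppp0 (iptables -X with no chain name deletes every user-defined chain in that table). The leftovers function parses the same "iptables -L -n -v" listing the reply recommends and counts rules, user chains, and non-ACCEPT policies. The two sample listings are constructed for the example, not captured from anyone's machine.

```shell
#!/bin/sh
# fw-teardown.sh (added example; not the original poster's script)
# Tears down every netfilter table and then verifies that nothing is left,
# so that a "stopped" firewall is really empty.
# Assumes iptables at $IPTABLES (default /sbin/iptables) and that
# /proc/net/ip_tables_names lists the tables currently loaded.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Tables actually present in the kernel; fall back to the classic three
# if the proc file is not readable (e.g. ip_tables module not loaded).
loaded_tables() {
    cat /proc/net/ip_tables_names 2>/dev/null || echo "filter nat mangle"
}

# Built-in chains whose policy must be reset to ACCEPT, per table.
builtin_chains() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      echo "" ;;
    esac
}

# Flush all chains, delete all user-defined chains (-X with no name),
# zero the counters, and reset every built-in policy to ACCEPT.
fw_down() {
    for t in $(loaded_tables); do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
        "$IPTABLES" -t "$t" -Z
        for c in $(builtin_chains "$t"); do
            "$IPTABLES" -t "$t" -P "$c" ACCEPT
        done
    done
}

# Reads "iptables -L -n -v" output on stdin and prints the number of
# things that should not survive a teardown: rule lines, user-defined
# chains, and built-in chains whose policy is not ACCEPT.
leftovers() {
    awk '
        /^Chain / {
            if ($0 ~ /\(policy /) { if ($4 != "ACCEPT") n++ }  # built-in, non-ACCEPT policy
            else n++                                            # user-defined chain
            next
        }
        /^ *pkts +bytes/ { next }   # column header line
        NF > 0 { n++ }              # anything else is a rule
        END { print n + 0 }
    '
}

# Sum of leftovers across every loaded table; 0 means the teardown worked.
fw_check() {
    for t in $(loaded_tables); do
        "$IPTABLES" -t "$t" -L -n -v | leftovers
    done | awk '{ s += $1 } END { print s + 0 }'
}

# Constructed sample of a half-flushed filter table: a DROP policy and a
# user-defined chain survived the stop script.
dirty_sample() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 1024 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 no-conns-from-ppp0  all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 2048 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain no-conns-from-ppp0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed sample of a properly emptied filter table.
clean_sample() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 1024 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34 packets, 2048 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

case "${1:-}" in
    down)  fw_down && echo "Firewall is down; leftovers: $(fw_check)" ;;
    check) echo "leftovers: $(fw_check)" ;;
    demo)  echo "dirty sample: $(dirty_sample | leftovers); clean sample: $(clean_sample | leftovers)" ;;
esac
```

Run "sh fw-teardown.sh down" as root to tear the firewall down and print how much survived (it should say 0); "check" only counts, and "demo" parses the two embedded samples without touching the kernel, which is a quick way to confirm the parser before trusting it on a live box.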