Re: Demand PPP

To: debian-user <debian-user@lists.debian.org>
Subject: Re: Demand PPP
From: Donald Spoon <dspoon@astcomm.net>
Date: Wed, 05 Feb 2003 12:49:42 -0600
Message-id: <[🔎] 3E415CC6.7080508@astcomm.net>
Reply-to: dspoon@astcomm.net
In-reply-to: <[🔎] 20030205175041.GB10893@rkrjrdn.homelinux.net>
References: <[🔎] 20030204164744.GB632@rkrjrdn.homelinux.net> <[🔎] 200302051203.08731.michael.wardle@adacel.com> <[🔎] 20030205114140.GA10893@rkrjrdn.homelinux.net> <[🔎] 20030205175041.GB10893@rkrjrdn.homelinux.net>

David Raeker-Jordan wrote:

I am using iptables and ipmasq; might that be preventing pppd from dialing
out? I got ipmasq working, but I am not very conversant with it.



To answer my own question -- yes, ipmasq was preventing pppd from dialing

out in demand mode. If I turn ipmasq off, then pppd will dial out on demand.

Now I just need to determine what rule in ipmasq is causing the problem.

Has anyone who has seen this before have any advice?

I can't answer your question directly, since I don't have your completeIPMASQ ruleset to look at, and I probably couldn't "read" it anyway (Iam not an IPTABLES/IPCHAINS guru). Maybe this will help you solve yourproblem, though.

One thing to consider when writing rules for Firewalling and IPMASQ isthe fact that the ppp0 (dial out) interface doesn't exist on the systemuntil you actually dial-out and make a connection. It is quitetransient. Most of the rulesets I have seen are based on forwardingbetween interfaces, hence any rule that forwards/masqs to the ppp0interface will fail if the interface doesn't exist! The key here is toestablish the connection then run the rule... in that order. There isno need for IPMASQ (normally) until you make the ppp0 connection, sothere isn't really any need to run the IPMASQ rule until after theinterface comes up.

This is essentially what you have found out.. the only thing missing isto establish the IPMASQ "rule" after the ppp0 interface is establishedYou can do this with a script that re-runs (updates) the existing"rules" located in the /etc/ppp/ip-up.d/ directory. All of the scriptsin this directory are run in cannonical order (whatever that means)after the link comes up. Of course, you can also do this manually fromthe command line...if you want (for testing purposes???).

Most packages I have seen that do FIREWALLING also include thecapability to do IPMASQ. That is the way I have done it here forseveral years. I am currently using the "Firestarter" firewall, and itworks quite nicely on iptables found in the 2.4.XX kernels. I also usedthe "PMFirewall" package on the ipchains found in the 2.2.XX kernels.There are LOTS of these programs available, and each one has itsadvantages and disadvantages. I would advise using one of these typepackages and placing the calling script in /etc/ppp/ip-up.d/ direcory ona ppp dial-out connection. This is the most painless way I have foundto get up & running so-far. If you are "rolling your own" foreducational purposes, then just take the above into account in your design.


HTH,

-Don Spoon-

Reply to:

Follow-Ups:
- Re: Demand PPP
  - From: John Hasler <john@dhh.gt.org>

References:
- Demand PPP
  - From: David Raeker-Jordan <rkrjrdn@epix.net>
- Re: Demand PPP
  - From: Michael Wardle <michael.wardle@adacel.com>
- Re: Demand PPP
  - From: David Raeker-Jordan <rkrjrdn@epix.net>
- Re: Demand PPP
  - From: David Raeker-Jordan <rkrjrdn@epix.net>

Prev by Date: no PPP after Kernel Compile
Next by Date: RE: DVD - driving me crazy...
Previous by thread: Re: Demand PPP
Next by thread: Re: Demand PPP
Index(es):
- Date
- Thread