Strange behaviour in iptables

Alexandre Strube surak at surak.eti.br
Wed Jan 14 20:49:51 UTC 2004


On Wed, 2004-01-14 at 15:47, Alexander Dalloz wrote:

> > I have a fedora machine acting as NAT router between a small network and
> > an adsl connection. Iptables is managing this. This has been working for some
> > time (redhat 8 -> redhat 9 -> fc1); I cannot even remember WHERE in the init
> > scripts this is configured.
> > 
> > The booting sequence is:
> > 
> > raises eth0
> > raises ppp0 (it auto-connects, gets ip, and so on)
> > web connection (my isp requires we access a web page for authentication
> > - I have a small script that automates this)
> > Dynamic ip.
> > For some days now (I don't know what was the exact update, as I don't
> > reboot very often - this machine keeps up for weeks), when I
> > reboot, iptables doesn't do NAT anymore. The only way to get it working
> > is doing a 'service iptables restart' and everything works again, which
> > makes me sure that iptables' nat config is ok.
> > 
> > Can someone help me with this? This is pretty annoying in these times of
> > 2.4 -> 2.6 transition (when I reboot quite often).
> > By the way, this behaviour is with 2.4.22.2140.
> For such things a look into the syslog file /var/log/messages is a good
> start.

Here is what /var/log/messages says during boot:
Jan 14 08:47:31 casa kernel: eth0: RealTek RTL8139 Fast Ethernet at 0xd8428000, 00:40:ca:99:f1:fe, IRQ 10
Jan 14 08:47:31 casa kernel: eth0: link up, 10Mbps, half-duplex, lpa 0x0000
Jan 14 08:47:31 casa kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jan 14 08:47:31 casa kernel: CSLIP: code copyright 1989 Regents of the University of California
Jan 14 08:47:31 casa kernel: PPP generic driver version 2.4.2
(...)
Jan 14 08:47:48 casa pppoe[3797]: Timeout waiting for PADO packets
Jan 14 08:47:48 casa pppd[3796]: Exit.
(...)
Jan 14 08:47:50 casa pppd[4214]: pppd 2.4.1 started by root, uid 0
Jan 14 08:47:50 casa pppd[4214]: Using interface ppp0
Jan 14 08:47:50 casa pppd[4214]: Connect: ppp0 <--> /dev/pts/1
Jan 14 08:47:50 casa pppoe[4215]: PPP session is 30307
Jan 14 08:47:50 casa pppd[4214]: local  IP address 200.164.21.238
Jan 14 08:47:50 casa pppd[4214]: remote IP address 200.217.127.41
Jan 14 08:47:50 casa pppd[4214]: primary   DNS address 200.149.55.140
Jan 14 08:47:50 casa pppd[4214]: secondary DNS address 200.165.132.147

Until then, no nat (it was connected anyway).
Then, iptables restart and:
Jan 14 09:10:24 casa iptables:  succeeded
Jan 14 09:10:24 casa last message repeated 2 times
Jan 14 09:10:24 casa kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jan 14 09:10:24 casa kernel: ip_conntrack version 2.1 (3008 buckets, 24064 max) - 292 bytes per conntrack

> You should first find out where exactly your NAT is set up. I guess it
> is configured in /etc/sysconfig/iptables as a service restart of
> iptables is successful.

Yes, it is.

The relevant part of it is:

*filter
(close everything, opens what I want, etc)
COMMIT
# Completed on Sat Jun 28 18:25:27 2003
# Generated by iptables-save v1.2.7a on Sat Jun 28 18:25:27 2003
*nat
:PREROUTING ACCEPT [2305:120747]
:POSTROUTING ACCEPT [172:10464]
:OUTPUT ACCEPT [180:10962]
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Sat Jun 28 18:25:27 2003

This first commit may be the culprit. But this does not explain why it
worked until now, and why it works after a restart and not before.

> Do you see iptables service start failing on bootup? You need to boot
> with details at least or better without rhgb.

Yes, it loads ok.

> Maybe the needed iptables kernel modules are not loaded ok at boot time.
> All just guesses as there is no self investigation information in your
> mail.

The weird thing is, no changes were made to this - as you can see, since June
28 2003... I'm still confused.

-- 
[]s

Alexandre Ganso
red 500 FOUR - Director, Steel Goose Moto Group
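A small lint for the /etc/sysconfig/iptables excerpt quoted above, added here as an example and not part of the thread: it parses iptables-save format, checks that every table block reaches its COMMIT, flags the repeated DNAT and MASQUERADE rules, and confirms the nat table carries the MASQUERADE rule for the uplink. The sample dump is constructed from the excerpt (two iptables-save runs pasted together); the filter rule in it is a placeholder.

```python
from collections import Counter

# Constructed sample modelled on the /etc/sysconfig/iptables excerpt above:
# two iptables-save runs pasted together, with the nat rules duplicated.
SAMPLE = """\
*filter
-A INPUT -i lo -j ACCEPT
COMMIT
# Generated by iptables-save v1.2.7a on Sat Jun 28 18:25:27 2003
*nat
:POSTROUTING ACCEPT [172:10464]
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

def parse_tables(text):
    """Map each *table to its rule lines and whether it was COMMITted."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(":"):
            continue  # comments, blank lines and chain policies carry no rules
        if line.startswith("*"):
            current = line[1:]
            tables[current] = {"rules": [], "committed": False}
        elif current is None:
            raise ValueError(f"rule outside any table: {line}")
        elif line == "COMMIT":
            tables[current]["committed"] = True
        else:
            tables[current]["rules"].append(line)
    return tables

def lint(text, uplink="ppp0"):
    """Return findings as strings; an empty list means the dump looks sane."""
    findings, tables = [], parse_tables(text)
    for name, t in tables.items():
        if not t["committed"]:
            findings.append(f"{name}: no COMMIT, iptables-restore would not apply it")
        for rule, n in Counter(t["rules"]).items():
            if n > 1:
                findings.append(f"{name}: rule repeated {n}x: {rule}")
    nat = tables.get("nat")
    if nat is None:
        findings.append("nat: table absent, no NAT would be installed")
    elif f"-A POSTROUTING -o {uplink} -j MASQUERADE" not in nat["rules"]:
        findings.append(f"nat: no MASQUERADE rule for {uplink}")
    return findings
```

Run it against the live ruleset with `iptables-save | python3 -c 'import sys; ...'` style input to compare what is actually loaded after boot with what the file says should be.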

More information about the fedora-list mailing list