From: Jihoon Chung <difro@sexycoder.com>
To: Joel Newkirk <netfilter@newkirk.us>
Cc: netfilter@lists.netfilter.org
Subject: Re: icmp echo packets not masqueraded properly.
Date: Wed, 19 Mar 2003 12:47:51 +0900
Message-ID: <20030319034750.GA19265@morpheus>
In-Reply-To: <200303182222.44556.netfilter@newkirk.us>

Thanks for the reply.
On Tue, Mar 18, 2003 at 10:22:44PM -0500, Joel Newkirk wrote:
> >
> > And the Masquerading rule is:
> > `iptables -t filter -A FORWARD -j MASQUERADE`;
>
> I hope this is a mistype, and you're actually doing this in -t nat -A
> POSTROUTING? The MASQUERADE target is only valid in that chain.
Oops. Yes, it is a mistype. I meant -t nat.
>
> > The problem occurs when I'm pinging from the notebook (host inside the
> > firewall) to any host outside the firewall.
> >
> > When ppp0 dies and the default route gets changed to eth1 while
> > pinging from the notebook, the ping session is still masqueraded to
> > ppp0's IP address!!, even though the packets are routed through
> > eth1. (I found this by tcpdumping on eth1.)
> >
> > If I stop the ping on the notebook and wait 30 seconds and ping again,
> > it behaves fine.
>
> Is this ALL traffic, or just ICMP? Only if the pinging was already taking
> place as the route was changed?
Yes, just ICMP and only when the pinging was already taking place.
>
> There's a 30-second timeout, IIRC, on ICMP in conntrack. When MASQUERADE
> detects that a device is no longer available it is supposed to dump all
> conntrack entries associated with that device. It appears that it is
> not doing so, and the entries are simply expiring after timeout. Is
> device ppp0 still in the system, just not valid and not routed through?
> If so, you might try taking it down from your route-changing daemon.
Well, 'ip addr list' shows ppp0 but with no IP address.
I tried taking it down completely (it doesn't show in 'ip addr list', and no
pppd is running), but still the problem exists.
> > Is there any way I can make it behave without "stop-wait30sec"?
> >
> > (By the way, I searched in /proc and tried turning on
> > /proc/sys/net/ipv4/ip_dynaddr, but nothing changed.)
>
> That has to be enabled for the MASQUERADE target to work properly anyway.
>
> j
>
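The two concrete fixes raised in this exchange, as an added example that is not part of the thread: the MASQUERADE rule placed where it is actually valid (nat table, POSTROUTING chain, not filter/FORWARD), ip_dynaddr enabled, and a pppd ip-down hook that deletes the conntrack entries still NATed to the vanished ppp0 address so an in-flight ping is re-NATed on its next packet instead of lingering until the ICMP conntrack timeout. The hook relies on the conntrack(8) userspace tool from conntrack-tools, which postdates this 2003 thread and is an assumption here, as are the per-interface -o match and the /etc/ppp/ip-down install path. DRY_RUN=1 makes every function echo its command instead of executing it, so the script can be inspected without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables, sysctl and the
# conntrack(8) tool (conntrack-tools) are installed; pppd invokes
# /etc/ppp/ip-down as: ip-down <ifname> <tty> <speed> <local-ip> <remote-ip> <ipparam>

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Correct placement: MASQUERADE is only valid in the nat table's POSTROUTING
# chain. The -o match (assumed) keeps one rule per uplink (ppp0, eth1).
masquerade_rule() {
    run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

# ip_dynaddr must be on for MASQUERADE to track a changing dynamic address.
enable_dynaddr() {
    run sysctl -w net.ipv4.ip_dynaddr=1
}

# Sanity check for a candidate iptables command line: returns 0 unless it
# puts a MASQUERADE target anywhere other than -t nat / POSTROUTING.
check_masq_placement() {
    cmd="$1"
    case "$cmd" in
        *MASQUERADE*) ;;
        *) return 0 ;;   # not a MASQUERADE rule, nothing to check
    esac
    case "$cmd" in
        *"-t nat"*) ;;
        *) return 1 ;;   # wrong table (e.g. filter)
    esac
    case "$cmd" in
        *POSTROUTING*) return 0 ;;
        *) return 1 ;;   # wrong chain (e.g. FORWARD)
    esac
}

# ip-down hook body. For a masqueraded flow the reply tuple's destination is
# the masqueraded (ppp0) address, so deleting entries by --reply-dst removes
# exactly the flows that would otherwise keep using the dead address until
# conntrack times them out (about 30 s for ICMP, as discussed above).
flush_stale_nat() {
    ifname="$1"
    oldip="$4"
    [ -n "$oldip" ] || return 1
    run conntrack -D --reply-dst "$oldip"
}

# When installed as /etc/ppp/ip-down (assumed path) pppd passes the interface
# name as $1; when merely sourced, $1 is empty and nothing runs at top level.
case "${1:-}" in
    ppp[0-9]*) flush_stale_nat "$@" ;;
esac
```

Setup on the firewall would be `enable_dynaddr; masquerade_rule ppp0; masquerade_rule eth1`, with the script copied to /etc/ppp/ip-down (or called from the existing route-changing daemon) so the stale entries are dropped the moment ppp0 loses its address rather than after the timeout.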
Thread overview:
2003-03-18 7:32 icmp echo packets not masqueraded properly Jihoon Chung
2003-03-19 3:22 ` Joel Newkirk
2003-03-19 3:47 ` Jihoon Chung [this message]