* Can't share ppp internet connection
@ 2011-08-20 20:40 Vinicius Massuchetto
  2011-08-21  8:51 ` Vinicius Massuchetto
  2011-08-21 10:00 ` Pandu Poluan
  0 siblings, 2 replies; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-20 20:40 UTC (permalink / raw)
  To: Netfilter

I had this configuration before, and it used to work well, but now I
got a new server and I can't set it up to share the internet connection
from ppp0.

The client connects directly on eth0 through a dhcp server, and it can
get an IP just fine. The problem seems only to appear when I set this
rule:
`iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE`

Just after that, the client won't be able to receive an IP from the
server anymore. Here's the configuration files:

The /etc/dhcp/dhcpd.conf file:
---
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    option domain-name "onix";
    range 192.168.0.2 192.168.0.10;
    option domain-name-servers 201.10.120.2, 201.10.128.2;
    option broadcast-address 192.168.0.1;
    option ip-forwarding on;
}
---

The connection script:
---
#!/bin/bash

/sbin/ifconfig eth0 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.1
/etc/init.d/isc-dhcp-server stop
/etc/init.d/isc-dhcp-server start

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT

echo 1 > /proc/sys/net/ipv4/ip_forward
---

After the problem appears I ran tcpdump on the eth interfaces of both the
client and the server while the client sends DHCPDISCOVER:

Client tcpdump:
---
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:32:10.848029 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:16.000175 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:30.004579 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:37.005508 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:49.007886 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:56.000168 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
---

Server tcpdump:
---
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:32:10.533386 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:10.536878 ARP, Request who-has 192.168.0.2 tell onix.local, length 28
17:32:10.634525 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:10.634596 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:11.000641 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP, Reply, length 300
17:32:11.535919 ARP, Request who-has 192.168.0.2 tell onix.local, length 28
17:32:11.635959 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:11.636049 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:12.535882 ARP, Request who-has 192.168.0.2 tell onix.local, length 28
17:32:13.638404 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:13.638488 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:15.636359 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:15.636444 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:15.685847 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:15.686038 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP, Reply, length 300
17:32:16.637294 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:16.637362 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:18.638762 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:18.638856 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 0.0.0.0.in-addr.arpa. (38)
17:32:20.639711 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:20.639797 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:21.641098 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:21.641193 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:23.642208 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:23.642301 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 2.0.168.192.in-addr.arpa. (42)
17:32:25.642116 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 1.0.168.192.in-addr.arpa. (42)
17:32:25.642198 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 1.0.168.192.in-addr.arpa. (42)
17:32:25.642272 IP onix.local.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/0 (Cache flush) PTR onix.local. (60)
17:32:25.743060 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:25.743136 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:26.743316 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:26.743409 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:28.744853 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:28.744955 IP onix.local.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 251.0.0.224.in-addr.arpa. (42)
17:32:36.692468 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:36.692678 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP, Reply, length 300
17:32:48.695611 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:48.695863 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP, Reply, length 300
17:32:55.688296 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:55.688546 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP, Reply, length 300
^C
40 packets captured
42 packets received by filter
2 packets dropped by kernel
---

Please let me know about any other info that I can provide.
Thanks.
-- 
Vinicius Massuchetto
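The two captures above already contain the most useful fact in the thread: the server's own eth0 capture shows a BOOTP/DHCP Reply after every Request, while the client's capture shows only its own Requests. The following is an added example, not code from the original post, that extracts exactly that from tcpdump summary output. It re-joins lines a mail client wrapped, keeps only the BOOTP/DHCP records, and compares the two capture points; the sample input is a subset of the thread's captures (mDNS and ARP noise left in on purpose), and the verdict labels are this example's own.

```python
"""Correlate the DHCP exchange in two tcpdump captures (client and server).

Added example for this thread, not code from the original post. It re-joins
tcpdump summary lines that a mail client wrapped, keeps only the BOOTP/DHCP
records and compares what each capture point saw. The sample input is a
subset of the thread's captures; the verdict labels are this example's own.
"""
import re
from collections import Counter

TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
# tcpdump without -n prints UDP/67 as 'bootps' and UDP/68 as 'bootpc'.
DHCP = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>bootp[cs]|6[78]) > "
    r"(?P<dst>\S+)\.(?P<dport>bootp[cs]|6[78]): BOOTP/DHCP, (?P<kind>Request|Reply)"
)

REQUESTS_NEVER_REACH_SERVER = "requests-never-reach-server"
SERVER_NEVER_REPLIES = "server-never-replies"
REPLIES_LOST_BEFORE_CLIENT = "replies-leave-server-but-never-reach-client"
REPLIES_REACH_CLIENT = "replies-reach-client"


def join_wrapped(text):
    """Glue continuation lines (no leading timestamp) back onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def dhcp_messages(text):
    """Parsed BOOTP/DHCP records of one capture, in capture order."""
    return [m.groupdict() for m in map(DHCP.match, join_wrapped(text)) if m]


def diagnose(client_capture, server_capture):
    """Say at which hop the exchange breaks down.

    Outgoing packets reach tcpdump after netfilter's OUTPUT and POSTROUTING
    hooks, so a reply present in the server's own capture has already passed
    its filter and NAT rules; if the client never sees it, look below IP.
    """
    c_kinds = Counter(m["kind"] for m in dhcp_messages(client_capture))
    server = dhcp_messages(server_capture)
    s_kinds = Counter(m["kind"] for m in server)
    reply_dst = Counter(
        "broadcast" if m["dst"] == "255.255.255.255" else "unicast"
        for m in server if m["kind"] == "Reply"
    )
    if s_kinds["Request"] == 0:
        verdict = REQUESTS_NEVER_REACH_SERVER
    elif s_kinds["Reply"] == 0:
        verdict = SERVER_NEVER_REPLIES
    elif c_kinds["Reply"] == 0:
        verdict = REPLIES_LOST_BEFORE_CLIENT
    else:
        verdict = REPLIES_REACH_CLIENT
    return {
        "client": dict(c_kinds),
        "server": dict(s_kinds),
        "server_reply_destinations": dict(reply_dst),
        "verdict": verdict,
    }


# Constructed sample: a subset of the thread's captures, wrapped as in the mail.
CLIENT_CAPTURE = """\
17:32:10.848029 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:16.000175 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:30.004579 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
"""

SERVER_CAPTURE = """\
17:32:10.533386 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:10.536878 ARP, Request who-has 192.168.0.2 tell onix.local, length 28
17:32:10.634525 IP6 fe80::f24d:a2ff:fed9:35c.mdns > ff02::fb.mdns: 0
PTR (QM)? 255.255.255.255.in-addr.arpa. (46)
17:32:11.000641 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP,
Reply, length 300
17:32:15.685847 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:15.686038 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP,
Reply, length 300
17:32:36.692468 IP 0.0.0.0.bootpc > 255.255.255.255.bootps:
BOOTP/DHCP, Request from 00:16:36:96:2b:15 (oui Unknown), length 300
17:32:36.692678 IP onix.local.bootps > 192.168.0.2.bootpc: BOOTP/DHCP,
Reply, length 300
"""

if __name__ == "__main__":
    print(diagnose(CLIENT_CAPTURE, SERVER_CAPTURE))
```

On the thread's captures the verdict is that replies leave the server but never reach the client. Because tcpdump sees outgoing packets only after the OUTPUT and POSTROUTING hooks, a reply in the server's capture has already cleared iptables, which narrows the search to the NIC driver or the link before touching any rule. The example also records that every reply is unicast to 192.168.0.2; that is normal for dhcpd, but worth noticing alongside the unanswered ARP requests for that address in the same capture.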


* Re: Can't share ppp internet connection
  2011-08-20 20:40 Can't share ppp internet connection Vinicius Massuchetto
@ 2011-08-21  8:51 ` Vinicius Massuchetto
  2011-08-21  9:09   ` Jan Engelhardt
  2011-08-21 11:40   ` fuzzy_4711
  2011-08-21 10:00 ` Pandu Poluan
  1 sibling, 2 replies; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-21  8:51 UTC (permalink / raw)
  To: Netfilter

2011/8/20 Vinicius Massuchetto <viniciusmassuchetto@gmail.com>:
> I had this configuration before, and it used to work well, but now I
> got a new server and I can't setup it to share the internet connection
> from ppp0.
>
> The client connects directly on eth0 through a dhcp server, and it can
> get an IP just fine. The problem seems only to appear when I set this
> rule:
> `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE`
>
> Just after that, the client won't be able to receive an IP from the
> server anymore. Here's the configuration files:
> [...]

Client's syslog:

Aug 21 04:52:13 amendoa dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Aug 21 04:52:20 amendoa dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Aug 21 04:52:41 amendoa dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
Aug 21 04:52:44 amendoa dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7
Aug 21 04:52:51 amendoa dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 13

Server's syslog:

Aug 21 04:52:13 onix dhcpd: DHCPREQUEST for 192.168.0.2 from 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:13 onix dhcpd: DHCPACK on 192.168.0.2 to 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:20 onix dhcpd: DHCPREQUEST for 192.168.0.2 from 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:20 onix dhcpd: DHCPACK on 192.168.0.2 to 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:41 onix dhcpd: DHCPDISCOVER from 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:41 onix dhcpd: DHCPOFFER on 192.168.0.2 to 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:44 onix dhcpd: DHCPDISCOVER from 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:44 onix dhcpd: DHCPOFFER on 192.168.0.2 to 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:51 onix dhcpd: DHCPDISCOVER from 00:16:36:96:2b:15 (amendoa) via eth0
Aug 21 04:52:51 onix dhcpd: DHCPOFFER on 192.168.0.2 to 00:16:36:96:2b:15 (amendoa) via eth0

Thanks.
-- 
Vinicius Massuchetto


* Re: Can't share ppp internet connection
  2011-08-21  8:51 ` Vinicius Massuchetto
@ 2011-08-21  9:09   ` Jan Engelhardt
  2011-08-21  9:28     ` Vinicius Massuchetto
  2011-08-21 11:40   ` fuzzy_4711
  1 sibling, 1 reply; 12+ messages in thread
From: Jan Engelhardt @ 2011-08-21  9:09 UTC (permalink / raw)
  To: Vinicius Massuchetto; +Cc: Netfilter


On Sunday 2011-08-21 10:51, Vinicius Massuchetto wrote:
>2011/8/20 Vinicius Massuchetto <viniciusmassuchetto@gmail.com>:
>> I had this configuration before, and it used to work well, but now I
>> got a new server and I can't setup it to share the internet connection
>> from ppp0.
>>
>> The client connects directly on eth0 through a dhcp server, and it can
>> get an IP just fine. The problem seems only to appear when I set this
>> rule:
>> `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE`
>>
>> Just after that, the client won't be able to receive an IP from the
>> server anymore. Here's the configuration files:
>
>Aug 21 04:52:13 onix dhcpd: DHCPREQUEST for 192.168.0.2 from
>00:16:36:96:2b:15 (amendoa) via eth0
>Aug 21 04:52:13 onix dhcpd: DHCPACK on 192.168.0.2 to
>00:16:36:96:2b:15 (amendoa) via eth0

Random thoughts
- rp_filter interfering
- having 192.168.0.0/24 on ppp0, colliding with eth0


* Re: Can't share ppp internet connection
  2011-08-21  9:09   ` Jan Engelhardt
@ 2011-08-21  9:28     ` Vinicius Massuchetto
  0 siblings, 0 replies; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-21  9:28 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter

2011/8/21 Jan Engelhardt <jengelh@medozas.de>:
>
> On Sunday 2011-08-21 10:51, Vinicius Massuchetto wrote:
>>2011/8/20 Vinicius Massuchetto <viniciusmassuchetto@gmail.com>:
>>> I had this configuration before, and it used to work well, but now I
>>> got a new server and I can't setup it to share the internet connection
>>> from ppp0.
>>>
>>> The client connects directly on eth0 through a dhcp server, and it can
>>> get an IP just fine. The problem seems only to appear when I set this
>>> rule:
>>> `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE`
>>>
>>> Just after that, the client won't be able to receive an IP from the
>>> server anymore. Here's the configuration files:
>>
>>Aug 21 04:52:13 onix dhcpd: DHCPREQUEST for 192.168.0.2 from
>>00:16:36:96:2b:15 (amendoa) via eth0
>>Aug 21 04:52:13 onix dhcpd: DHCPACK on 192.168.0.2 to
>>00:16:36:96:2b:15 (amendoa) via eth0
>
> Random thoughts
> - rp_filter interfering

Running `sysctl -w net.ipv4.conf.eth0.rp_filter=0` seems not to change anything.

> - having 192.168.0.0/24 on ppp0, colliding with eth0

Not sure if this is enough, but the ppp0 is not on the 192.168.*.* range.
$ ifconfig ppp0
          Link encap:Point-to-Point Protocol
          inet addr:187.53.115.31  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:62495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:86031897 (82.0 MiB)  TX bytes:3378602 (3.2 MiB)

Thanks for helping.
-- 
Vinicius Massuchetto


* Re: Can't share ppp internet connection
  2011-08-20 20:40 Can't share ppp internet connection Vinicius Massuchetto
  2011-08-21  8:51 ` Vinicius Massuchetto
@ 2011-08-21 10:00 ` Pandu Poluan
  2011-08-21 10:14   ` Vinicius Massuchetto
  1 sibling, 1 reply; 12+ messages in thread
From: Pandu Poluan @ 2011-08-21 10:00 UTC (permalink / raw)
  To: Vinicius Massuchetto, Netfilter

Just a hunch; do this:

iptables -t nat -I POSTROUTING -p udp --dport $DHCP_SRV_PORT -j ACCEPT

(sorry, for some unknown reason, I can't open any web site;
$DHCP_SRV_PORT should be 67 or 68, I forgot which)

In effect, the above rule causes DHCP packets going to the DHCP server
to bypass the MASQUERADE target.

Rgds,

On 2011-08-21, Vinicius Massuchetto <viniciusmassuchetto@gmail.com> wrote:
> I had this configuration before, and it used to work well, but now I
> got a new server and I can't setup it to share the internet connection
> from ppp0.
>
> The client connects directly on eth0 through a dhcp server, and it can
> get an IP just fine. The problem seems only to appear when I set this
> rule:
> `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE`
>
> Just after that, the client won't be able to receive an IP from the
> server anymore. Here's the configuration files:
> [...]


-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


* Re: Can't share ppp internet connection
  2011-08-21 10:00 ` Pandu Poluan
@ 2011-08-21 10:14   ` Vinicius Massuchetto
  2011-08-21 11:40     ` Pandu Poluan
  0 siblings, 1 reply; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-21 10:14 UTC (permalink / raw)
  To: Pandu Poluan; +Cc: Netfilter

2011/8/21 Pandu Poluan <pandu@poluan.info>:
> Just a hunch; do this:
>
> iptables -t nat -I POSTROUTING -p udp --dport $DHCP_SRV_PORT -j ACCEPT
>
> (sorry, for some unknown reason, I can't open any web site;
> $DHCP_SRV_PORT should be 67 or 68, I forgot which)

According to the logs, the requests come in port 67.

> In effect, the above rule causes DHCP packets going to the DHCP server
> to bypass the MASQUERADE target.

Running this after the script has no effect on this behavior:
iptables -t nat -I POSTROUTING -p udp --dport 67 -j ACCEPT

Thanks for the tip.
-- 
Vinicius Massuchetto


* Re: Can't share ppp internet connection
  2011-08-21 10:14   ` Vinicius Massuchetto
@ 2011-08-21 11:40     ` Pandu Poluan
  2011-08-21 11:49       ` fuzzy_4711
  2011-08-22  0:17       ` Vinicius Massuchetto
  0 siblings, 2 replies; 12+ messages in thread
From: Pandu Poluan @ 2011-08-21 11:40 UTC (permalink / raw)
  To: Vinicius Massuchetto, Netfilter

(sorry for top posting; Gmail mobile java client sucks)

No, it should be port 68 (got my web access, I can now verify the number).

We want all packets *outgoing* of the box *destined* for port 68 (DHCP
server's listening port) to bypass NAT.

Rgds,


On 2011-08-21, Vinicius Massuchetto <viniciusmassuchetto@gmail.com> wrote:
> 2011/8/21 Pandu Poluan <pandu@poluan.info>:
>> Just a hunch; do this:
>>
>> iptables -t nat -I POSTROUTING -p udp --dport $DHCP_SRV_PORT -j ACCEPT
>>
>> (sorry, for some unknown reason, I can't open any web site;
>> $DHCP_SRV_PORT should be 67 or 68, I forgot which)
>
> According to the logs, the requests come in port 67.
>
>> In effect, the above rule causes DHCP packets going to the DHCP server
>> to bypass the MASQUERADE target.
>
> Running this after the script has no effect in this behavior.
> iptables -t nat -I POSTROUTING -p udp --dport 67 -j ACCEPT
>
> Thanks for the tip.
> --
> Vinicius Massuchetto
>


-- 
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


* Re: Can't share ppp internet connection
  2011-08-21  8:51 ` Vinicius Massuchetto
  2011-08-21  9:09   ` Jan Engelhardt
@ 2011-08-21 11:40   ` fuzzy_4711
  2011-08-22  0:16     ` Vinicius Massuchetto
  1 sibling, 1 reply; 12+ messages in thread
From: fuzzy_4711 @ 2011-08-21 11:40 UTC (permalink / raw)
  To: Vinicius Massuchetto, Netfilter



-------- Original - Text --------

> subnet 192.168.0.0 netmask 255.255.255.0 {
>    option routers 192.168.0.1;
>    option domain-name "onix";
>    range 192.168.0.2 192.168.0.10;
>    option domain-name-servers 201.10.120.2, 201.10.128.2;
>    option broadcast-address 192.168.0.1;
>    option ip-forwarding on;
> }

You are using IP 192.168.0.1 for 2 purposes:
a) router
b) broadcast

-fuz



* Re: Can't share ppp internet connection
  2011-08-21 11:40     ` Pandu Poluan
@ 2011-08-21 11:49       ` fuzzy_4711
  2011-08-22  0:17       ` Vinicius Massuchetto
  1 sibling, 0 replies; 12+ messages in thread
From: fuzzy_4711 @ 2011-08-21 11:49 UTC (permalink / raw)
  To: Netfilter




> No, it should be port 68 (got my web access, I can now verify the number).

2 ports:

@68 the client is receiving packets,
@67 the server is listening

-fuz




* Re: Can't share ppp internet connection
  2011-08-21 11:40   ` fuzzy_4711
@ 2011-08-22  0:16     ` Vinicius Massuchetto
  0 siblings, 0 replies; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-22  0:16 UTC (permalink / raw)
  To: fuzzy_4711; +Cc: Netfilter

2011/8/21 fuzzy_4711 <fuzzy_4711@gmx.de>:
>
>
> -------- Original - Text --------
>
>> subnet 192.168.0.0 netmask 255.255.255.0 {
>>    option routers 192.168.0.1;
>>    option domain-name "onix";
>>    range 192.168.0.2 192.168.0.10;
>>    option domain-name-servers 201.10.120.2, 201.10.128.2;
>>    option broadcast-address 192.168.0.1;
>>    option ip-forwarding on;
>> }
>
> You are using IP 192.168.0.1 for 2 purposes:
> a) router
> b) broadcast

That was wrong. I already removed the broadcast entry for interfaces
and dhcp configuration. Same results.

Thanks.
-- 
Vinicius Massuchetto


* Re: Can't share ppp internet connection
  2011-08-21 11:40     ` Pandu Poluan
  2011-08-21 11:49       ` fuzzy_4711
@ 2011-08-22  0:17       ` Vinicius Massuchetto
  2011-08-22 11:27         ` Vinicius Massuchetto
  1 sibling, 1 reply; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-22  0:17 UTC (permalink / raw)
  To: Pandu Poluan; +Cc: Netfilter

2011/8/21 Pandu Poluan <pandu@poluan.info>:
> (sorry for top posting; Gmail mobile java client sucks)
>
> No, it should be port 68 (got my web access, I can now verify the number).
>
> We want all packets *outgoing* of the box *destined* for port 68 (DHCP
> server's listening port) to bypass NAT.

I ran the command line you showed me for both ports. Got the same results, too.

-- 
Vinicius Massuchetto
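Neither bypass rule could have changed anything, and a small model of the chain shows why. This is an added example, not code from the thread or from iptables itself: it parses the posted nat POSTROUTING commands and walks the rules in chain order for two constructed packets, the reply dhcpd sends out eth0 to UDP/68 and a LAN client's TCP connection forwarded out ppp0. It models only what the thread uses (-A/-I ordering, -o, -p, --dport, first-match and the nat table's default ACCEPT policy); the client's broadcast DHCPDISCOVER is delivered locally and never traverses POSTROUTING, so it is not modelled.

```python
"""Walk the nat POSTROUTING rules from the thread for a few packets.

Added example; not code from the thread or from iptables. It models only
what the thread uses: -A/-I ordering, -o, -p, --dport, first-match semantics
and the nat table's ACCEPT policy. The packets below are constructed.
"""
import shlex

POSTED_SCRIPT = ["iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE"]
BYPASS_67 = "iptables -t nat -I POSTROUTING -p udp --dport 67 -j ACCEPT"
BYPASS_68 = "iptables -t nat -I POSTROUTING -p udp --dport 68 -j ACCEPT"

# Constructed packets as seen at POSTROUTING, i.e. after the routing decision.
DHCP_REPLY = {"out": "eth0", "proto": "udp", "dport": 68}  # dhcpd -> client
CLIENT_WEB = {"out": "ppp0", "proto": "tcp", "dport": 80}  # forwarded LAN client


def parse_rule(command):
    """Turn one 'iptables -t nat ...' command into a match/target dict."""
    toks = shlex.split(command)
    rule = {"insert": False, "out": None, "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "iptables":
            i += 1
            continue
        if i + 1 >= len(toks):
            raise ValueError("option without value: " + tok)
        value = toks[i + 1]
        if tok in ("-A", "-I"):
            rule["insert"] = tok == "-I"
            rule["chain"] = value
        elif tok == "-t":
            rule["table"] = value
        elif tok == "-o":
            rule["out"] = value
        elif tok == "-p":
            rule["proto"] = value
        elif tok == "--dport":
            rule["dport"] = int(value)
        elif tok == "-j":
            rule["target"] = value
        else:
            raise ValueError("option not modelled: " + tok)
        i += 2
    if rule.get("table") != "nat" or rule.get("chain") != "POSTROUTING":
        raise ValueError("only nat/POSTROUTING is modelled")
    return rule


def build_chain(commands):
    """Apply the commands in order; -I without a position inserts at the top."""
    chain = []
    for command in commands:
        rule = parse_rule(command)
        if rule["insert"]:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def matches(rule, pkt):
    return (
        (rule["out"] is None or rule["out"] == pkt["out"])
        and (rule["proto"] is None or rule["proto"] == pkt["proto"])
        and (rule["dport"] is None or rule["dport"] == pkt["dport"])
    )


def verdict(chain, pkt):
    """(rule index, target) of the first matching rule, else (None, 'ACCEPT')."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return index, rule["target"]
    return None, "ACCEPT"  # chain policy; 'iptables -t nat -F' leaves it alone


def compare():
    """Same packets against the posted chain and the chain with the bypass rule."""
    posted = build_chain(POSTED_SCRIPT)
    with_bypass = build_chain(POSTED_SCRIPT + [BYPASS_68])
    return {
        "dhcp_reply/posted": verdict(posted, DHCP_REPLY),
        "dhcp_reply/bypass": verdict(with_bypass, DHCP_REPLY),
        "client_web/posted": verdict(posted, CLIENT_WEB),
        "client_web/bypass": verdict(with_bypass, CLIENT_WEB),
    }


if __name__ == "__main__":
    for name, (index, target) in compare().items():
        print(f"{name:18s} rule={index} -> {target}")
```

The DHCP reply ends in ACCEPT with or without the bypass rule: the MASQUERADE rule is qualified with -o ppp0, so a packet leaving eth0 never reaches it, and inserting an ACCEPT in front of it only changes which rule the packet stops at, not the outcome. The same holds for the --dport 67 variant, which the reply (destined for port 68) does not match at all. The posted rules were never in the DHCP path, which is consistent with the cause reported at the end of the thread.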


* Re: Can't share ppp internet connection
  2011-08-22  0:17       ` Vinicius Massuchetto
@ 2011-08-22 11:27         ` Vinicius Massuchetto
  0 siblings, 0 replies; 12+ messages in thread
From: Vinicius Massuchetto @ 2011-08-22 11:27 UTC (permalink / raw)
  To: Pandu Poluan; +Cc: Netfilter

As I said, this configuration "was working before". The new server I'm
working on has the following ethernet card:

13:00.0 Ethernet controller: Atheros Communications AR8152 v2.0 Fast
Ethernet (rev c1)

After testing things again and again experiencing this odd network
behavior, I didn't realize that my kernel version was really old:
2.6.32. This kernel version has a Debian bug [1] that describes
exactly what was happening. All I had to do was upgrade to 3.0.0, that
has a fixed driver for AR8152. Everything works fine now.

I'm really sorry for the inconvenience, as I should have had my system
up to date before saying "I'm using that distro version".

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610474

Thanks everyone for helping.
-- 
Vinicius Massuchetto

