* icmp echo packets not masqueraded properly.
From: Jihoon Chung @ 2003-03-18 7:32 UTC (permalink / raw)
To: netfilter
I have two lines going out to the internet from the firewall machine.
One is ADSL (say, ppp0) and the other is a cable modem (eth1).
My notebook is connected to eth2 and is running Windows 2000.
I use ppp0 as primary line and cable modem as backup.
So when ppp0 is connected, 'ip route show | tail -1' shows the following:
default via 1.1.1.1 dev ppp0
and when ppp0 goes down, 'ip route show | tail -1' shows the following:
default via 2.2.2.2 dev eth1
(I've written a small daemon which detects the status of ppp0 and changes the
default route accordingly, and this calls 'ip route flush cache'
every time it changes routes.)
And the Masquerading rule is:
`iptables -t filter -A FORWARD -j MASQUERADE`;
The problem occurs when I'm pinging from the notebook (host inside the
firewall) to any host outside the firewall.
When ppp0 dies and the default route gets changed to eth1 while pinging
from the notebook, the ping session is still masqueraded to ppp0's IP
address!!, even though the packets are routed through eth1.
(I found this by tcpdumping on eth1.)
If I stop the ping on the notebook and wait 30 seconds and ping again,
it behaves fine.
Is there any way I can make it behave without "stop-wait30sec"?
(By the way, I searched in /proc and tried turning on
/proc/sys/net/ipv4/ip_dynaddr, but nothing changed.)
* Re: icmp echo packets not masqueraded properly.
From: Joel Newkirk @ 2003-03-19 3:22 UTC (permalink / raw)
To: Jihoon Chung, netfilter
No answers, just questions and thoughts...
On Tuesday 18 March 2003 02:32 am, Jihoon Chung wrote:
> (I've written a small daemon which detects the status of ppp0 and changes
> the default route accordingly, and this calls 'ip route flush cache'
> every time it changes routes.)
>
> And the Masquerading rule is:
> `iptables -t filter -A FORWARD -j MASQUERADE`;
I hope this is a mistype, and you're actually doing this in -t nat -A
POSTROUTING? The MASQUERADE target is only valid in that chain.
> The problem occurs when I'm pinging from the notebook (host inside the
> firewall) to any host outside the firewall.
>
> When ppp0 dies and the default-route gets changed to eth1 while
> pinging from the notebook, the ping session is still masqueraded to
> ppp0's ip address !! , even though the packets are routed through
> eth1. (I found this by tcpdumping on eth1)
>
> If I stop the ping on the notebook and wait 30 seconds and ping again,
> it behaves fine.
Is this ALL traffic, or just ICMP? Only if the pinging was already taking
place as the route was changed?
There's a 30-second timeout, IIRC, on ICMP in conntrack. When MASQUERADE
detects that a device is no longer available it is supposed to dump all
conntrack entries associated with that device. It appears that it is
not doing so, and the entries are simply expiring after timeout. Is
device ppp0 still in the system, just not valid and not routed through?
If so, you might try taking it down from your route-changing daemon.
> Is there anyway I can make it behave without "stop-wait30sec" ?
>
> (by the way , I searched in /proc and tried turning on
> /proc/sys/net/ipv4/ip_dynaddr , but nothing changed.)
That has to be enabled for the MASQUERADE target to work properly anyway.
j
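The two points raised in this reply (MASQUERADE belongs in the nat table's POSTROUTING chain, and the conntrack entries bound to ppp0's address are not being dropped when the route moves, so they linger until the ICMP timeout) can be turned into a concrete failover script. The following is an added example written for this page, not code from either poster. It assumes iproute2 `ip`, iptables, and the conntrack-tools `conntrack` binary (which postdates this 2003 thread; on a 2.4 kernel the same src=/dst= dump format is readable from /proc/net/ip_conntrack, and the parser below works on either). Interface names and gateways follow the original post; the addresses in the sample dump are constructed.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): a route-failover
# daemon that also drops the conntrack entries still NATed to the old egress
# address. Assumes iproute2 'ip', iptables and conntrack-tools 'conntrack'.

PRIMARY_DEV=ppp0
PRIMARY_GW=1.1.1.1
BACKUP_DEV=eth1
BACKUP_GW=2.2.2.2
LAN_DEV=eth2

# MASQUERADE is only valid in the nat table's POSTROUTING chain; one rule per
# egress device, not a single rule in -t filter FORWARD as in the original post.
install_nat_rules() {
    iptables -t nat -A POSTROUTING -o "$PRIMARY_DEV" -j MASQUERADE
    iptables -t nat -A POSTROUTING -o "$BACKUP_DEV" -j MASQUERADE
    iptables -A FORWARD -i "$LAN_DEV" -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# First IPv4 address on a device, or nothing if it has none (ppp0 after pppd
# exits shows up exactly like that in 'ip addr list').
dev_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Read a conntrack dump ('conntrack -L' or /proc/net/ip_conntrack) on stdin and
# print "proto orig-src orig-dst" for each flow whose reply-direction dst= is $1.
# For a masqueraded flow that field is the public address the SNAT was bound
# to, so these are the flows that keep leaving with the old source address
# after the default route has moved.
stale_nat_entries() {
    awk -v old="$1" '
    {
        ns = 0; nd = 0; osrc = ""; odst = ""; rdst = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "src=") == 1) { ns++; if (ns == 1) osrc = substr($i, 5) }
            else if (index($i, "dst=") == 1) {
                nd++
                if (nd == 1) odst = substr($i, 5)
                if (nd == 2) rdst = substr($i, 5)
            }
        }
        if (nd == 2 && rdst == old) print $1, osrc, odst
    }'
}

# Delete those flows and verify none are left; the next packet of each flow
# then gets a fresh NAT binding on whatever device the route now points at.
flush_stale_nat() {
    old=$1
    conntrack -D --reply-dst "$old" >/dev/null 2>&1 || true
    left=$(conntrack -L 2>/dev/null | stale_nat_entries "$old" | wc -l | tr -d ' ')
    [ "$left" -eq 0 ]
}

# What the daemon should do when ppp0 goes away. 'ip route flush cache' alone
# fixes routing but leaves the NAT bindings, which is the symptom in the thread
# (it clears up by itself only once the ICMP entries time out). The old address
# is passed in because once pppd has exited there is nothing left to look up.
failover_to_backup() {
    ip route replace default via "$BACKUP_GW" dev "$BACKUP_DEV"
    ip route flush cache
    [ -z "$1" ] || flush_stale_nat "$1"
}

# Failback is symmetric: flows bound to eth1's address would otherwise leave
# ppp0 with eth1's source once the route moves back.
failback_to_primary() {
    ip route replace default via "$PRIMARY_GW" dev "$PRIMARY_DEV"
    ip route flush cache
    flush_stale_nat "$(dev_addr "$BACKUP_DEV")"
}

monitor() {
    last=$(dev_addr "$PRIMARY_DEV")
    while sleep 5; do
        cur=$(dev_addr "$PRIMARY_DEV")
        if [ -n "$last" ] && [ -z "$cur" ]; then failover_to_backup "$last"
        elif [ -z "$last" ] && [ -n "$cur" ]; then failback_to_primary
        fi
        last=$cur
    done
}

# Constructed sample dump in 'conntrack -L' layout (not captured from the
# poster's box): 1.1.1.2 stands in for ppp0's old address, 2.2.2.3 for eth1's.
SAMPLE_DUMP='icmp     1 29 src=192.168.2.10 dst=203.0.113.5 type=8 code=0 id=512 src=203.0.113.5 dst=1.1.1.2 type=0 code=0 id=512 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.2.10 dst=203.0.113.5 sport=40000 dport=80 src=203.0.113.5 dst=1.1.1.2 sport=80 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.2.10 dst=203.0.113.53 sport=5353 dport=53 src=203.0.113.53 dst=2.2.2.3 sport=53 dport=5353 mark=0 use=1'

case "${1:-}" in
    demo)    printf '%s\n' "$SAMPLE_DUMP" | stale_nat_entries 1.1.1.2 ;;
    monitor) install_nat_rules; monitor ;;
esac
```

Run with `demo` to see the parser pick out the ICMP and TCP flows still bound to 1.1.1.2 while leaving the UDP flow bound to the cable modem's address alone; `monitor` installs the rules and starts the poll loop. The verification step in `flush_stale_nat` is the check the poster was doing by hand with tcpdump: if anything is still bound to the old address after the delete, the next packet of that flow will leave eth1 with ppp0's source, exactly as observed. Note that `ip_dynaddr` does not help here: it only rewrites the source of a packet that is still in flight when a dial-on-demand interface comes up, and does nothing to existing conntrack entries.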
* Re: icmp echo packets not masqueraded properly.
From: Jihoon Chung @ 2003-03-19 3:47 UTC (permalink / raw)
To: Joel Newkirk; +Cc: netfilter
Thanks for the reply..
On Tue, Mar 18, 2003 at 10:22:44PM -0500, Joel Newkirk wrote:
> >
> > And the Masquerading rule is:
> > `iptables -t filter -A FORWARD -j MASQUERADE`;
>
> I hope this is a mistype, and you're actually doing this in -t nat -A
> POSTROUTING? The MASQUERADE target is only valid in that chain.
Oops. Yes, it is a mistype. I meant -t nat.
>
> > The problem occurs when I'm pinging from the notebook (host inside the
> > firewall) to any host outside the firewall.
> >
> > When ppp0 dies and the default-route gets changed to eth1 while
> > pinging from the notebook, the ping session is still masqueraded to
> > ppp0's ip address !! , even though the packets are routed through
> > eth1. (I found this by tcpdumping on eth1)
> >
> > If I stop the ping on the notebook and wait 30 seconds and ping again,
> > it behaves fine.
>
> Is this ALL traffic, or just ICMP? Only if the pinging was already taking
> place as the route was changed?
Yes, just ICMP and only when the pinging was already taking place.
>
> There's a 30-second timeout, IIRC, on ICMP in conntrack. When MASQUERADE
> detects that a device is no longer available it is supposed to dump all
> conntrack entries associated with that device. It appears that it is
> not doing so, and the entries are simply expiring after timeout. Is
> device ppp0 still in the system, just not valid and not routed through?
> If so, you might try taking it down from your route-changing daemon.
Well, 'ip addr list' shows ppp0 but with no IP address.
I tried taking it down completely (doesn't show in 'ip addr list', no
pppd running), but still the problem exists.
> > Is there anyway I can make it behave without "stop-wait30sec" ?
> >
> > (by the way , I searched in /proc and tried turning on
> > /proc/sys/net/ipv4/ip_dynaddr , but nothing changed.)
>
> That has to be enabled for the MASQUERADE target to work properly anyway.
>
> j
>