Strange behaviour in iptables

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Jan 15 00:58:11 UTC 2004


On Wed, 14.01.2004 at 21:49, Alexandre Strube wrote:
> On Wed, 2004-01-14 at 15:47, Alexander Dalloz wrote:
> 
> > > I have a fedora machine acting as NAT router between a small network and
> > > an adsl connection. Iptables is managing this. This has been working for some
> > > time (redhat 8 -> redhat 9 -> fc1). I cannot even remember WHERE in init
> > > scripts this is configured.
> > > 
> > > The booting sequence is:
> > > 
> > > raises eth0
> > > raises ppp0 (it auto-connects, get ip, and so on)
> > > web connection (my isp requires we access a web page for authentication
> > > - I have a small script that automates this)
> > > Dynamic ip.
> > > For some days now (I don't know what was the exact update, as I don't
> > > reboot very often - this machine keeps up for weeks), but now, when I
> > > reboot, iptables doesn't do NAT anymore. The only way to get it working
> > > is doing a 'service iptables restart' and everything works again, which
> > > makes me sure that iptables' nat config is ok.
> > > 
> > > Can someone help me with this? This is pretty annoying in these times of
> > > 2.4 -> 2.6 transition (when I reboot quite often).
> > > By the way, this behaviour is with 2.4.22.2140.
> > For such things a look into the syslog file /var/log/messages is a good
> > start.
> 
> Here is what /var/log/messages say during boot:
> Jan 14 08:47:31 casa kernel: eth0: RealTek RTL8139 Fast Ethernet at
> 0xd8428000, 00:40:ca:99:f1:fe, IRQ 10
> Jan 14 08:47:31 casa kernel: eth0: link up, 10Mbps, half-duplex, lpa
> 0x0000
> Jan 14 08:47:31 casa kernel: ip_tables: (C) 2000-2002 Netfilter core
> team
> Jan 14 08:47:31 casa kernel: CSLIP: code copyright 1989 Regents of the
> University of California
> Jan 14 08:47:31 casa kernel: PPP generic driver version 2.4.2
> (...)
> Jan 14 08:47:48 casa pppoe[3797]: Timeout waiting for PADO packets
> Jan 14 08:47:48 casa pppd[3796]: Exit.
> (...)
> Jan 14 08:47:50 casa pppd[4214]: pppd 2.4.1 started by root, uid 0
> Jan 14 08:47:50 casa pppd[4214]: Using interface ppp0
> Jan 14 08:47:50 casa pppd[4214]: Connect: ppp0 <--> /dev/pts/1
> Jan 14 08:47:50 casa pppoe[4215]: PPP session is 30307
> Jan 14 08:47:50 casa pppd[4214]: local  IP address 200.164.21.238
> Jan 14 08:47:50 casa pppd[4214]: remote IP address 200.217.127.41
> Jan 14 08:47:50 casa pppd[4214]: primary   DNS address 200.149.55.140
> Jan 14 08:47:50 casa pppd[4214]: secondary DNS address 200.165.132.147

Can you check which iptables modules are loaded at that state? I suspect
iptable_nat.o is not one of them. What does an "iptables -L -n -v" and
"iptables -t nat -L -n -v" report?

> Until then, no nat. (it was connected anyway)
> Then, iptables restart and
> Jan 14 09:10:24 casa iptables:  succeeded
> Jan 14 09:10:24 casa last message repeated 2 times
> Jan 14 09:10:24 casa kernel: ip_tables: (C) 2000-2002 Netfilter core
> team
> Jan 14 09:10:24 casa kernel: ip_conntrack version 2.1 (3008 buckets,
> 24064 max) - 292 bytes per conntrack

Ok, now it loads ip_conntrack.o. Where did you configure connection
tracking? What does "iptables -L -n -v" and "iptables -t nat -L -n -v"
report now?

> > You should first find out where exactly your NAT is set up. I guess it
> > is configured in /etc/sysconfig/iptables as a service restart of
> > iptables is successful.
> 
> Yes, it is.
> 
> The relevant part of it is:
> 
> *filter
> (close everything, opens what I want, etc)
> COMMIT
> # Completed on Sat Jun 28 18:25:27 2003
> # Generated by iptables-save v1.2.7a on Sat Jun 28 18:25:27 2003
> *nat
> :PREROUTING ACCEPT [2305:120747]
> :POSTROUTING ACCEPT [172:10464]
> :OUTPUT ACCEPT [180:10962]
> -A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
> -A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
> -A POSTROUTING -o ppp0 -j MASQUERADE
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Sat Jun 28 18:25:27 2003

Why these double lines with same content?

> This first commit may be the culprit. But this does not explain why it
> worked until now, and why it works after restarted and does not before.

A COMMIT for each table, the first one is for filter table, the second
one for nat table. So far ok.

> > Do you see iptables service start failing on bootup? You need to boot
> > with details at least or better without rhgb.
> 
> Yes, it loads ok.
> 
> > Maybe the needed iptables kernel modules are not loaded ok at boot time.
> > All just guesses as there is no self investigation information in your
> > mail.
> 
> The weird thing is, no changes were made on this - as you can see, since june
> 28 2003... I'm still confused.

So far no real explanation. But we will find it...

Alexander


-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416  14CD E197 6E88 ED69 5653
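The two checks asked for in this mail (which netfilter modules are actually loaded at the point where NAT fails, and why the saved nat table carries every rule twice) can be scripted against captured output instead of eyeballing it. The helper below is an added example and is not part of the original thread; the lsmod listings and the iptables-save dump it works on are constructed to mirror what the mail describes (2.4-kernel module names ip_tables, ip_conntrack, iptable_nat), not real captures from the poster's machine.

```shell
#!/bin/sh
# Added example, not part of the original fedora-list thread.
# Two offline checks that answer the questions raised in the mail:
#   1. which of the 2.4-era netfilter modules needed for NAT (ip_tables,
#      ip_conntrack, iptable_nat) are missing from an lsmod listing, and
#   2. which rules appear more than once in the *nat table of an
#      iptables-save dump (the "double lines" in the quoted config).
# The sample listings below are constructed to mirror the thread; they are
# not real captures from the poster's machine.

# Constructed lsmod output as it might look right after boot: ip_tables is
# loaded (the kernel banner in the syslog shows that), but no NAT modules.
LSMOD_AT_BOOT='Module                  Size  Used by    Not tainted
ppp_synctty             7456   0 (autoclean)
ppp_async               9024   1 (autoclean)
ppp_generic            25932   3 (autoclean) [ppp_synctty ppp_async]
ip_tables              15776   0 (autoclean) (unused)
8139too                18120   1 (autoclean)'

# Constructed lsmod output after "service iptables restart" loaded the rest.
LSMOD_AFTER_RESTART='Module                  Size  Used by    Not tainted
ipt_MASQUERADE          2240   2 (autoclean)
iptable_nat            21624   1 (autoclean) [ipt_MASQUERADE]
ip_conntrack           27368   1 (autoclean) [ipt_MASQUERADE iptable_nat]
iptable_filter          2412   0 (autoclean) (unused)
ip_tables              15776   4 [ipt_MASQUERADE iptable_nat iptable_filter]
8139too                18120   1 (autoclean)'

# Constructed iptables-save dump with the duplicated nat rules from the mail.
SAVED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [2305:120747]
:POSTROUTING ACCEPT [172:10464]
:OUTPUT ACCEPT [180:10962]
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# missing_nat_modules LSMOD_OUTPUT
# Prints, one per line, each NAT-related module that is absent from the
# listing. Prints nothing when all of them are loaded.
missing_nat_modules() {
    for mod in ip_tables ip_conntrack iptable_nat; do
        printf '%s\n' "$1" |
            awk -v mod="$mod" '$1 == mod { found = 1 } END { if (!found) exit 1 }' ||
            printf '%s\n' "$mod"
    done
}

# duplicate_nat_rules SAVE_OUTPUT
# Prints each "-A ..." rule that occurs more than once inside the *nat
# section of an iptables-save dump (duplicates in other tables are ignored).
duplicate_nat_rules() {
    printf '%s\n' "$1" |
        awk '/^\*/ { table = substr($1, 2) }
             table == "nat" && /^-A/ { print }' |
        sort | uniq -d
}

# Human-readable summary for the two sample states.
nat_boot_report() {
    echo "== modules missing right after boot =="
    missing_nat_modules "$LSMOD_AT_BOOT"
    echo "== modules missing after iptables restart =="
    missing_nat_modules "$LSMOD_AFTER_RESTART"
    echo "== duplicated nat rules in the saved config =="
    duplicate_nat_rules "$SAVED_RULES"
}

nat_boot_report
```

On a live 2.4 box the same functions take real output, run as root: `missing_nat_modules "$(lsmod)"` at the point in the boot where NAT is dead, and `duplicate_nat_rules "$(iptables-save)"` against the running rule set. A non-empty first list confirms the suspicion voiced above that iptable_nat.o (and ip_conntrack.o) simply are not loaded yet when ppp0 comes up; the second list shows which rules are applied twice, which is harmless for MASQUERADE but worth cleaning out of /etc/sysconfig/iptables. The module names are those of the 2.4 kernel discussed in the thread; on 2.6 kernels the connection-tracking module is named differently, so the list in missing_nat_modules would need adjusting there.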