[Scottish] Bare ppp works gnome-ppp doesn't
Gavin McCord
scottish at mailman.lug.org.uk
Tue Dec 10 23:17:01 2002
I've used Slackware's ppp setup for a long time and it works fine for my network. There are two scripts, ppp-go and ppp-off to bring up/down a ppp link. When I connect to the Net, I run an iptables firewall script, fetchmail and maildirsmtp from ip-up. My network consists of a firewall/gateway and two client machines.
I recently tried using gnome-ppp to dial up, run from the gateway PC, but have had mixed results. Although I can get connected using it and all my ip-up scripts still run, I can't access the same range of websites. If I try to access Google, everything's fine. BBC News or CNN don't want to know. However, I can still access those sites from the gateway machine, so I think just the clients are affected. So, maybe my firewall is missing something.
Though I'm confused as to why my non-gnome-ppp setup works fine. I've included here my gnome-ppp configuration, an extract of my firewall script with hopefully the relevant stuff, and a tcpdump of what happens when I try to connect to an unresponsive site. I'm guessing it's something to do with ICMP traffic and/or MTU/MRU size, but I'm not sure.
See attachment for the firewall script, gnome-ppp config, etc. Any ideas gratefully appreciated.
Attachment: gnomeppp.txt
tcpdump -i ppp0 -l | grep -v ssh
(64.236.24.12 is the remote site, 80.1.1.118 is my ISP-assigned IP, 192.168.0.3 is the client machine)
------------------------------------------------------------------
22:51:36.053432 64.236.24.12 > 192.168.0.3: icmp: ip reassembly time exceeded [tos 0xc0]
22:51:39.033439 64.236.24.12 > 80.1.1.118: icmp: ip reassembly time exceeded [tos 0xc0]
22:51:39.043426 64.236.24.12.http > 80.1.1.118.32771: F 2242852752:2242852752(0) ack 2214421282 win 5840
22:51:42.013411 64.236.24.12.http > 80.1.1.118.32771: F 0:0(0) ack 1 win 5840
...
...
22:52:24.558725 80.1.1.118.32772 > 64.236.24.12.http: S 2303892855:2
win 5840 <mss 1460,sackOK,timestamp 130895 0,nop,wscale 0>
22:52:24.813426 64.236.24.12.http > 80.1.1.118.32772: S 2313633545:2
ack 2303892856 win 5840 <mss 1460>
22:52:24.814204 80.1.1.118.32772 > 64.236.24.12.http: . ack 1 win 58
22:52:24.815231 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) a
0 (frag 6825:272@0+)
22:52:24.815351 80.1.1.118 > 64.236.24.12: (frag 6825:260@272)
22:52:24.815636 80.1.1.118.32772 > 64.236.24.12.http: P 513:527(14)
40
22:52:25.163422 64.236.24.12.http > 80.1.1.118.32772: . ack 1 win 58
22:52:27.808954 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) a
0 (frag 6827:272@0+)
22:52:27.809153 80.1.1.118 > 64.236.24.12: (frag 6827:260@272)
gnome-ppp configuration
-----------------------
ISP - virgin
Modem device - ttyS1
Connection speed - 115200
Modem init - AT&FM0W2
Authentication - CHAP
Local IP address, Netmask, Remote IP - dynamic
DNS Server - 192.168.0.1
Search domain - koby.freeuk.com (my internal domain)
Script - left blank
Add Default Route - yes
Lock Dialout Device - yes
MTU - 296
MRU - 296
Run Program After Connect/Disconnect - blank
------------------------
rc.firewall - run once link is up
---------------------------------
IPADDR=                  # local address of ppp0 interface, assigned by ISP
LOCALNET="192.168.0.0/24"
INTERNAL_INTERFACE="eth0"
EXTERNAL_INTERFACE="ppp0"
# The posted extract uses the variables below without defining them; these
# values are assumed (typical for this style of script) so the extract runs.
IPTABLES="/usr/sbin/iptables"   # assumed path to the iptables binary
LOOPBACK="lo"                   # assumed loopback interface name
LOCAL_IP=                       # address of eth0 on the gateway; not given in the extract
ANYWHERE="0.0.0.0/0"            # assumed
UNPRIVPORTS="1024:65535"        # assumed unprivileged port range
LOG_LEVEL="info"                # assumed syslog level for the LOG target
# Enable rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $i;
done
fi
# Ignore any broadcast icmp echo requests
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# Enable IP forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Unlimited loopback access
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
# Local network access
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p all -s $LOCALNET \
-d $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_INTERFACE -p all -s $LOCAL_IP \
-d $LOCALNET -j ACCEPT
# Outgoing (established)
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -m state \
--state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -m state \
--state RELATED,ESTABLISHED -j ACCEPT
# Incoming (established)
# ACCEPT packets which are related to an established connection.
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -m state --state \
RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -m state --state \
RELATED,ESTABLISHED -j ACCEPT
# Flush the NAT table
$IPTABLES -F -t nat
# Source NAT -- (SNAT/Masquerading)
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $LOCALNET \
-j MASQUERADE
# ICMP
# Echo Reply (pong) 0
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Destination Unreachable 3
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
-j ACCEPT
# Echo Request (ping) 8
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# LOG all inbound pings
$IPTABLES -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 5/minute -j LOG --log-level $LOG_LEVEL \
--log-prefix "PING:"
# TTL Exceeded (traceroute) 11
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Source quench 4
$IPTABLES -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
# Port unreachable 3
$IPTABLES -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT
# Redirect 5
$IPTABLES -A INPUT -p icmp --icmp-type redirect -j ACCEPT
# Parameter problem 12
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Fragmentation needed 3
$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
# DNS
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --sport 53 \
-d $ANYWHERE --dport 53 \
-j ACCEPT
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --sport $UNPRIVPORTS \
-d $ANYWHERE --dport 53 \
-j ACCEPT
# HTTP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --sport $UNPRIVPORTS \
-d $ANYWHERE --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -p tcp \
-s $LOCALNET --sport $UNPRIVPORTS \
-d $ANYWHERE --dport 80 -j ACCEPT
----------------------------------------------------
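The poster suspects MTU/MRU size, and the dump does show outbound datagrams leaving as IP fragments (frag ...:272@0+) while the remote host answers with "ip reassembly time exceeded". The following is an added example, not code from the post or from gnome-ppp or Slackware, that makes the arithmetic behind that hypothesis concrete: it computes the fragments a link of a given MTU forces on a TCP segment (in tcpdump's LEN@OFF notation), the MSS that would avoid fragmentation, and it parses tcpdump lines of the kind in the attachment to count fragmented datagrams and reassembly-timeout ICMP per address pair. The sample lines are constructed by me and modelled on the dump above, with the truncated middle fields left out; the function names and the assumption that the link MTU is the 296 from the gnome-ppp configuration are mine.

```python
import re
from collections import defaultdict

IP_HDR = 20   # IPv4 header length without options
TCP_HDR = 20  # TCP header length without options


def fragment_plan(mtu, tcp_payload, tcp_options=0):
    """Split one IPv4 datagram carrying a TCP segment into the (length, offset)
    fragments a link with this MTU forces, in the LEN@OFF form tcpdump prints.
    Offsets count bytes after the IP header; every fragment but the last carries
    a multiple of 8 bytes because the IP fragment-offset field is in 8-byte units."""
    data = TCP_HDR + tcp_options + tcp_payload   # everything after the IP header
    per_frag = (mtu - IP_HDR) // 8 * 8           # payload room per fragment
    plan, off = [], 0
    while data - off > per_frag:
        plan.append((per_frag, off))
        off += per_frag
    plan.append((data - off, off))
    return plan


def mss_for_mtu(mtu, tcp_options=0):
    """Largest TCP payload that still fits one unfragmented datagram on this link."""
    return mtu - IP_HDR - TCP_HDR - tcp_options


# tcpdump (2002-era syntax) line shapes seen in the attachment:
#   <ts> <src> > <dst>: ... (frag <id>:<len>@<off>[+])
#   <ts> <src> > <dst>: icmp: ip reassembly time exceeded ...
FRAG_RE = re.compile(r'^\S+ (\S+) > (\S+): .*\(frag (\d+):(\d+)@(\d+)\+?\)')
REASM_RE = re.compile(r'^\S+ (\S+) > (\S+): icmp: ip reassembly time exceeded')


def host(addr):
    """Drop the trailing '.port' or '.service' from tcpdump's a.b.c.d.port form."""
    parts = addr.split('.')
    return '.'.join(parts[:4]) if len(parts) > 4 else addr


def summarise(lines):
    """Count distinct fragmented datagrams (by IP id) and reassembly-timeout
    ICMP messages, keyed by (source host, destination host)."""
    frag_ids = defaultdict(set)
    timeouts = defaultdict(int)
    for line in lines:
        m = FRAG_RE.match(line)
        if m:
            frag_ids[(host(m.group(1)), host(m.group(2)))].add(int(m.group(3)))
            continue
        m = REASM_RE.match(line)
        if m:
            timeouts[(host(m.group(1)), host(m.group(2)))] += 1
    return {
        'fragmented_datagrams': {k: len(v) for k, v in frag_ids.items()},
        'reassembly_timeouts': dict(timeouts),
    }


# Constructed sample, modelled on the dump in the attachment (middle fields omitted).
SAMPLE = """\
22:51:36.053432 64.236.24.12 > 192.168.0.3: icmp: ip reassembly time exceeded [tos 0xc0]
22:51:39.033439 64.236.24.12 > 80.1.1.118: icmp: ip reassembly time exceeded [tos 0xc0]
22:52:24.815231 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) (frag 6825:272@0+)
22:52:24.815351 80.1.1.118 > 64.236.24.12: (frag 6825:260@272)
22:52:27.808954 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) (frag 6827:272@0+)
22:52:27.809153 80.1.1.118 > 64.236.24.12: (frag 6827:260@272)
""".splitlines()

if __name__ == '__main__':
    # A full-size segment under the SYN's mss 1460 on a 296-byte link:
    print('MTU 296, MSS 1460 ->', fragment_plan(296, 1460))
    print('MSS that avoids fragmentation at MTU 296:', mss_for_mtu(296))
    for key, val in summarise(SAMPLE).items():
        print(key, val)
```

The first fragment the plan produces for a 296-byte MTU is 272 bytes, which is exactly what the dump shows (frag 6825:272@0+), so the dump is consistent with the gateway chopping forwarded segments to fit MTU 296. With the mss 1460 the SYN advertises, a full segment becomes six fragments, and losing any one of them anywhere on the path leaves the far end unable to reassemble, which is the ICMP message seen. Fragmentation disappears if clients never send more than mss_for_mtu(296) = 256 bytes per segment; on a netfilter gateway that is what the TCPMSS target's --clamp-mss-to-pmtu option in the mangle table arranges for forwarded SYNs.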