dialup solution (as seconary connection / iptables )

Greetings,

Let me first ask in short the most pressing IPTABLES question.

1. Where and how do I alter the source IP to my ppp0 internet IP.
Given I already have:

route add my.news.ip.num my.isp.gateway

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
--to-destination 64.news.ip.num

?? t -nat -A POSTROUTING &&&& -j SNAT --from-source my.1.2.ip


2. Will this complicated translation be automaticaly reversed for
returning packets or do I need 2 more rules.



The whole problem.

I have been keeping(/paying) my dialup connection for over a year
but didn't get much use out of it since I have to stop all else,
disable nic and dial out to download news.
I have stumbled across IPTABLES in the spring but had no time
for it till now. Thanks to my latest handme-down with working
ISA modem(with slack 12.1 out of the box), I am ready to try again.

I would like to use it to get to my dialup ISP for (at the very least )
news and perhaps it's SMTP and POP3.

Currently I have default route to router and out to DSL internet.
When I dial out I have a HOST route to the ISP, so I guess I have to
manualy add route to one of the 2 news servers, or both.
Is there a good / easy way to monitor ppp0 and add those entries when
it is up?

It is possible I don't have to touch it (routes) when it goes down, but
I think I still need "controler" script to wait for external IP of
the ppp0 and then enter iptables rules and then reemove them.

After rereading http://www.iptables-tutorials.frozen...tutorials.html

I started with this, first 2 just out of curiosity, but the log does not
seam to match the number of packets sent.

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j LOG
--log-level debug
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j LOG
--log-tcp-sequence

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
--to-destination 64.news.ip.num

I quickly realized by watching ppp0 with tcpdump that the return address
is my local address of the originating machine ( 192.168.0.5 ).
This made me search for more examples to see wheather or not I could
just append --from-source 192.168.0.5/24 ( or even /28) to that rule
but... no luck.


Also stumbled again on the MASQUERADE target section , but that would
not translate the destination .
Am I supposet to DNAT then masquarade? Where would I insert the rule
that jumps to MASQUERADE

Thank you for any pointers on this.

sammy wrote:

> Greetings,
>
> Let me first ask in short the most pressing IPTABLES question.
>
> 1. Where and how do I alter the source IP to my ppp0 internet IP.
> Given I already have:

Have a look at /etc/ppp/ip-up.d and /etc/ppp/ip-down.d - you can put scripts
there which are executed on dialing a connection and on hang up. You'd need
to figure out if the correct connection has been dialed or hanged up and
execute all you want. Have a look at
# iptables -R
it allows you to specify the number (counting from 1 as the top-most rule of
the specified chain) of the rule you want to replace. Change it when you
dialed in and change it back when you hanged up.

>
> route add my.news.ip.num my.isp.gateway
>
> iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
> --to-destination 64.news.ip.num

This one should be set up in your iptables init script, so it is already
there when you dial in to your ISP.

>
> ?? t -nat -A POSTROUTING &&&& -j SNAT --from-source my.1.2.ip

You don't need it.

>
>
> 2. Will this complicated translation be automaticaly reversed for
> returning packets or do I need 2 more rules.

Yes. See above.

>
>
>
> The whole problem.
>
> I have been keeping(/paying) my dialup connection for over a year
> but didn't get much use out of it since I have to stop all else,
> disable nic and dial out to download news.
> I have stumbled across IPTABLES in the spring but had no time
> for it till now. Thanks to my latest handme-down with working
> ISA modem(with slack 12.1 out of the box), I am ready to try again.
>
> I would like to use it to get to my dialup ISP for (at the very least )
> news and perhaps it's SMTP and POP3.
>
> Currently I have default route to router and out to DSL internet.
> When I dial out I have a HOST route to the ISP, so I guess I have to
> manualy add route to one of the 2 news servers, or both.
> Is there a good / easy way to monitor ppp0 and add those entries when
> it is up?

See /etc/ppp/ip-up.d and /etc/ppp/ip-down.d

>
> It is possible I don't have to touch it (routes) when it goes down, but
> I think I still need "controler" script to wait for external IP of
> the ppp0 and then enter iptables rules and then reemove them.
>
> After rereading
> http://www.iptables-tutorials.frozen...tutorials.html
[snip]
> iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
> --to-destination 64.news.ip.num

You should rather set up your news-reader to use 64.news.ip.num as news
source, masquerading your connection after dialup (see below) would do the
rest then.

>
> I quickly realized by watching ppp0 with tcpdump that the return address
> is my local address of the originating machine ( 192.168.0.5 ).
> This made me search for more examples to see wheather or not I could
> just append --from-source 192.168.0.5/24 ( or even /28) to that rule
> but... no luck.
>
>
> Also stumbled again on the MASQUERADE target section , but that would
> not translate the destination .
> Am I supposet to DNAT then masquarade? Where would I insert the rule
> that jumps to MASQUERADE

You should masquerade your outgoing connections like this:
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
which you can do as well from ppp's ip-up scripts.

HTH,
Felix

Felix Tiede wrote:

> sammy wrote:
>
>
>>Greetings,
>>
>>Let me first ask in short the most pressing IPTABLES question.
>>
>>1. Where and how do I alter the source IP to my ppp0 internet IP.
>>Given I already have:
>
>
> Have a look at /etc/ppp/ip-up.d and /etc/ppp/ip-down.d - you can put scripts
> there which are executed on dialing a connection and on hang up. You'd need
> to figure out if the correct connection has been dialed or hanged up and
I suppose that could work if I keep checking IFCONFIG until ppp0 appears.
WOW you are right there is ip-up and ip-down mostly commented out,
and ip-up is around (still running) when network is established. I
thought the ip messages are from pppd as stderr.
...... TOTALLY forgot their existence.
I guess my problem with dropped connection is solved, at first thought
ip-up was fedora equivalent to /usr/sbin/ppp-go ( and stop) and that you
forgot about it going down on it's own.

> execute all you want. Have a look at
> # iptables -R
> it allows you to specify the number (counting from 1 as the top-most rule of
> the specified chain) of the rule you want to replace. Change it when you
> dialed in and change it back when you hanged up.
>
iptables -R
Unknown argument in iptables 1.3.8

DID you mean -I 1 ( or is it 0 )

>
>>route add my.news.ip.num my.isp.gateway
>>
>>iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
>>--to-destination 64.news.ip.num
>
>
> This one should be set up in your iptables init script, so it is already
> there when you dial in to your ISP.
>
I do have firewall-masq and firewall-standalone but assuming this is for
single interface (ppp) I haven't given it much consideration.

>>Currently I have default route to router and out to DSL internet.
>>When I dial out I have a HOST route to the ISP, so I guess I have to
>>manualy add << SNIP >>

<< SNIP >>
>
> You should rather set up your news-reader to use 64.news.ip.num as news
> source, masquerading your connection after dialup (see below) would do the
> rest then.
>
>
Oh right (static routes), I can enter redirection for those 3 or 4
addresses based on just ip ( since they don't serve anything else ) into
the router. Only problem is it doesn't let me enter single ip mask,
lucky for me news are 247 and 250 so 255.255.255.240 it is.

<<snip>>
> You should masquerade your outgoing connections like this:
> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> which you can do as well from ppp's ip-up scripts.
>
Well now that may work.

OOOPs the router is not sending the trafic to the modem server.
looks like I am stuck with 192.168.0.6:119 as the news server address.
Unless the conflict is with the fact that the router (netgear WGR614v3 )
has DHCP on (11- ), but I an using all static addresses below that hmmm.
no it shouldn't, that would be a serious bug.

So back to
iptables -t nat -A PREROUTING -j snat --from-source $4 ( $4 in ip-up )
and
-j masquerade


Thanks

sammy wrote:

> Felix Tiede wrote:
>
>> sammy wrote:
>>
>>
>>>Greetings,
>>>
>>>Let me first ask in short the most pressing IPTABLES question.
>>>
>>>1. Where and how do I alter the source IP to my ppp0 internet IP.
>>>Given I already have:
>>
>>
>> Have a look at /etc/ppp/ip-up.d and /etc/ppp/ip-down.d - you can put
>> scripts there which are executed on dialing a connection and on hang up.
>> You'd need to figure out if the correct connection has been dialed or
>> hanged up and
> I suppose that could work if I keep checking IFCONFIG until ppp0 appears.
> WOW you are right there is ip-up and ip-down mostly commented out,
> and ip-up is around (still running) when network is established. I
> thought the ip messages are from pppd as stderr.
> ..... TOTALLY forgot their existence.
> I guess my problem with dropped connection is solved, at first thought
> ip-up was fedora equivalent to /usr/sbin/ppp-go ( and stop) and that you
> forgot about it going down on it's own.
>
>> execute all you want. Have a look at
>> # iptables -R
>> it allows you to specify the number (counting from 1 as the top-most rule
>> of the specified chain) of the rule you want to replace. Change it when
>> you dialed in and change it back when you hanged up.
>>
> iptables -R
> Unknown argument in iptables 1.3.8
>
> DID you mean -I 1 ( or is it 0 )

No, I meant -R - it is available, check iptables' man-page, you can not use
it without anything to do.
# iptables -R
fails at my boxes too, but it works very well if used as pointed out by
man-page.

>
>>
>>>route add my.news.ip.num my.isp.gateway
>>>
>>>iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
>>>--to-destination 64.news.ip.num
>>
>>
>> This one should be set up in your iptables init script, so it is already
>> there when you dial in to your ISP.
>>
> I do have firewall-masq and firewall-standalone but assuming this is for
> single interface (ppp) I haven't given it much consideration.

Well, I configure my iptables without assistance of any tools and IMHO such
tools are not helpful when it comes to out-of-the-ordinary setups as yours.

>
>>>Currently I have default route to router and out to DSL internet.
>>>When I dial out I have a HOST route to the ISP, so I guess I have to
>>>manualy add << SNIP >>
>
> << SNIP >>
>>
>> You should rather set up your news-reader to use 64.news.ip.num as news
>> source, masquerading your connection after dialup (see below) would do
>> the rest then.
>>
>>
> Oh right (static routes), I can enter redirection for those 3 or 4
> addresses based on just ip ( since they don't serve anything else ) into
> the router. Only problem is it doesn't let me enter single ip mask,
> lucky for me news are 247 and 250 so 255.255.255.240 it is.

If you want to add a single host to the system's routing table, just add the
ip address, prefixed by -host if you want to. You don't need to specify a
netmask then.

>
> <<snip>>
>> You should masquerade your outgoing connections like this:
>> # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> which you can do as well from ppp's ip-up scripts.
>>
> Well now that may work.
>
> OOOPs the router is not sending the trafic to the modem server.
> looks like I am stuck with 192.168.0.6:119 as the news server address.
> Unless the conflict is with the fact that the router (netgear WGR614v3 )
> has DHCP on (11- ), but I an using all static addresses below that hmmm.
> no it shouldn't, that would be a serious bug.

You need to tell your workstations to route traffic to the news server via
modem server. Your DSL router has no business in this. And it will never
do "the right thing" unless you run it with openwrt or something and modify
its routing table manually.

>
> So back to
> iptables -t nat -A PREROUTING -j snat --from-source $4 ( $4 in ip-up )
> and
> -j masquerade

I've fiddled with SNAT once but it didn't help much, most failed because
internet providers don't like packets with obviously modified source ip
addresses.

Greetz,
Felix

Felix Tiede wrote:
> sammy wrote:
>
>
>>Felix Tiede wrote:
>>
>>
>>>sammy wrote:

>>>execute all you want. Have a look at
>>># iptables -R
>>>it allows you to specify the number (counting from 1 as the top-most rule
>>>of the specified chain) of the rule you want to replace. Change it when
>>>you dialed in and change it back when you hanged up.
>>>
>>
>>iptables -R
>>Unknown argument in iptables 1.3.8
>>
>>DID you mean -I 1 ( or is it 0 )
>
>
> No, I meant -R - it is available, check iptables' man-page, you can not use
> it without anything to do.
> # iptables -R
> fails at my boxes too, but it works very well if used as pointed out by
> man-page.
>
>

Oh , sorry , acctualy there are no rules on that machine right now ,
just default ACCEPT policy.

>>Oh right (static routes), I can enter redirection for those 3 or 4
>>addresses based on just ip ( since they don't serve anything else ) into
>>the router. Only problem is it doesn't let me enter single ip mask,
>>lucky for me news are 247 and 250 so 255.255.255.240 it is.
>
>
> If you want to add a single host to the system's routing table, just add the
> ip address, prefixed by -host if you want to. You don't need to specify a
> netmask then.

The above was refering to the netgear router and it's web interface.
I hoped that it could redirect trafic localy, but I guess no luck.

>
>
>><<snip>>
>>
>>>You should masquerade your outgoing connections like this:
>>># iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>>which you can do as well from ppp's ip-up scripts.
>>>
>>
>>Well now that may work.
>>
>>OOOPs the router is not sending the trafic to the modem server.
>>looks like I am stuck with 192.168.0.6:119 as the news server address.
>>Unless the conflict is with the fact that the router (netgear WGR614v3 )
>>has DHCP on (11- ), but I an using all static addresses below that hmmm.
>>no it shouldn't, that would be a serious bug.
>
>
> You need to tell your workstations to route traffic to the news server via
> modem server. Your DSL router has no business in this. And it will never
> do "the right thing" unless you run it with openwrt or something and modify
> its routing table manually.
>
>

Not sure what you mean , earlier you sugested to use the real address
in the news reader, are you saying I should use IPTABLEs on stations to
DNAT to the server and there DNAT to the real address?

or acctualy
route add 64.news.server.ip 192.168.0.6
wouldn't using the local address out right be the same.


>>So back to
>>iptables -t nat -A PREROUTING -j snat --from-source $4 ( $4 in ip-up )
>>and
>>-j masquerade
>
>
> I've fiddled with SNAT once but it didn't help much, most failed because
> internet providers don't like packets with obviously modified source ip
> addresses.
>
> Greetz,
> Felix

heh I'll try to keep it a secret, how obwious can it be?

sammy wrote:

> Felix Tiede wrote:
>> sammy wrote:
[snip]
>>>Oh right (static routes), I can enter redirection for those 3 or 4
>>>addresses based on just ip ( since they don't serve anything else ) into
>>>the router. Only problem is it doesn't let me enter single ip mask,
>>>lucky for me news are 247 and 250 so 255.255.255.240 it is.
>>
>>
>> If you want to add a single host to the system's routing table, just add
>> the ip address, prefixed by -host if you want to. You don't need to
>> specify a netmask then.
>
> The above was refering to the netgear router and it's web interface.
> I hoped that it could redirect trafic localy, but I guess no luck.

I'd be surprised if there were any luck in this. Those routers are not very
configurable.

>
>>
>>
>>><<snip>>
>>>
>>>>You should masquerade your outgoing connections like this:
>>>># iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>>>which you can do as well from ppp's ip-up scripts.
>>>>
>>>
>>>Well now that may work.
>>>
>>>OOOPs the router is not sending the trafic to the modem server.
>>>looks like I am stuck with 192.168.0.6:119 as the news server address.
>>>Unless the conflict is with the fact that the router (netgear WGR614v3 )
>>>has DHCP on (11- ), but I an using all static addresses below that hmmm.
>>>no it shouldn't, that would be a serious bug.
>>
>>
>> You need to tell your workstations to route traffic to the news server
>> via modem server. Your DSL router has no business in this. And it will
>> never do "the right thing" unless you run it with openwrt or something
>> and modify its routing table manually.
>>
>>
>
> Not sure what you mean , earlier you sugested to use the real address
> in the news reader, are you saying I should use IPTABLEs on stations to
> DNAT to the server and there DNAT to the real address?

Not knowing your network's topology I thought it was your "modem server"
which is where your newsreader runs. Now that I know better, I'd rather
suggest you'd specify your modem server as gateway to the newsservers.

>
> or acctualy
> route add 64.news.server.ip 192.168.0.6
> wouldn't using the local address out right be the same.

Depends on the protocol. Honestly I don't know, but if you have only linux
boxes as workstations you should be able add these routes to their network
configurations.

>
>
[snip]
> heh I'll try to keep it a secret, how obwious can it be?

>>
>>Not sure what you mean , earlier you sugested to use the real address
>>in the news reader, are you saying I should use IPTABLEs on stations to
>>DNAT to the server and there DNAT to the real address?
>
>
> Not knowing your network's topology I thought it was your "modem server"
> which is where your newsreader runs. Now that I know better, I'd rather
> suggest you'd specify your modem server as gateway to the newsservers.
>
>

I am sorry, I should have said "hardware router" in the third paragraph.
No, nowhere that simple a setup, there would be no reason to fiddle
iptables at all, and probably not even the parts of my question relating
to taking action when ppp goes up and down. One note about ip-up,
ip-down scripts , I don't believe they are being executed in slackware.
My shell script doesn't run nor do I see any change when I change the
IP address messages. I think I may have read that ip-up does not run
when script method is used , but I tried PAP and it aborts before the
modem even tries to dial. Does PAP require me to make the connection
first with MINICOM or is PAP and script not mutualy exclusive?

I gave up on having machines in a string ( or actually linux router)
when I got DSL a year ago,
so I have 3 or 4 machines connected to the hardware netgear router
and DSL modem, one of them w2K (what I really use as the serious
workstation). The other linux box (PIII 800 192...5) is my workstaion
with KDE and terminal to 192...6, where I do testing from.

Since the DSL provider doesn't have news , I kept the
dialup account. Both the windows and linux box have a modem, so up to
this point I have used the w2k to access the the dialup by disabling the
nic and dialing out , letting windows handle all the re-routing
information ( it's own default gateway, this only works seamlessly
after some updates are downloaded when you installed windows connected
to the router and internet.)

So I am trying to use the linux box as access point to NNTP at least
untill I come across some software with good documentation that
can duplicate the ISPs NEWS functions. That way I wont have to
redownload some large newsgroups such as sci.electronics.design
over the 44Kbs modem connection when netscape hangs or another cause
forces me to shutoff while NEWS reader is open. %^%$# netscape doesn't
flush after it's done downloading each group only when you close the
app, but it does store in text format and does not rewrite the files,
rather appends.
OPPS TOO MUCH OFF TOPIC


So as I mentioned , I tried to enter route to the ISP news server
through my linux box ( with modem ) under static routes section of
the netgear router setup, but it does not seam to work, therefore I am
stuck with using the boxes (local ) IP as the news server.

Clifford Kite wrote:
> sammy <(E-Mail Removed)> wrote:
>
> <...>
>
>>to taking action when ppp goes up and down. One note about ip-up,


> To try and find out what is wrong the dialout program or script should
> be set for verbose logging, for chat that would be -vs. Then you can add
>
> daemon.*;local2.* /var/log/ppp.log
>

It works when pppd is setup for script but doesn't run ip-up/down.

> If you use the Linux box and route the news IP address to it on each
> of the other LAN boxes then you shouldn't need to disable the NIC.
> DSL and dialup PPP can both be available at the same time.
>
> On the dialup host you would need IP forwarding enabled and
>
> route add news.ip.num gw $5 $1
> iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $4
>
> in up-up, with no default route for the PPP interface if you want to
> also be able to access the Internet with other types of connections
> from the dialup via DSL routing.
>
> On the other LAN hosts you should only need
>
> route add news.ip.num gw 192.168.0.6 ethx
>
> where 192.168.0.6 (or whatever) is the LAN IP address of the dialup and
> ethx is the host's Ethernet interface. Of course news.ip.num is the IP
> address of the external news server.
>
>
As far as I know you can only route through machine directly connected
and in my case directly connected to all machines is the netgear
concentrator (since it's routing capability is questionable )

When I make ppp connection one of the messages is:
"not changing default route" (through the router)
I guess that's something to reconsider since I am not expectiong
to work from that machine but may wish to share drive space.

This is more or less what I would like to run from ip-up when I get it
going.

news.sh $4 $5

#!/bin/sh
echo "adding " $1 >/dev/tty0
route add news.serv1 $2
route add news.serv2 $2

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j LOG
--log-tcp-sequence
iptables -t nat -A PREROUTING -p tcp -d 192.168.0.6 --dport 119 -j DNAT
--to-destination news.serv2

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE


should second rule (DNAT) be in INPUT chain?
This gets packets back to the modem server but I am not
sure how to procceed from here since there are 2 possible clients,
(...5 and ...9 ) short of hardcoding it for one of them with

iptables -t NAT -A INPUT -s news.serv1 -j DNAT --to-destination
192.168.0.9

or ...5

Do I need to mark the connection or ..?



> A lightweight choice for a Linux local news host would be leafnode with
> it's companion fetchnews.
>
>
Great thanks , I'll look into it, but I am put off a bit by the fact it
is 2 separate parts instead of single daemon and single config file.

Cheers, Sam