iptables - specifying iface that does not currently exist

Hi,

I've set up a router and firewall with iptables, the external link is a
ppp one using the speedtouch USB modem and the internal is a normal
ethernet card. The ppp link isn't always up, pppd will repeatedly try
until it gets through.

My question is: when the ppp0 iface goes down, what happens to the data
packets being forwarded out from the LAN to the internet? I have
ip_forward and ip_dynaddr both set to 1 and I know it's perfectly legal
to specify with iptables an iface that does not exist. But something
must be done to the packets being continuously sent into tho router
destined into a downed iface... Does the kernel buffer them up until
the link is back up (ip_dynaddr = 1)? wouldn't there be a limit for
this buffering? Should I turn off just the ip_forward and firewall with
the ip-down hook or is this unnecessary?

I need this router to be rock solid, with minimum maintainence as I
won't be able to administer it easily. hopefully someone can help me
out on this detail which I can't find any info on.

Cheers for any help received!

Justin

Justin wrote:
> Hi,
>
> I've set up a router and firewall with iptables, the external link is a
> ppp one using the speedtouch USB modem and the internal is a normal
> ethernet card. The ppp link isn't always up, pppd will repeatedly try
> until it gets through.
>
> My question is: when the ppp0 iface goes down, what happens to the data
> packets being forwarded out from the LAN to the internet?

With your ppp interface down, the packets will normally be rejected with
an ICMP message "Destination Host Unreachable"

I have
> ip_forward and ip_dynaddr both set to 1 and I know it's perfectly legal
> to specify with iptables an iface that does not exist. But something
> must be done to the packets being continuously sent into tho router
> destined into a downed iface... Does the kernel buffer them up until
> the link is back up (ip_dynaddr = 1)? wouldn't there be a limit for
> this buffering? Should I turn off just the ip_forward and firewall with
> the ip-down hook or is this unnecessary?

The kernel rejects packets it can't route; it doesn't buffer them up.
Your ppp/ip-down script should restore your system to how it was before
it ran the ppp/ip-up script. That way, your routing table will stay
right and subsequent ip-up's won't make repetitious additions to your
list of filter rules.

Robert

>
> I need this router to be rock solid, with minimum maintainence as I
> won't be able to administer it easily. hopefully someone can help me
> out on this detail which I can't find any info on.
>
> Cheers for any help received!
>
> Justin
>

On Mon, 14 Aug 2006 16:12:36 GMT, Robert Harris <(E-Mail Removed)> wrote:

>
>The kernel rejects packets it can't route; it doesn't buffer them up.
>Your ppp/ip-down script should restore your system to how it was before
>it ran the ppp/ip-up script. That way, your routing table will stay
>right and subsequent ip-up's won't make repetitious additions to your
>list of filter rules.

Yes, I do something like this. Startup puts firewall into localnet mode,
ip-up switches iptables to 'world' mode, and ip-down knocks it back to
localnet mode, ~2 years on ADSL with modem in bridge mode, no problems.

Grant.
--
http://bugsplatter.mine.nu/

Thanks guys! That's cleared up the puzzle for me

many thanks

Justin