On Wed, 14.01.2004 at 21:49, Alexandre Strube wrote:
> On Wed, 2004-01-14 at 15:47, Alexander Dalloz wrote:
> >
> > > I have a fedora machine acting as NAT router between a small network and
> > > an adsl connection. Iptables is managing this. This is working for some
> > > time (redhat 8 -> redhat 9 -> fc1) I cannot even remember WHERE in init
> > > scripts this is configured.
> > >
> > > The booting sequence is:
> > >
> > > raises eth0
> > > raises ppp0 (it auto-connects, gets ip, and so on)
> > > web connection (my isp requires we access a web page for authentication
> > > - I have a small script that automates this)
> > > Dynamic ip.
> > > For some days now (I don't know what was the exact update, as I don't
> > > reboot very often - this machine keeps up for weeks), but now, when I
> > > reboot, iptables doesn't do NAT anymore. The only way to get it working
> > > is doing a 'service iptables restart' and everything works again, which
> > > makes me sure that iptables' nat config is ok.
> > >
> > > Can someone help me with this? This is pretty annoying in these times of
> > > 2.4 -> 2.6 transition (when I reboot quite often)
> > > By the way, this behaviour is with 2.4.22.2140.
> > For such things a look into the syslog file /var/log/messages is a good
> > start.
>
> Here is what /var/log/messages says during boot:
> Jan 14 08:47:31 casa kernel: eth0: RealTek RTL8139 Fast Ethernet at 0xd8428000, 00:40:ca:99:f1:fe, IRQ 10
> Jan 14 08:47:31 casa kernel: eth0: link up, 10Mbps, half-duplex, lpa 0x0000
> Jan 14 08:47:31 casa kernel: ip_tables: (C) 2000-2002 Netfilter core team
> Jan 14 08:47:31 casa kernel: CSLIP: code copyright 1989 Regents of the University of California
> Jan 14 08:47:31 casa kernel: PPP generic driver version 2.4.2
> (...)
> Jan 14 08:47:48 casa pppoe[3797]: Timeout waiting for PADO packets
> Jan 14 08:47:48 casa pppd[3796]: Exit.
> (...)
> Jan 14 08:47:50 casa pppd[4214]: pppd 2.4.1 started by root, uid 0
> Jan 14 08:47:50 casa pppd[4214]: Using interface ppp0
> Jan 14 08:47:50 casa pppd[4214]: Connect: ppp0 <--> /dev/pts/1
> Jan 14 08:47:50 casa pppoe[4215]: PPP session is 30307
> Jan 14 08:47:50 casa pppd[4214]: local IP address 200.164.21.238
> Jan 14 08:47:50 casa pppd[4214]: remote IP address 200.217.127.41
> Jan 14 08:47:50 casa pppd[4214]: primary DNS address 200.149.55.140
> Jan 14 08:47:50 casa pppd[4214]: secondary DNS address 200.165.132.147

Can you check which iptables modules are loaded at that state? I suspect
iptable_nat.o is not one of them. What does an "iptables -L -n -v" and
"iptables -t nat -L -n -v" report?

> Until then, no nat. (it was connected anyway)
> Then, iptables restart and
> Jan 14 09:10:24 casa iptables: succeeded
> Jan 14 09:10:24 casa last message repeated 2 times
> Jan 14 09:10:24 casa kernel: ip_tables: (C) 2000-2002 Netfilter core team
> Jan 14 09:10:24 casa kernel: ip_conntrack version 2.1 (3008 buckets, 24064 max) - 292 bytes per conntrack

Ok, now it loads ip_conntrack.o. Where did you configure connection
tracking? What does "iptables -L -n -v" and "iptables -t nat -L -n -v"
report now?

> > You should first find out where exactly your NAT is set up. I guess it
> > is configured in /etc/sysconfig/iptables as a service restart of
> > iptables is successful.
>
> Yes, it is.
>
> The relevant part of it is:
>
> *filter
> (close everything, opens what I want, etc)
> COMMIT
> # Completed on Sat Jun 28 18:25:27 2003
> # Generated by iptables-save v1.2.7a on Sat Jun 28 18:25:27 2003
> *nat
> :PREROUTING ACCEPT [2305:120747]
> :POSTROUTING ACCEPT [172:10464]
> :OUTPUT ACCEPT [180:10962]
> -A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
> -A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
> -A POSTROUTING -o ppp0 -j MASQUERADE
> -A POSTROUTING -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Sat Jun 28 18:25:27 2003

Why these double lines with the same content?

> This first commit may be the culprit. But this does not explain why it
> worked until now, and why it works after restart and does not before.

A COMMIT for each table, the first one is for the filter table, the second
one for the nat table. So far ok.

> > Do you see iptables service start failing on bootup? You need to boot
> > with details at least or better without rhgb.
>
> Yes, it loads ok.
>
> > Maybe the needed iptables kernel modules are not loaded ok at boot time.
> > All just guesses as there is no self investigation information in your
> > mail.
>
> The weird thing is, no changes were made on this - as you can see, since
> June 28 2003...

I'm still confused. So far no real explanation. But we will find it...

Alexander

-- 
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653
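As an added example (not the poster's file or Fedora's init scripts), a small POSIX sh/awk checker for an iptables-save style dump like the one quoted above: it lists rules duplicated within a table, counts a table's rules, and flags any table section that lacks its COMMIT. The function names are my own and the sample dump is constructed after the quoted nat section; its filter rules and counters are made up.

```sh
# Constructed sample (added example, not the list poster's file) modelled
# on the nat section quoted in the thread; filter rules and counters are made up.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
# Generated by iptables-save v1.2.7a on Sat Jun 28 18:25:27 2003
*nat
:PREROUTING ACCEPT [2305:120747]
:POSTROUTING ACCEPT [172:10464]
:OUTPUT ACCEPT [180:10962]
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A PREROUTING -d 192.168.0.1 -j DNAT --to-destination 200.223.0.83
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

# List every -A rule that occurs more than once within the same table,
# one per line as: table<TAB>rule<TAB>occurrences.
duplicate_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ { key = table "\t" $0; if (++n[key] == 2) order[++k] = key }
        END   { for (i = 1; i <= k; i++) printf "%s\t%d\n", order[i], n[order[i]] }'
}

# Number of -A rules in the named table (0 when the table is absent).
rule_count() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ && table == want { c++ }
        END { print c + 0 }'
}

# Names of tables whose section is not closed by COMMIT; iptables-restore
# expects every table section to end with one.
unterminated_tables() {
    printf '%s\n' "$1" | awk '
        /^\*/ { if (open != "") print open; open = substr($0, 2); next }
        /^COMMIT/ { open = "" }
        END { if (open != "") print open }'
}

echo "nat rules: $(rule_count nat "$SAMPLE_RULES")"
echo "duplicates:"; duplicate_rules "$SAMPLE_RULES"
echo "tables without COMMIT: $(unterminated_tables "$SAMPLE_RULES")"
```

Run it against the live file (e.g. `sh checker.sh < /etc/sysconfig/iptables` after replacing SAMPLE_RULES with `$(cat)`) to compare the saved rules with what `iptables -t nat -L -n -v` shows after boot.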