------------------
My configuration:
------------------
2 PCs with Windows NT and Netscape Communicator (192.168.1.10 and
192.168.1.20)
1 (local, non-official) DNS server with Linux at 192.168.1.1 (it is also
a Samba server, an intranet server, ...)
1 gateway for ISDN dial-up access at 192.168.1.2. I establish a
connection to my provider with dynamic IP addresses.
-------------
My problems:
-------------
First one:
Sometimes I cannot access the provider on the first attempt.
The rate is: 1 success in 2 trials if the first packet is a POP
connection, 8 successes in 10 trials if the first packet is an HTTP
connection.
Diald connects to the provider but after a few seconds, Netscape, on the
NT PC, pops up a message box with the error "Cannot connect to host". If
I make a new attempt, I succeed because the connection is open!
I see the demand on the diald-monitor fifo, the connection with the
diald-connect script in /var/log/messages, the masquerading connection
with ipfwadm -M -ln, but my PC doesn't establish the link and I get the
error message.
I see the dyn_address log in /var/log/messages when my dynamic IP address
changes.
Second one:
When the connection is established and I look at the diald-monitor fifo, I
see some log entries with my private addresses.
When I use tcpdump on the ppp0 interface I see some packets with my
private addresses too.
I think I should never see addresses of my private network behind
the masquerading.
Pretty strange, isn't it!
Can somebody help me and explain what's happening?
------------------------
My configuration files:
------------------------
Gateway : Redhat 5.2 (Linux 2.0.36#1)
diald : 0.16.5
/etc/diald.conf
---------------
mode ppp
accounting-log /var/log/diald-acct.log
fifo /etc/diald/diald.ctl
connect "/etc/ppp/diald.connect"
device /dev/ttyS0
pppd-options debug kdebug 7
speed 115200
modem
lock
crtscts
local 192.168.254.1
remote 192.168.254.2
dynamic
defaultroute
redial-timeout 30
retry-count 2
up-delay 5
include /usr/lib/diald/local.filter
/usr/lib/diald/local.filter
---------------------------
# --- start of rule set proper ---
# When initiating a connection we only give the link 150 seconds initially.
# The idea here is to deal with the possibility that the network on the
# opposite end of the connection is unreachable. In this case you don't
# really want to give the link 5 minutes up time. With the rule below
# we only give the link 150 seconds initially. If the network is reachable
# then we will normally get a response that actually contains some
# data within 150 seconds. If this causes problems because you have a slow
# response time at some site you want to regularly access, you can either
# increase the timeout or remove this rule.
accept tcp 150 tcp.syn
# Keep named xfers from holding the link up
ignore tcp tcp.dest=tcp.domain
ignore tcp tcp.source=tcp.domain
# (Ack! SCO telnet starts by sending empty SYNs and only opens the
# connection if it gets a response. Sheesh..)
accept tcp 5 ip.tot_len=40,tcp.syn
# keep empty packets from holding the link up (other than empty SYN packets)
ignore tcp ip.tot_len=40,tcp.live
# make sure http transfers hold the link for 2 minutes, even after they end.
# NOTE: Your /etc/services may not define the tcp service www, in which
# case you should comment out the following two lines or get a more
# up to date /etc/services file. See the FAQ for information on obtaining
# a new /etc/services file.
accept tcp 120 tcp.dest=tcp.www
accept tcp 120 tcp.source=tcp.www
# Once the link is no longer live, we try to shut down the connection
# quickly. Note that if the link is already down, a state change
# will not bring it back up.
keepup tcp 5 !tcp.live
ignore tcp !tcp.live
# an ftp-data or ftp connection can be expected to show reasonably frequent
# traffic.
accept tcp 120 tcp.dest=tcp.ftp
accept tcp 120 tcp.source=tcp.ftp
# NOTE: ftp-data is not defined in the /etc/services file provided with
# the latest versions of NETKIT, so I've got this commented out here.
# If you want to define it add the following line to your /etc/services:
# ftp-data 20/tcp
# and uncomment the following two rules.
#accept tcp 120 tcp.dest=tcp.ftp-data
#accept tcp 120 tcp.source=tcp.ftp-data
# If we don't catch it above, give the link 5 minutes (300 seconds) up time.
accept tcp 300 any
# Rules for UDP packets
#
# We time out domain requests right away, we just want them to bring
# the link up, not keep it around for very long.
# This is because the network will usually come up on a call
# from the resolver library (unless you have all your commonly
# used addresses in /etc/hosts, in which case you will discover
# other problems.)
# Note that you should not make the timeout shorter than the time you
# might expect your DNS server to take to respond. Otherwise
# when the initial link gets established there might be a delay
# greater than this between the initial series of packets before
# any packets that keep the link up longer pass over the link.
# Don't bring the link up for rwho.
ignore udp udp.dest=udp.who
ignore udp udp.source=udp.who
# Don't bring the link up for RIP.
ignore udp udp.dest=udp.route
ignore udp udp.source=udp.route
# Don't bring the link up for NTP or timed.
ignore udp udp.dest=udp.ntp
ignore udp udp.source=udp.ntp
ignore udp udp.dest=udp.timed
ignore udp udp.source=udp.timed
# Don't bring up on domain name requests between two running nameds.
#ignore udp udp.dest=udp.domain,udp.source=udp.domain
# Bring up the network whenever we make a domain request from someplace
# other than named.
accept udp 150 udp.dest=udp.domain
accept udp 150 udp.source=udp.domain
# Do the same for netbios-ns broadcasts
# NOTE: your /etc/services file may not define the netbios-ns service
# in which case you should comment out the next three lines.
ignore udp udp.source=udp.netbios-ns,udp.dest=udp.netbios-ns
accept udp 30 udp.dest=udp.netbios-ns
accept udp 30 udp.source=udp.netbios-ns
# keep routed and gated transfers from holding the link up
ignore udp tcp.dest=udp.route
ignore udp tcp.source=udp.route
# Anything else gets 2 minutes.
accept udp 120 any
# Catch any packets that we didn't catch above and give the connection
# 100 seconds of live time.
accept any 100 any
/etc/ppp/diald.connect
----------------------
/usr/sbin/chat -v \
TIMEOUT 3 \
ABORT '\nBUSY\r' \
ABORT '\nNO ANSWER\r' \
ABORT '\nRINGING\r\n\r\nRINGING\r' \
'' \rAT \
'OK-+++\c-OK' ATH0 \
TIMEOUT 30 \
OK 'AT&O95' \
OK 'AT&O0' \
OK 'AT&K3' \
OK ATD$TELEPHONE \
'CARRIER 64000' '' \
'PROTOCOL' '' \
'COMPRESSION' '' \
'CONNECT 64000' ''
Masquerading rules
------------------
ipfwadm -F -f
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "3" > /proc/sys/net/ipv4/ip_dynaddr
ipfwadm -F -p deny
for adr in 192.168.1.1 192.168.1.10 192.168.1.20
do
    ipfwadm -F -a masquerade -W sl0 -P tcp -S $adr/32 -D 0.0.0.0/0
    ipfwadm -F -a masquerade -W ppp0 -P tcp -S $adr/32 -D 0.0.0.0/0
    ipfwadm -F -a masquerade -W sl0 -P udp -S $adr/32 -D 0.0.0.0/0
    ipfwadm -F -a masquerade -W ppp0 -P udp -S $adr/32 -D 0.0.0.0/0
done
--
Gilles POLART-DONAT
Tel : 06 85 83 60 02
Fax : 01 69 35 50 51
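The second problem above (private addresses showing up in tcpdump on ppp0) can be checked mechanically. The Python script below is an added example, not part of the original post or of diald: it scans tcpdump-style output (constructed sample lines, with documentation-range public addresses standing in for the provider's) and reports every packet on the external interface that still carries an RFC 1918 address, which is exactly what masquerading is supposed to prevent.

```python
import ipaddress
import re

# Constructed sample of a tcpdump capture on the dial-up interface, in the
# classic "src.port > dst.port: ..." format; written for this example only.
# 198.51.100.x / 203.0.113.x are documentation ranges standing in for public hosts.
SAMPLE_CAPTURE = """\
10:01:02.123456 198.51.100.7.1034 > 203.0.113.50.110: S 100:100(0) win 8192
10:01:02.345678 203.0.113.50.110 > 198.51.100.7.1034: S 200:200(0) ack 101 win 8760
10:01:05.000001 192.168.1.10.1035 > 203.0.113.20.80: S 300:300(0) win 8192
10:01:06.500000 192.168.254.1.1036 > 203.0.113.50.53: udp 32
10:01:07.000000 192.168.1.1 > 203.0.113.20: icmp: echo request
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Old tcpdump glues the port onto the address with a dot: four octets,
# optionally followed by a fifth dotted field that is the port.
_ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?$")

def is_private(addr):
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def split_endpoint(token):
    """Split 'a.b.c.d.port' (or bare 'a.b.c.d', maybe with trailing ':')."""
    m = _ENDPOINT.match(token.rstrip(":"))
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def find_leaks(capture):
    """Return (role, address, line) for every private address seen on the link.

    On the outside of a masquerading gateway every packet should carry the
    gateway's public address; a private one got past the masquerade rules.
    """
    leaks = []
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != ">":
            continue
        src, _ = split_endpoint(fields[1])
        dst, _ = split_endpoint(fields[3])
        for role, addr in (("src", src), ("dst", dst)):
            if addr is not None and is_private(addr):
                leaks.append((role, addr, line))
    return leaks

if __name__ == "__main__":
    for role, addr, line in find_leaks(SAMPLE_CAPTURE):
        print(f"unmasqueraded {role} {addr}: {line}")
```

Feed it real output with `tcpdump -n -i ppp0 | python3 leakcheck.py` style piping (assumed script name) after replacing SAMPLE_CAPTURE with stdin; any hit identifies a host or protocol the ipfwadm masquerade rules do not cover.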