Every time my home router (running Attitude Adjustment) gets a new IP address from its PPPoE connection, all existing NAT'ed TCP connections Is there some way to make it so that when the WAN gets a new IP address, all outstanding TCP connections that rely on the old IP address get an
Can you... by any chance... add something to the pppoe-up or equivalent script... so that the iptables connection-tracking table is 'flushed' when that has happened?

Then... you could change the iptables "FORWARD" rules (in the default filter table) so that:

* TCP connections in conntrack state ESTABLISHED,RELATED jump immediately to accept.
* Remaining TCP packets (i.e. NEW) are allowed if they are a "syn" (i.e. trying to open a new connection, basically) -- there is some option for that, SYN set and ACK unset or some such...
* Otherwise, "NEW", non-SYN TCP packets are then set on a policy of "REJECT --reject-with tcp-reset"...

This way, if you get it all right, as soon as any packet arrives that doesn't relate to a newly set-up connection (i.e. an old one with the wrong NAT mapping!!), it immediately is "reset" -- that won't be immediate, though; you can change the tcp_keepalive_time and the like on end hosts if it matters.

But you'd need to get familiar with iptables, and figure out how to 'flush/expire' the netfilter/iptables conntrack table in the kernel... Might just be do-able, though.

Good luck!

--Simon

_______________________________________________
openwrt-users mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
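The three FORWARD rules and the conntrack flush that Simon sketches, written out as an OpenWrt hotplug script. This is an added example, not code from the thread or from the OpenWrt project. Assumptions (all mine): the script lives under /etc/hotplug.d/iface/ (OpenWrt runs scripts there with ACTION and INTERFACE set), the WAN interface is named "wan", the conntrack-tools package supplies the `conntrack` binary, the private chain is called wan_reset, and, as one deliberate change from the reply, a fresh SYN is handed back (RETURN) to the rest of the FORWARD chain rather than accepted outright, so the router's existing forwarding policy still decides which new connections are allowed.

```shell
#!/bin/sh
# Added example (not from the original thread): OpenWrt hotplug handler for the
# "flush conntrack and reset stale NAT'ed TCP flows" idea.  Assumed install
# path: /etc/hotplug.d/iface/99-wan-reset.  Assumes conntrack-tools is
# installed and that routed traffic passes the filter table's FORWARD chain.

IPT=${IPT:-iptables}
CT=${CT:-conntrack}
CHAIN=${CHAIN:-wan_reset}   # private chain name, my choice

# With DRY_RUN=1 every command is printed instead of executed, so the rule set
# can be reviewed on a workstation before it touches the router.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: drop the whole conntrack table.  Entries mapping LAN hosts to the old
# public address are useless now; once they are gone their packets arrive as
# state NEW and fall into the reset rule below.  Note this also drops UDP and
# every other tracked flow, not only the ones that used the old address.
flush_conntrack() {
    run "$CT" -F
}

# Step 2: the three FORWARD rules, kept in a private chain so they can be
# rebuilt idempotently on every ifup.
install_forward_rules() {
    run "$IPT" -N "$CHAIN" 2>/dev/null || true
    run "$IPT" -F "$CHAIN"
    # (a) packets of flows conntrack already knows: accept at once.
    run "$IPT" -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # (b) a real connection attempt: --syn means SYN set with ACK, RST and FIN
    #     clear.  Hand it back to the normal FORWARD policy (RETURN), which
    #     decides whether that new connection is permitted.
    run "$IPT" -A "$CHAIN" -p tcp --syn -m conntrack --ctstate NEW -j RETURN
    # (c) NEW but not a SYN: a mid-stream segment of a connection the router no
    #     longer knows, i.e. one built on the old NAT mapping.  Answer with a
    #     RST so the end host closes its socket instead of waiting for a
    #     keepalive or retransmission timeout.
    run "$IPT" -A "$CHAIN" -p tcp ! --syn -m conntrack --ctstate NEW \
        -j REJECT --reject-with tcp-reset
    # Hook the chain in front of everything else in FORWARD, but only once.
    if [ "${DRY_RUN:-0}" = 1 ] || ! "$IPT" -C FORWARD -j "$CHAIN" 2>/dev/null; then
        run "$IPT" -I FORWARD 1 -j "$CHAIN"
    fi
}

# Hotplug entry point.  Rules go in first so that stale segments already hit
# the reset rule by the time the table is flushed; other events are ignored.
handle_hotplug() {
    if [ "$1" = ifup ] && [ "$2" = wan ]; then
        install_forward_rules
        flush_conntrack
    fi
    return 0
}

if [ -n "${ACTION:-}" ]; then
    handle_hotplug "$ACTION" "${INTERFACE:-}"
fi
```

A dry run on any machine, `DRY_RUN=1 ACTION=ifup INTERFACE=wan sh 99-wan-reset`, prints the exact iptables and conntrack commands without executing them; the flush is the blunt part of this, since `conntrack -F` throws away every tracked flow, so expect a short hiccup for UDP and for TCP sessions that did not depend on the old address as well.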
