I've used Slackware's ppp setup for a long time and it works fine for my network.
There are two scripts, ppp-go and ppp-off to bring up/down a ppp link. When I connect
to the Net, I run an iptables firewall script, fetchmail and maildirsmtp from ip-up.
My network consists of a firewall/gateway and two client machines.
I recently tried using gnome-ppp to dial up, run from the gateway PC, but have had
mixed results. Although I can get connected using it and all my ip-up scripts still
run, I can't access the same range of websites. If I try to access Google,
everything's fine. BBC News or CNN don't want to know. However, I can still access
those sites from the gateway machine, so I think just the clients are affected. So,
maybe my firewall is missing something.
Though I'm confused as to why my non-gnome-ppp setup works fine. I've included here
my gnome-ppp configuration, an extract of my firewall script with hopefully the
relevant stuff, and a tcpdump of what happens when I try to connect to an unresponsive
site. I'm guessing it's something to do with ICMP traffic and/or MTU/MRU size, but I'm
not sure.
See attachment for the firewall script, gnome-ppp config, etc. Any ideas
gratefully appreciated.
tcpdump -i ppp0 -l | grep -v ssh
(64.236.24.12 is the remote site, 80.1.1.118 is my ISP-assigned IP,
192.168.0.3 is the client machine)
--
22:51:36.053432 64.236.24.12 > 192.168.0.3: icmp: ip reassembly time exceeded [tos 0xc0]
22:51:39.033439 64.236.24.12 > 80.1.1.118: icmp: ip reassembly time exceeded [tos 0xc0]
22:51:39.043426 64.236.24.12.http > 80.1.1.118.32771: F 2242852752:2242852752(0) ack 2214421282 win 5840
22:51:42.013411 64.236.24.12.http > 80.1.1.118.32771: F 0:0(0) ack 1 win 5840
...
...
22:52:24.558725 80.1.1.118.32772 > 64.236.24.12.http: S 2303892855:2
win 5840 mss 1460,sackOK,timestamp 130895 0,nop,wscale 0
22:52:24.813426 64.236.24.12.http > 80.1.1.118.32772: S 2313633545:2
ack 2303892856 win 5840 mss 1460
22:52:24.814204 80.1.1.118.32772 > 64.236.24.12.http: . ack 1 win 58
22:52:24.815231 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) a
0 (frag 6825:272@0+)
22:52:24.815351 80.1.1.118 > 64.236.24.12: (frag 6825:260@272)
22:52:24.815636 80.1.1.118.32772 > 64.236.24.12.http: P 513:527(14)
40
22:52:25.163422 64.236.24.12.http > 80.1.1.118.32772: . ack 1 win 58
22:52:27.808954 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) a
0 (frag 6827:272@0+)
22:52:27.809153 80.1.1.118 > 64.236.24.12: (frag 6827:260@272)
gnome-ppp configuration
---
ISP - virgin
Modem device - ttyS1
Connection speed - 115200
Modem init - ATFM0W2
Authentication - CHAP
Local IP address, Netmask, Remote IP - dynamic
DNS Server - 192.168.0.1
Search domain - koby.freeuk.com (my internal domain)
Script - left blank
Add Default Route - yes
Lock Dialout Device - yes
MTU - 296
MRU - 296
Run Program After Connect/Disconnect - blank
rc.firewall - run once link is up
-
IPTABLES=/usr/sbin/iptables   # not in the posted extract; path assumed
LOOPBACK=lo                   # not in the posted extract; assumed
IPADDR=                       # local address of ppp0 interface, assigned by ISP
LOCAL_IP=192.168.0.1          # gateway's eth0 address; not in the extract, assumed from the DNS entry above
LOCALNET=192.168.0.0/24
INTERNAL_INTERFACE=eth0
EXTERNAL_INTERFACE=ppp0
# Enable rp_filter
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$i"
    done
fi
# Ignore any broadcast icmp echo requests
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush all chains, delete user-defined chains, default to DROP
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Unlimited loopback access
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK -j ACCEPT
# Local network access
$IPTABLES -A INPUT -i $INTERNAL_INTERFACE -p all -s $LOCALNET \
    -d $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -o $INTERNAL_INTERFACE -p all -s $LOCAL_IP \
    -d $LOCALNET -j ACCEPT
# Outgoing (established)
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -m state \
    --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNAL_INTERFACE -m state \
    --state RELATED,ESTABLISHED -j ACCEPT
# Incoming (established)
# ACCEPT packets which are related to an established connection.
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -m state --state \
    RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -m state --state \
    RELATED,ESTABLISHED -j ACCEPT
# Flush the NAT table
$IPTABLES -F -t nat
# Source NAT -- (SNAT/Masquerading)
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $LOCALNET \
    -j MASQUERADE
# ICMP
# Echo Reply (pong) 0
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Destination Unreachable 3
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
    -j ACCEPT
# Echo Request (ping) 8
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j
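As an added diagnostic (not part of the original post, Slackware's ppp scripts or gnome-ppp), the following Python script parses old-style tcpdump lines like the ones above and correlates each fragmented datagram leaving ppp0 with the "ip reassembly time exceeded" ICMPs coming back from the remote site. It reports whether every fragment of a datagram was actually seen on the interface, which separates "the gateway never sent the second fragment" from "the second fragment was lost somewhere on the path". The sample lines are constructed from the capture in the post with the arrows restored; the function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump lines in the post (arrows restored,
# wrapped lines rejoined); it is not the original capture.
SAMPLE = """\
22:51:36.053432 64.236.24.12 > 192.168.0.3: icmp: ip reassembly time exceeded [tos 0xc0]
22:52:24.815231 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) ack 1 win 5840 (frag 6825:272@0+)
22:52:24.815351 80.1.1.118 > 64.236.24.12: (frag 6825:260@272)
22:52:27.808954 80.1.1.118.32772 > 64.236.24.12.http: . 1:253(252) ack 1 win 5840 (frag 6827:272@0+)
22:52:27.809153 80.1.1.118 > 64.236.24.12: (frag 6827:260@272)
"""

HDR_RE = re.compile(r"^\S+ (\S+) > ([^:]+):")             # "time src > dst:"
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")  # "(frag id:len@offset[+])"

def host_of(endpoint):
    # Strip a trailing port/service name from "a.b.c.d.port" (IPv4 only).
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) > 4 else endpoint

def analyze(text):
    # frags: (src, dst, ip_id) -> {byte offset: (length, more_fragments_flag)}
    # timeouts: (reporter, victim) -> number of "ip reassembly time exceeded" ICMPs
    frags, timeouts = defaultdict(dict), defaultdict(int)
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        src, dst = host_of(m.group(1)), host_of(m.group(2))
        if "ip reassembly time exceeded" in line:
            timeouts[(src, dst)] += 1
        f = FRAG_RE.search(line)
        if f:
            ip_id, length, offset = (int(f.group(i)) for i in (1, 2, 3))
            frags[(src, dst, ip_id)][offset] = (length, f.group(4) == "+")
    report = defaultdict(list)
    for (src, dst, ip_id), parts in frags.items():
        # The datagram left the interface whole only if its fragments are contiguous
        # from offset 0 and the last one seen has the more-fragments flag clear.
        expected, contiguous = 0, True
        for offset in sorted(parts):
            contiguous = contiguous and offset == expected
            expected = offset + parts[offset][0]
        complete = contiguous and not parts[max(parts)][1]
        report[(src, dst)].append({"id": ip_id, "complete": complete, "bytes": expected})
    return dict(report), dict(timeouts)
```

Feed it `tcpdump -i ppp0 -l -n` output instead of SAMPLE; datagrams reported complete here but still answered with reassembly timeouts were dropped beyond the gateway, while incomplete ones point at the gateway or its firewall.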