allnameswereout
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#82
Originally Posted by cpitchford
I must admit, there were two minor API changes in the module.. however.. and this is a big difference:

eth0 1.2.3.4
ppp0 192.168.1.1 <-> 192.168.1.254

If the MMSC IP address is 1.2.3.4 you cannot (AFAIK) use iproute2 to instruct the system to route via 192.168.1.254, as it is treated locally. With the ipt_ROUTE module, you can.
I've done a lot of reading and testing and have come to the conclusion that you're right. This means the removal of ipt_ROUTE was wrong.

I also found another alternative: RAW?NAT (xt_RAWDNAT & xt_RAWSNAT). It is also ugly, though. Here is an example:

Code:
$ host -t a talk.maemo.org
talk.maemo.org is an alias for forums.internettablettalk.com.
forums.internettablettalk.com has address 74.86.202.247

$ ip route get 74.86.202.247
74.86.202.247 via 192.168.178.1 dev wlan3  src 192.168.178.33 
    cache  mtu 1500 advmss 1460 hoplimit 64
$ sudo ping -c 3 74.86.202.247
PING 74.86.202.247 (74.86.202.247) 56(84) bytes of data.
64 bytes from 74.86.202.247: icmp_seq=1 ttl=53 time=141 ms
64 bytes from 74.86.202.247: icmp_seq=2 ttl=53 time=138 ms
64 bytes from 74.86.202.247: icmp_seq=3 ttl=53 time=134 ms

$ sudo ifconfig wlan3:0 74.86.202.247 netmask 255.255.255.255
$ ip route get 74.86.202.247
local 74.86.202.247 dev lo  src 74.86.202.247 
    cache <local>  mtu 16436 advmss 16396 hoplimit 64
$ sudo ping -c 3 74.86.202.247
PING 74.86.202.247 (74.86.202.247) 56(84) bytes of data.
64 bytes from 74.86.202.247: icmp_seq=1 ttl=64 time=0.093 ms
64 bytes from 74.86.202.247: icmp_seq=2 ttl=64 time=0.073 ms
64 bytes from 74.86.202.247: icmp_seq=3 ttl=64 time=0.073 ms

$ ip addr ls ppp0
7: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet 10.67.147.187 peer 10.6.6.6/32 scope global ppp0
$ sudo route add -host 10.67.147.188 gw 10.6.6.6
$ ip route ls dev ppp0
10.67.147.188 via 10.6.6.6 
10.6.6.6  proto kernel  scope link  src 10.67.147.187

$ sudo iptables -F -t raw ; sudo iptables -F -t rawpost ; sudo iptables -F -t nat ; sudo iptables -F -t mangle ; sudo iptables -F
$ sudo iptables -t raw -A PREROUTING -i ppp0 -s 74.86.202.247 -j RAWSNAT --to-source 10.67.147.188
$ sudo iptables -t raw -A OUTPUT -d 10.67.147.188 -j RAWDNAT --to-destination 74.86.202.247

$ ip route get 74.86.202.247
local 74.86.202.247 dev lo  src 74.86.202.247 
    cache <local>  mtu 16436 advmss 16396 hoplimit 64
$ sudo ping -c 3 74.86.202.247
PING 74.86.202.247 (74.86.202.247) 56(84) bytes of data.
64 bytes from 74.86.202.247: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 74.86.202.247: icmp_seq=2 ttl=64 time=0.070 ms
64 bytes from 74.86.202.247: icmp_seq=3 ttl=64 time=0.077 ms

$ ip route get 10.67.147.188
10.67.147.188 via 10.6.6.6 dev ppp0  src 10.67.147.187 
    cache  mtu 1500 advmss 1460 hoplimit 64
$ sudo ping -c 3 10.67.147.188
PING 10.67.147.188 (10.67.147.188) 56(84) bytes of data.
64 bytes from 10.67.147.188: icmp_seq=1 ttl=42 time=403 ms
64 bytes from 10.67.147.188: icmp_seq=2 ttl=42 time=452 ms
64 bytes from 10.67.147.188: icmp_seq=3 ttl=42 time=431 ms

$ sudo -s
# echo 10.67.147.188 talk.maemo.org >> /etc/hosts
# exit
$ grep hosts /etc/nsswitch.conf 
hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
$ lynx -source talk.maemo.org | grep "meta name"
<meta name="generator" content="vBulletin 3.8.2" />
<meta name="keywords" content="internet tablet, nokia 770, nokia, 770, n800, n810, n900, maemo, maemo.org, linux, wifi, bluetooth" />
<meta name="description" content="talk.maemo.org" />
Using -t rawpost and -A POSTROUTING instead of -t raw -A OUTPUT did not make any difference for me.

This works even if you use your ppp0 IPv4 endpoint (but it will not work if the IPv4 address already exists locally. Then you must use ip to add the route, because route will give the error SIOCADDRT: No such process; maybe this can be overridden. If the IPv4 address is added locally afterwards it won't matter.).

The only conflict is when ppp0's local IPv4 conflicts with something. If this is something local it won't matter. If it's something remote it won't matter either (for us, that is), except that it won't be reachable anymore. We could apply the same trick above (or -j ROUTE) as a fix, but then on ppp0 and with an ISNOT (!) statement on -m owner.

You provided an example (about the tunnel endpoint), but the tunnel endpoint is never reachable on PPP; you cannot ping it or access it.

You also forgot to specify -A, and you put a space between -- and gw. Hence, what you intended to state was:

iptables -t mangle -A OUTPUT \
-m owner ! --uid-owner mms-service \
-j ROUTE --gw $my_default_gw --oif $my_internet_if
However, you don't know for sure that the intended gw is the default gw. Given that ppp0 and ppp1 are from the same provider, it's more likely to conflict with wlan0, which may or may not be connected to the Internet.

I don't think this rule would match, though. Remember PPP is a tunnel between 2 addresses. Example:

$ ip route ls dev ppp0
10.6.6.6 proto kernel scope link src 10.66.15.69
If the source is not ppp_local_IPv4 then it won't fly over ppp0, and given that only the owner of the MMS service will be routed and _nothing_ else, it will work.

All that said, I don't see any advantage of the -j RAW?NAT solution over -j ROUTE, except that RAW?NAT is not experimental and is part of xtables.

Personally, I prefer your solution, and I'm sad -j ROUTE is deprecated because it's clear it has its use.

[...]

Doing it through userspace as you mentioned could be a viable alternative.. netfilter lets you attack a packet *almost* prior to routing, which means you can hit things that would resolve locally without serious routing.. iproute2 is pretty focused on the routing layer..
xtables are target extensions.

I'm doing the exact opposite of what you do: hitting after routing (output), and before routing (input).

BTW,

iptables -t nat -A POSTROUTING -d $remote_mmsc \
-m owner --uid-owner mms-service \
-j SNAT --to-source $my_local_mms_ip
Although the PPP script knows $my_local_mms_ip, --to-source would be dynamic; hence one should use -j MASQUERADE, so it'd become:

iptables -t nat -A POSTROUTING -d $remote_mmsc \
-m owner --uid-owner mms-service \
-j MASQUERADE
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
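The RAWSNAT/RAWDNAT detour from the post above, wrapped into a small script with the pre-flight checks a practitioner would want before touching a live box. This is an added example, not code from the original post or from xtables-addons. It assumes hypothetical placeholder names: TARGET is the real address that the kernel treats as local (74.86.202.247 in the post), ALIAS is a spare address inside the ppp0 range that nothing else uses (10.67.147.188 in the post), PPP_IF and PPP_PEER are the PPP interface and its peer, and the xt_RAWSNAT/xt_RAWDNAT targets from xtables-addons are loaded. The rule placement (raw PREROUTING for RAWSNAT, raw OUTPUT for RAWDNAT) is copied from the post; check which tables your xtables-addons release accepts for each target. The host route is added with ip rather than route(8), which the post notes fails with SIOCADDRT: No such process when the address already exists locally.

```shell
#!/bin/sh
# Added example (not from the original post): the RAWSNAT/RAWDNAT detour as
# reusable functions. TARGET, ALIAS, PPP_IF, PPP_PEER are hypothetical
# placeholders; xt_RAWSNAT/xt_RAWDNAT (xtables-addons) are assumed loaded.
set -u

# route_is_local LINE: true if the first line of `ip route get ADDR` starts
# with "local", i.e. the kernel would deliver ADDR to lo instead of routing it.
route_is_local() {
    case "$1" in
        local\ *) return 0 ;;
        *)        return 1 ;;
    esac
}

# route_via_iface LINE IFACE: true if the route line carries "dev IFACE".
route_via_iface() {
    case " $1 " in
        *" dev $2 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# preflight TARGET_LINE ALIAS_LINE: decide whether the detour is needed and safe.
#   0  target is local and the alias is free: detour needed
#   1  target is not local; a plain route would do
#   2  the alias is itself a local address; pick another one
preflight() {
    route_is_local "$1" || return 1
    route_is_local "$2" && return 2
    return 0
}

# run CMD...: echo the command, then execute it unless DRY_RUN=1.
run() {
    echo "+ $*" >&2
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# apply_detour TARGET ALIAS PPP_IF PPP_PEER: host route via ip (route(8) fails
# with SIOCADDRT when the address is local), then the two raw-table rules.
apply_detour() {
    preflight "$(ip route get "$1" 2>/dev/null | head -n 1)" \
              "$(ip route get "$2" 2>/dev/null | head -n 1)" || return $?
    run ip route add "$2" via "$4" dev "$3" || return 3
    # Replies from the real target come back with their source rewritten to the alias.
    run iptables -t raw -A PREROUTING -i "$3" -s "$1" -j RAWSNAT --to-source "$2" || return 3
    # Locally generated packets to the alias get their destination rewritten to the real target.
    run iptables -t raw -A OUTPUT -d "$2" -j RAWDNAT --to-destination "$1" || return 3
}

# remove_detour TARGET ALIAS PPP_IF PPP_PEER: undo in reverse order.
remove_detour() {
    run iptables -t raw -D OUTPUT -d "$2" -j RAWDNAT --to-destination "$1"
    run iptables -t raw -D PREROUTING -i "$3" -s "$1" -j RAWSNAT --to-source "$2"
    run ip route del "$2" via "$4" dev "$3"
}

# verify_detour TARGET ALIAS PPP_IF PPP_PEER: the alias must leave via the PPP
# interface, and a ping to it should be answered (the post saw ttl=42, not 64,
# which is how you tell the echo reply really came from the remote host).
verify_detour() {
    route_via_iface "$(ip route get "$2" 2>/dev/null | head -n 1)" "$3" || return 1
    ping -c 1 "$2" >/dev/null
}

# Usage: ./detour.sh apply|remove|verify TARGET ALIAS PPP_IF PPP_PEER
case "${1:-}" in
    apply)  shift; apply_detour  "$@" ;;
    remove) shift; remove_detour "$@" ;;
    verify) shift; verify_detour "$@" ;;
esac
```

Run it with DRY_RUN=1 first to see the exact commands it would issue; the preflight refuses to proceed when the target is not actually local (return 1), since in that case the detour is pointless, and when the chosen alias collides with a local address (return 2), which is the one conflict the post identifies.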
 
