Script not always called?

The_Great_Sephiroth · Posted: Mon Aug 17, 2015 2:23 am Post subject: Script not always called?

I have a script in /etc/ppp/ip-up.d and another in /etc/ppp/ip-down.d to modify iptables rules for VPN connections. Below are the scripts.

This script sets up the firewall rule when a VPN connection is formed.

Hu · Moderator Joined: 06 Mar 2007 Posts: 21633

What happens if you run it by hand with the correct arguments? Why are you adding and removing the rules at all? Is the interface name unpredictable?

The_Great_Sephiroth · Posted: Tue Aug 18, 2015 2:35 pm Post subject:

It works flawlessly if I run it manually. The script to add the rules ALWAYS works. The reason that I do this is to allow ALL traffic on a PPP interface. I only use PPP for VPN connections to my office or a client location, so I am on a secure network. In other words, when a PPP connection comes up, I do not want it filtered by iptables. When it goes down I need to remove the rules. The interfaces show up as ppp<x> for my VPN connections.
_________________
Ever picture systemd as what runs "The Borg"?

Hu · Moderator Joined: 06 Mar 2007 Posts: 21633

I understand that you need special rules for PPP traffic. I do not understand why you cannot leave those rules loaded indefinitely, and let them be ignored when there is no PPP interface. If your VPN links are always named pppN, you can use the wildcard interface name ppp+ in iptables to match all VPN links.

The_Great_Sephiroth · Posted: Wed Aug 19, 2015 1:58 pm Post subject:

I have had issues in the past where setting a rule for a non-existent interface would throw/log a warning or even not work. This may not be the case now, but here is another reason to solve this: It is not working. Something is broken and I am not sure what it is. All of the scripts in ip-up.d get called, so why do the ones in ip-down.d only get called when the system feels like it? This is an issue. While I may have a workaround now, others may need this functionality.
_________________
Ever picture systemd as what runs "The Borg"?

steveL · Posted: Wed Aug 19, 2015 4:33 pm Post subject:

Are you sure your script is marked executable?

We can get to the scripting part after you've got it reliably invoked.

The_Great_Sephiroth · Posted: Thu Aug 20, 2015 1:08 pm Post subject:

The script is marked 755, executable. Note that the script logs everything, so I only have to grep for the phrase "VPN DEBUG". It simply does not appear to always get called. I did take Hu's advice and modified my firewall as follows.

The_Great_Sephiroth · Posted: Tue Aug 25, 2015 1:04 pm Post subject:

So nobody can explain why the script(s) in /etc/ppp/ip-down.d/ are not being called every time a PPP device is removed?
_________________
Ever picture systemd as what runs "The Borg"?

mv · Watchman Joined: 20 Apr 2005 Posts: 6747

The calling of the scripts is not directly related to the interface going up or down.
The scripts are actually called by pppd. So, for instance, if pppd dies unexpectedly or is killed, the scripts are not called. Similarly, if something else than pppd brings up or down the interface.

The_Great_Sephiroth · Posted: Wed Aug 26, 2015 7:34 pm Post subject:

That explains it. Some clients use Watchguard routers which do PPTP VPN. For some reason a few of these will cause pppd to just disappear (terminate?) the first time you try connecting. Trying a second time and every time afterwards works. Thanks for the info!
_________________
Ever picture systemd as what runs "The Borg"?