
IP forwarding problems?

Mar 8, 2001
Hi,

I have a RH7 Linux box with two NICs that I eventually would like to use as a firewall. For the present however, I'm just trying to get an inside network (at this point only one workstation) talking through the Linux box to the outside world. This is my first attempt at anything of this nature, so the process and learning curve have been excruciatingly slow. I have both NICs (eth0, eth1) installed and configured, and can ping the IPs associated with each from the outside world. eth0 goes to the outside, eth1 serves the inside. For testing purposes I added a host route pointing to eth0. This inside network host can ping the Linux box (and vice-versa), but it cannot ping anything beyond the Linux box. And, of course, outside going in, any host on the outside network can ping the Linux box (and vice-versa), but cannot ping beyond the Linux box to the one host on the inside network.

I'm very new at this, but it seems to me that the two NICs aren't communicating with one another, or simply aren't passing packets to each other. I've been reading on IP forwarding, and so did the following:

echo 1 > /proc/sys/net/ipv4/ip_forward

If I cat the file I do get a "1".

Also, I edited /etc/sysctl.conf as follows:

net.ipv4.ip_forward = 1

I then ran /sbin/service network restart , which gave me the following output:

Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Disabling IPv4 packet forwarding: [ OK ]
Setting network parameters: [ OK ]
Bringing up interface lo: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: [ OK ]

For some reason, the IPv4 forwarding is being disabled. Don't know why this is occurring. Does anyone have any suggestions? Am I on the right/wrong track?

Thank you,

Mark


 
Okay. I'll read up on ipchains and masquerading. Will this also solve the problem of:

Disabling IPv4 packet forwarding: [ OK ]

which I get when I restart network services?

Thank you,

Mark
 
When you bring down the network, it disables ip forwarding. But when you bring it back up it runs sysctl (that's when it displays Setting network parameters). This should re-enable ip forwarding.

Try restarting the network, then cat
/proc/sys/net/ipv4/ip_forward. It should be '1'.
 
Ah. I see now. The "Disabling IPv4 packet forwarding" was simply part of network shutdown. Yes, if I cat ip_forward I do get a "1". So now it's on to ipchains and masq. Cross my fingers.

Thank you,

Mark
 
You might want to get a little help with the forwarding by using a firewall package such as pmfirewall. It's free and steps you through the entire process of building a firewall including ipforwarding. The files can be modified manually at anytime, or you can run through the installation process once more. The advantage is that you can learn more by example than trying to struggle through sometimes. Good luck!
 
miller, those lines you were asking about yesterday were part of the kernel configuration, which uses /usr/src/linux/.config to store its configuration for the build.

If you're using a kernel that came with your distro, they generally have the settings you will need already built in.
 
GoldEter, Timsr, et al.

This routing task has not been easy. Your help is most welcome and appreciated. I still cannot get any packets to forward between my two NICs. For some background:

Running RH7

# uname -r
2.2.16-22

# ipchains --version
ipchains 1.3.9, 17-Mar-1999

# cat /etc/sysconfig/network
FORWARD_IPV4=yes

also
# cat /etc/sysctl.conf
net.ipv4.ip_forward = 1

Regarding ipchains, my policies for input, forward, output are all ACCEPT. I know this is very wide open and permissive, but right now I'm just trying to make it as easy as possible to get the two NICs to talk to one another.

eth0 leads to the Internet.

eth1 leads to a test internal network, right now consisting of only one machine.

I do not need MASQ, as we have our own Class C. The Linux box will act mainly as a router but later as a firewall, too. Right now, I'm just trying to get the routing to work.

So,

# ipchains -F
# ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):

Then, I did (of course, 11.22.33.44 not the real IP):

# ipchains -A input -i eth1 -s 11.22.33.44 -j ACCEPT
# ipchains -A forward -i eth0 -s 11.22.33.44 -j ACCEPT
# ipchains -A output -i eth0 -s 11.22.33.44 -j ACCEPT

# ipchains -A input -i eth0 -s 0/0 -d 11.22.33.44 -j ACCEPT
# ipchains -A forward -i eth1 -s 0/0 -d 11.22.33.44 -j ACCEPT
# ipchains -A output -i eth1 -s 0/0 -d 11.22.33.44 -j ACCEPT

To save more verbiage, if I do ipchains -L, standard output shows the previous commands took.

I still cannot ping past my Linux box. The box can ping the internal machine and an outside network, but inside cannot ping outside, and vice-versa.

Am I missing some important step here? I have pored over Rusty Russell's IPCHAINS-HOWTO, but I am at a loss. BTW, ifconfig -a shows both interfaces up and running, each with their own unique IP addr and IRQ.

Thank you,

Mark
 
I would suggest that you download pmfirewall from PointMan's web site... this tar.gz requires you have IPCHAINS already installed, which I see you do.. from then on, just unpack the pmfirewall tar.gz... you can then run the install script using the command:

sh install.sh

This will take you through a series of prompts, confirming IPCHAINS exists, and its location, and then configure ports to open for servers.. e.g. FTP, DNS, HTTP.. etc... from there on it will come to the most important part... it will ask you whether this machine will act as a masquerading box.... confirm yes... and remember to ask the system to detect both your IP addresses..... you can then reboot after that....

The configuration file where you can make any changes to pmfirewall is in /usr/local/pmfirewall/pmfirewall.rules.local

Remember to follow the format there, making changes as necessary.. and then restart pmfirewall using the command...

/etc/rc.d/pmfirewall restart

You should be up and running from thereon..

AKNIT
 
When I set up my Red Hat 7 box I could not ping through it either, but apparently RH7's kernel doesn't allow you to ping through for some weird reason, but when I tried to access the network with for example Netscape it worked just fine. So give it a try, your routing might already work and you don't even know about it, that's what happened to me at least, spent three days trying to ping through it but it never worked.
 
Check /proc/sys/net/ipv4/icmp_echo_ignore_all = 0
Check that the other ICMP settings are correct.

for temp purposes you could try:

ipchains -A forward -i eth1 -s 0/0 -d 0/0 -j ACCEPT
ipchains -A forward -i eth0 -s 0/0 -d 0/0 -j ACCEPT

remember routing is between networks, not between hosts,
so your rules are suspect.
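A ruleset along the lines the reply above suggests (forward rules written for the networks, not for a single host), but tightened from the all-ACCEPT policies used in the thread to default DENY with explicit accepts and anti-spoofing. This is an added example, not code from the thread or from any of its posters; the interface names eth0/eth1, the routed internal network 192.0.2.0/24 (a documentation range standing in for the real Class C) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: ipchains ruleset for a two-NIC box that routes a real subnet
# (no masquerading).  Assumed: eth0 = outside, eth1 = inside, 192.0.2.0/24 =
# the routed internal network.  Set DRY_RUN=1 to print the rules instead of
# loading them, which is also how the example runs on a box without ipchains.

# Wrapper around the ipchains binary so the script can be dry-run.
ipc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'ipchains %s\n' "$*"
    else
        /sbin/ipchains "$@"
    fi
}

# build_ruleset EXT_IF INT_IF INT_NET
build_ruleset() {
    ext_if=$1
    int_if=$2
    int_net=$3

    # Clean slate and restrictive policies: traffic crossing the box is now
    # only what the forward chain explicitly accepts.
    ipc -F
    ipc -P input DENY
    ipc -P forward DENY
    ipc -P output ACCEPT

    ipc -A input -i lo -j ACCEPT

    # Anti-spoofing on arrival: our own subnet never arrives from outside,
    # and nothing but our own subnet arrives from inside.  -l logs the hit.
    ipc -A input -i "$ext_if" -s "$int_net" -j DENY -l
    ipc -A input -i "$int_if" -s '!' "$int_net" -j DENY -l

    # Inside hosts are accepted on arrival; where they may go is decided
    # in the forward chain below.
    ipc -A input -i "$int_if" -s "$int_net" -j ACCEPT

    # Outside interface: replies only.  ipchains is stateless, so "reply"
    # is approximated as TCP without the SYN-only pattern (! -y), UDP from
    # port 53 (DNS answers) and ICMP, for the inside hosts and the box itself.
    ipc -A input -i "$ext_if" -p tcp '!' -y -d "$int_net" -j ACCEPT
    ipc -A input -i "$ext_if" -p udp -s 0/0 53 -d "$int_net" -j ACCEPT
    ipc -A input -i "$ext_if" -p icmp -d "$int_net" -j ACCEPT
    ipc -A input -i "$ext_if" -p tcp '!' -y -j ACCEPT
    ipc -A input -i "$ext_if" -p udp -s 0/0 53 -j ACCEPT
    ipc -A input -i "$ext_if" -p icmp -j ACCEPT

    # Forward chain.  ipchains quirk: here -i is the interface the packet
    # will LEAVE on, not the one it arrived on.
    ipc -A forward -i "$ext_if" -s "$int_net" -j ACCEPT                   # inside -> world
    ipc -A forward -i "$int_if" -p tcp '!' -y -d "$int_net" -j ACCEPT     # TCP replies back in
    ipc -A forward -i "$int_if" -p udp -s 0/0 53 -d "$int_net" -j ACCEPT  # DNS answers back in
    ipc -A forward -i "$int_if" -p icmp -d "$int_net" -j ACCEPT           # ping replies, unreachables
    # Everything else that tries to cross the box hits the policy; log it so
    # a missing rule shows up in the kernel log while you are testing.
    ipc -A forward -j DENY -l
}

if [ "${1:-}" = apply ]; then
    build_ruleset eth0 eth1 192.0.2.0/24
else
    DRY_RUN=1 build_ruleset eth0 eth1 192.0.2.0/24   # print only
fi
```

Run it with no arguments to see the rules, and as root with `apply` to load them. Because ipchains keeps no connection state, the `! -y` rules also admit unsolicited non-SYN TCP segments (ACK scans) to the inside hosts, and nothing here opens inbound services to the box or to the inside; both are deliberate starting points to extend, not finished policy.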
 
Please check the /etc/sysconfig/network file and ensure it has the following line:

FORWARD_IPV4=yes

This should fix the problem with the "Disabling IPv4 packet forwarding" message.
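The checks the two replies above describe (the runtime flag that sysctl re-enables when the network comes back up, and the persistent settings in /etc/sysctl.conf and /etc/sysconfig/network), as an added example that is not part of the thread. The file paths are parameters so the script can be exercised against constructed sample files; on a real RH7 box you would pass /proc/sys/net/ipv4/ip_forward, /etc/sysctl.conf and /etc/sysconfig/network.

```shell
#!/bin/sh
# Added example: report whether IPv4 forwarding is on now and whether it will
# survive a network restart.  All three paths are arguments; the sample files
# at the bottom are constructed for the demo and are not from any real host.

# sysctl_conf_value FILE KEY -> last value assigned to KEY in a sysctl.conf
# style file (comments and surrounding whitespace ignored); empty if absent.
sysctl_conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# sysconfig_value FILE KEY -> value of a KEY=value line, quotes stripped.
sysconfig_value() {
    sed -n "s/^[[:space:]]*${2}=\(.*\)/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# check_forwarding PROC_FILE SYSCTL_CONF SYSCONFIG_NETWORK
# Prints one PASS/FAIL line per source; returns 1 if any check fails.
check_forwarding() {
    proc=$1
    conf=$2
    sysconfig=$3
    rc=0

    runtime=$(cat "$proc" 2>/dev/null || echo missing)
    if [ "$runtime" = 1 ]; then
        echo "PASS runtime: $proc is 1"
    else
        echo "FAIL runtime: $proc is '$runtime' (echo 1 > $proc to enable now)"
        rc=1
    fi

    persist=$(sysctl_conf_value "$conf" net.ipv4.ip_forward)
    if [ "$persist" = 1 ]; then
        echo "PASS persistent: $conf sets net.ipv4.ip_forward = 1"
    else
        echo "FAIL persistent: $conf has net.ipv4.ip_forward '${persist:-unset}'; lost on network restart"
        rc=1
    fi

    fwd=$(sysconfig_value "$sysconfig" FORWARD_IPV4)
    case "$fwd" in
        yes|true) echo "PASS sysconfig: FORWARD_IPV4=$fwd in $sysconfig" ;;
        *)        echo "FAIL sysconfig: FORWARD_IPV4 is '${fwd:-unset}' in $sysconfig"; rc=1 ;;
    esac
    return $rc
}

# Demo against constructed sample files that mimic a box where forwarding was
# switched on by hand but never made persistent.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/ip_forward"
printf '# Kernel sysctl configuration file\nnet.ipv4.ip_forward = 0\n' > "$demo_dir/sysctl.conf"
printf 'NETWORKING=yes\nHOSTNAME=fw.example.test\nFORWARD_IPV4=false\n' > "$demo_dir/network"
check_forwarding "$demo_dir/ip_forward" "$demo_dir/sysctl.conf" "$demo_dir/network" \
    || echo "forwarding will not survive 'service network restart'"
rm -rf "$demo_dir"
```

The runtime line answers "is it on right now"; the other two answer "will the 'Disabling IPv4 packet forwarding' step of a restart be undone by the 'Setting network parameters' step". A box that passes only the first check is the situation described earlier in the thread.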
 