ip forwarding and iptables

Andrew Benton b3nt at ukonline.co.uk
Mon May 15 15:34:28 PDT 2006

Angel Tsankov wrote:
> I have 2 PCs: one configured as gateway (PC1) and the other one (PC2) 
> configured to use PC1 as gateway. PC1 runs a LFS. It has ip forwarding 
> enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf).
> As far as I understand, I do not need to do anything else to make the 
> kernel route traffic to and from PC2, right?

No, you need to use iptables to handle NAT/masquerading

> However, if I have one PC more - PC3, and I do not want to route traffic 
> to and from it I need to configure the kernel, e.g. with
> the help of iptables. Now if I do so, i.e. use iptables to configure the 
> kernel, save the iptables configuration, set up the system
> to reload it at startup (using the init.d scripts), is there any moment 
> (during system startup) when ip forwarding has been enabled
> but the iptables configuration has not yet been loaded and traffic could 
> be routed to and from PC3?

No, without iptables nothing would be forwarded. If you're worried about 
it then don't do the
echo 1 > /proc/sys/net/ipv4/ip_forward
until after you've set your firewall rules.
Ask about iptables on BLFS Support. This complicated subject is beyond LFS.
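An added example of the startup ordering suggested in this reply (written for this page, not a script from the thread or from LFS/BLFS): the FORWARD chain is set to default-deny and PC2/PC3 rules are loaded before the ip_forward sysctl is flipped on. Interface names and the 192.168.1.x addresses are constructed assumptions; the rules are printed by fw_rules so the order can be inspected without root.

```shell
#!/bin/sh
# Bring up forwarding only after the firewall is in place.
set -eu

LAN_IF=eth1          # assumption: interface facing PC2 and PC3
WAN_IF=eth0          # assumption: interface facing the upstream network
PC2=192.168.1.2      # assumption: the host that may be forwarded
PC3=192.168.1.3      # assumption: the host that must not be forwarded

# Print the commands in the order they must run. Printing instead of
# executing lets the ordering be checked on any machine.
fw_rules() {
    # Default-deny forwarding first, so any gap is closed rather than open.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    # Explicitly refuse PC3 in both directions.
    echo "iptables -A FORWARD -s $PC3 -j DROP"
    echo "iptables -A FORWARD -d $PC3 -j DROP"
    # Let PC2 out, and let replies to its connections back in.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PC2 -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PC2 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $PC2 -j MASQUERADE"
    # Only now is it safe to let the kernel forward at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Run the commands for real (no argument) or through a wrapper such as
# "echo" for a dry run: apply_rules echo
apply_rules() {
    runner=${1:-}
    fw_rules | while IFS= read -r cmd; do
        $runner $cmd
    done
}

# Helpers for checking that enabling ip_forward is the last step.
forward_enable_position() { fw_rules | grep -n 'ip_forward=1' | cut -d: -f1; }
rule_count() { fw_rules | wc -l | tr -d ' '; }
```

Run it as root at boot (after the network interfaces are up) in place of a bare echo to /proc/sys/net/ipv4/ip_forward; rerunning it is safe because the chains are flushed before rules are re-added.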