ip forwarding and iptables

steve crosby steve.crosby at gmail.com
Mon May 15 23:14:03 PDT 2006


On 5/16/06, Andrew Benton <b3nt at ukonline.co.uk> wrote:
> Angel Tsankov wrote:
> > I have 2 PCs: one configured as gateway (PC1) and the other one (PC2)
> > configured to use PC1 as gateway. PC1 runs a LFS. It has ip forwarding
> > enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf).
> > As far as I understand, I do not need to do anything else to make the
> > kernel route traffic to and from PC2, right?
>
> No, you need to use iptables to handle NAT/masquerading
>

Although this is the wrong forum (BLFS is where you need to ask these
questions, as Andy pointed out), I thought I'd correct some of the
statements for the archives.

============

Enabling the ip_forwarding sysctl turns your PC1 into a router. If one
of the networks that PC1 is connected to is the Internet, then there
may be additional work involved on PC1 to allow traffic to enter and
exit the Internet network properly (such as NAT).

This depends on your network configuration, target networks, routers
and address space, so can't be answered as a simple yes or no.

> > However, if I have one PC more - PC3, and I do not want to route traffic
> > to and from it I need to configure the kernel, e.g. with
> > the help of iptables. Now if I do so, i.e. use iptables to configure the
> > kernel, save the iptables configuration, setup the system
> > to reload it at startup (using the init.d scripts), is there any moment
> > (during system startup) when ip forwarding has been enabled
> > but the iptables configuration has not yet been loaded and traffic could
> > be routed to and from PC3?
>
> No, without iptables nothing would be forwarded. If you're worried about
> it then don't do the
> echo 1 > /proc/sys/net/ipv4/ip_forward
> until after you've set your firewall rules.

Yes. Once ip_forwarding has been turned on, your PC1 is a router, and
will happily deliver traffic to and from any machines. Whether or
not the traffic does anything, can get a response or is routed
correctly may depend on additional configuration however.

The correct solution is to enable ip_forwarding only after you have
made any additional configuration changes to your PC1 networking (such
as iptables, etc).

-- 
-- -
Steve Crosby
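An added example, not from the thread, of the ordering recommended above: a small sh init fragment for PC1 that loads the iptables FORWARD rules and NAT first and only then sets ip_forward, so there is no startup window in which PC3's traffic can be routed. The interface names and the addresses of PC2 and PC3 are assumed placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Bring PC1 up as a router: firewall rules first, ip_forward last.
set -eu

LAN_IF="${LAN_IF:-eth0}"      # assumed: interface facing PC2/PC3
WAN_IF="${WAN_IF:-eth1}"      # assumed: interface facing the Internet
PC2="${PC2:-192.168.1.10}"    # constructed sample address of PC2
PC3="${PC3:-192.168.1.11}"    # constructed sample address of PC3 (never allowed)

# run: execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_firewall() {
    # Default-deny for forwarded traffic, then allow only PC2 and its replies.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PC2" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$PC2" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # PC3 ($PC3) matches no ACCEPT rule, so the DROP policy applies to it.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# bring_up_router: rules must exist before forwarding is switched on.
bring_up_router() {
    load_firewall
    enable_forwarding
}

# forwarding_is_last: verify on a dry-run transcript that the sysctl came last.
forwarding_is_last() {
    last=$(printf '%s\n' "$1" | tail -n 1)
    [ "$last" = "sysctl -w net.ipv4.ip_forward=1" ]
}

if [ "${1:-}" = "up" ]; then
    bring_up_router
fi
```

Run as root with `up` from your init script, or `DRY_RUN=1 ./router.sh up` to preview the command order without touching the kernel.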
