topic Re: IP forwarding in Linux in Operating System - Linux

IP forwarding in Linux

Shyam Sundar — Sat, 10 Aug 2002 08:48:40 GMT

Hello,

We have a cluster setup with NIS configured on it. All nodes run Redhat linux (7.3)

The master node has 2 NIC's, one with the IP of 3.212.228.220(eth0) and the other with 192.168.1.1(eth1), the default gateway for the system is 3.212.228.96

All the other nodes in the cluster has one NIC and act as NIS clients with their IP range in 192 series and default gateway as 192.168.1.1

Now from all the clients we are able to ping to 3.212.228.220 (eth0 of master node). But at the same time we are not able ping to other resources of 3.212.228.X network, even all nodes don't ping 3.212.228.96 (which is the default gateway of master node).

In the 3.212.228.96 router, return path is defined properly.

In this scenario, on the master node, whether IP forwarding should be enabled from 192.168.1.1 to 3.212.228.220?
If so, please guide me as how to do the same.

If there is anything else, which has to be done to access 3.212.228.X network from all clients, please advice.

Thanks & Regards,
Shyam

Re: IP forwarding in Linux

Ron Kinner — Sat, 10 Aug 2002 11:15:04 GMT

You need IP forwarding ON.
You will need NAT (masquerading) if you want them to go to the internet.
You may have to open up your IPchains firewall to allow packets to pass.
Resources on the 3.212.228 LAN will need to know about the 192.168.1 LAN. Which means They must have a route pointing back through the Master Node for this LAN if you do not use NAT.

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/TXT/TrinityOS.txt

Tells you more than you will ever want to know about this.

Ron

Re: IP forwarding in Linux

melvyn burnard — Mon, 12 Aug 2002 06:19:52 GMT

so why put this under HP-UX forum?

Moving it to linux forum

Re: IP forwarding in Linux

Kodjo Agbenu — Mon, 12 Aug 2002 18:09:27 GMT

Hello,

At home, I use iptables for doing this.

Here is an abstract of my /etc/rc.d/rc.local file :

# -----
# Initialization
# * Flush all built-in chains
# * Delete all user-defined chains
# * Set the default policy : drop all input packets
# -----

DNS_SERVERS="IP_DNS_1 IP_DNS_2 ..."

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

echo "0" >/proc/sys/net/ipv4/ip_forward

iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -t nat -P OUTPUT DROP

# -----
# Allow traffic that seems "normal"
# -----

iptables -t filter -A INPUT -i eth1 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

for dns in ${DNS_SERVERS}
do
iptables -t filter -A INPUT -i eth0 -p udp --sport 53 -d ${dns} -j ACCEPT
done

iptables -t filter -A FORWARD -i eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t filter -A OUTPUT -j ACCEPT

iptables -t nat -A PREROUTING -j ACCEPT
iptables -t nat -A POSTROUTING -j ACCEPT
iptables -t nat -A OUTPUT -j ACCEPT

# -----
# Masquerade outgoing traffic
# -----

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo "1" >/proc/sys/net/ipv4/ip_forward

exit 0

Of course you may want more security, particularly maybe to log all "bad" packets. Feel free to adapt these rules to your configuration.

Good luck.

Kodjo