Bug 127994 - Fedora Core 2: packets are not forwarded when using iptables
Fedora Core 2: packets are not forwarded when using iptables
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Thomas Woerner
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-07-16 00:57 EDT by Jonathan Laub
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-16 11:32:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathan Laub 2004-07-16 00:57:19 EDT
Description of problem:
=======================
Using the Security Level helper application there is no means of
specifying packet forwarding between eth0(inside net) and
eth1(external net).  In addition, when /proc/sys/net../ip_forward is
set to '1', and ECN is disabled, forwarding does not occur unless
firewall is disabled and this custom script is used instead shown at
bottom.  Have also modified sysctl.conf to '1' as well to allow for
forwarding.  Did I miss anything??

Version-Release number of selected component (if applicable): Fedora
Core 2 - updated on all RPMS's.

How reproducible:  May be difficult?
=================
Steps to Reproduce:
===================
1. Set eth0 to 10.0.0.100, set eth1 to and external ip.
2. Echo 1 > /proc/sys/net/ipv4/ip_forward
3. Modify sysctl.conf changing ip_forwarding to '1' from '0'.
4. Sysctl -p, reboot.
5. Have tried to customize the /etc/sysconfig/iptables.conf generated
by the Security Level helper app and had no progress.  

Actual results: Forwarding does not occur.

Expected results:

Additional info: 
================
This is the only means of getting forwarding going quickly without
spending gobs of time trying to tweak ip_tables.conf.
*-<add snip>---------------------------------------------------------
#!/bin/bash
#
# chkconfig: 2345 08 92
# description:	Starts my custom ip_forwarding. 
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
echo "1" > /proc/sys/net/ipv4/ip_forward
ipt=/sbin/iptables
# Change this value to your EXTERNAL interface
ext=eth1
# Set policies
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done
$ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE
*--------------------------------------------------------------------
Comment 1 Thomas Woerner 2004-08-16 11:32:56 EDT
You want masquerading and not a simple forward. You can either save
your generated configuration with 'service iptables save', which will
overwrite /etc/sysconfig/iptables with the current firewall rules or
you can add 

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT

to your current /etc/sysconfig/iptables.

system-config-securitylevel does not support masquerading.

This is not a bug.
Comment 2 IBM Bug Proxy 2004-08-25 19:22:45 EDT
----- Additional Comments From linas@us.ibm.com(prefers email via linas@austin.ibm.com)  2004-08-25 19:22 -------
This patch *still* hasn't made it into mainline, even though they've been  
nagged on multiple occasions.  As a result, this patch is still not in  
RHEL4.  I guess I'll wait a bit longer and hope it makes it into mainline. 
Wish it didn't take 1.5 months for trivial patches to get into mainline :( 
  
 
I just source-code audited kernel-2.6.8-1.525.src.rpm    
obtained from    
http://people.redhat.com/~arjanv/2.6/SRPMS.kernel/ 
Comment 3 Thomas Woerner 2004-08-26 04:05:11 EDT
Which patch?
Comment 4 IBM Bug Proxy 2004-09-19 12:20:20 EDT
----- Additional Comments From khoa@us.ibm.com  2004-09-19 12:17 EDT -------
I'd like to move this bug into Submitted state (following our new bugzilla
process) as this patch has been submitted to both mainline and Red Hat.

Red Hat - we need confirmation if this patch will make beta2. Thanks. 
Comment 5 Thomas Woerner 2004-09-29 12:01:07 EDT
I think you have committed this to the wrong bugzilla entry, right?

Note You need to log in before you can comment on or make changes to this bug.