Description of problem: ======================= Using the Security Level helper application there is no means of specifying packet forwarding between eth0(inside net) and eth1(external net). In addition, when /proc/sys/net../ip_forward is set to '1', and ECN is disabled, forwarding does not occur unless firewall is disabled and this custom script is used instead shown at bottom. Have also modified sysctl.conf to '1' as well to allow for forwarding. Did I miss anything?? Version-Release number of selected component (if applicable): Fedora Core 2 - updated on all RPMS's. How reproducible: May be difficult? ================= Steps to Reproduce: =================== 1. Set eth0 to 10.0.0.100, set eth1 to and external ip. 2. Echo 1 > /proc/sys/net/ipv4/ip_forward 3. Modify sysctl.conf changing ip_forwarding to '1' from '0'. 4. Sysctl -p, reboot. 5. Have tried to customize the /etc/sysconfig/iptables.conf generated by the Security Level helper app and had no progress. Actual results: Forwarding does not occur. Expected results: Additional info: ================ This is the only means of getting forwarding going quickly without spending gobs of time trying to tweak ip_tables.conf. *-<add snip>--------------------------------------------------------- #!/bin/bash # # chkconfig: 2345 08 92 # description: Starts my custom ip_forwarding. # # config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables-config echo "1" > /proc/sys/net/ipv4/ip_forward ipt=/sbin/iptables # Change this value to your EXTERNAL interface ext=eth1 # Set policies $ipt -P INPUT ACCEPT $ipt -P FORWARD ACCEPT $ipt -P OUTPUT ACCEPT # Delete table rules, chains and counters for table in filter nat mangle do $ipt -t $table -F # flush $ipt -t $table -X # delete $ipt -t $table -Z # zero done $ipt -t nat -A POSTROUTING -o $ext -j MASQUERADE *--------------------------------------------------------------------
You want masquerading and not a simple forward. You can either save your generated configuration with 'service iptables save', which will overwrite /etc/sysconfig/iptables with the current firewall rules or you can add *nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o eth1 -j MASQUERADE COMMIT to your current /etc/sysconfig/iptables. system-config-securitylevel does not support masquerading. This is not a bug.
----- Additional Comments From linas.com(prefers email via linas.com) 2004-08-25 19:22 ------- This patch *still* hasn't made it into mainline, even though they've been nagged on multiple occasions. As a result, this patch is still not in RHEL4. I guess I'll wait a bit longer and hope it makes it into mainline. Wish it didn't take 1.5 months for trivial patches to get into mainline :( I just source-code audited kernel-2.6.8-1.525.src.rpm obtained from http://people.redhat.com/~arjanv/2.6/SRPMS.kernel/
Which patch?
----- Additional Comments From khoa.com 2004-09-19 12:17 EDT ------- I'd like to move this bug into Submitted state (following our new bugzilla process) as this patch has been submitted to both mainline and Red Hat. Red Hat - we need confirmation if this patch will make beta2. Thanks.
I think you have committed this to the wrong bugzilla entry, right?