Good day everyone. Today has been "one of those..." days. So I have a feeling this is just a brain lapse here.

At any rate, I am setting up a firewall/router using CentOS 4.4 (minimal install, yummed up to date).

I have in fact enabled v4 IP forwarding (by editing /etc/sysctl.conf) and rebooted the system. I use fwbuilder for my rules, and at this point have a next-to-nothing set of rules. A DHCP server is also residing on this router.

Now the firewall can get pings back from various sources on the net by IP and by host name. The firewall can also ping the workstations, and the workstations can ping the firewall (via the internal IP). The workstations are in fact getting proper IP info from the DHCP server (I have released and renewed it many times as well as rebooted).

Now the issue is, I can not get out of the internal network to the internet for any traffic. Pings (by IP and name), web sites, etc.

It "seems" like the traffic is not being forwarded, but I have run the following command to confirm the IP forwarding is on:

# cat /proc/sys/net/ipv4/ip_forward

And I do in fact have a "1" in there.

Did I miss one little step somewhere? I have set these things up before without issue, so I suspect I am overlooking a little step here.

Ideas?
On 22/02/07, Dustin Krysak <d.k.emaillists at gmail.com> wrote:
> Good day everyone. Today has been "one of those..." days. So I have a
> feeling this is just a brain lapse here.
>
> At any rate, I am setting up a firewall/router using CentOS 4.4
> (minimal install, yummed up to date).
>
> It "seems" like the traffic is not being forwarded, but I have run the
> following command to confirm the IP forwarding is on:
>
> # cat /proc/sys/net/ipv4/ip_forward
>
> And I do in fact have a "1" in there.

Is the firewall NATing outbound traffic?

If you can, can you stop iptables and just see if simple IP routing is working as expected?

If you tcpdump all traffic for a little-used port on both interfaces, then try telnetting out to that port on an external host, does the packet appear on the external interface?

What do the routing tables look like?

Just a few suggestions.

Will.
Dustin Krysak wrote:
> Good day everyone. Today has been "one of those..." days. So I have a
> feeling this is just a brain lapse here.
>
> At any rate, I am setting up a firewall/router using CentOS 4.4
> (minimal install, yummed up to date).
>
> I have in fact enabled v4 IP forwarding (by editing /etc/sysctl.conf)
> and rebooted the system. I use fwbuilder for my rules, and at this
> point have a next-to-nothing set of rules. A DHCP server is also
> residing on this router.
> ...
> Now the issue is, I can not get out of the internal network to the
> internet for any traffic. Pings (by IP and name), web sites, etc.

Sounds like you're trying to do a 'NAT' (network address translation) network, where your local network is on private IP space (192.168.x.y or 10.x.x.x or whatever), and you're sharing a single public IP. This requires several very specific and moderately complex rules to implement what Linux calls 'MASQUERADE', and you need to load the ip_conntrack module into the kernel, and probably a few more.

At a BARE minimum, you need some variant on these two rules...

    iptables --table nat --append POSTROUTING --out-interface $WAN -j MASQUERADE
    iptables --append FORWARD --in-interface $LAN -j ACCEPT

(where $WAN, $LAN are eth0, eth1, or whatever your internet and local interfaces are)

If you google for: LINUX MASQUERADE, you'll find all sorts of confusing info on this :)
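The two rules from the reply above, gathered into a script the original poster could adapt, together with the reverse-direction rule that the two-rule minimum leaves out and two checks that answer the questions Will raised (is forwarding really on, and is the box actually masquerading). This is an added example, not code from the thread or from any of its participants. Its assumptions: eth0 faces the internet and eth1 faces the LAN (override with WAN= and LAN=), and iptables autoloads iptable_nat and ipt_MASQUERADE when a rule references them, so only ip_conntrack is loaded by hand. The sample iptables listing inside the script is constructed for the self-check, not captured from a real box.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal masquerading NAT for a
# two-NIC CentOS 4 router, plus checks for the two usual failure points.
# Assumptions: eth0 = internet side, eth1 = LAN side (override via WAN=/LAN=).

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"

# True when the kernel's IPv4 forwarding switch reads "1". Takes an optional
# path so the same check can be run against a saved copy of the file.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Print (do not run) the commands that turn this host into a masquerading NAT.
# Rule 1: rewrite the source of everything leaving the WAN side to its address.
# Rule 2: let LAN-originated packets be forwarded out.
# Rule 3: let replies back in. The thread's two-rule minimum omits this; it is
#         harmless when the FORWARD policy is ACCEPT and essential when it is DROP.
nat_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
modprobe ip_conntrack
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Answer "is the firewall NATing outbound traffic?" from the output of
#   iptables -t nat -L POSTROUTING -n -v
# passed in as $1. In that listing the columns are
#   pkts bytes target prot opt in out source destination
# so a masquerade rule for interface $2 has $3 == MASQUERADE and $7 == $2.
has_masquerade() {
    printf '%s\n' "$1" | awk -v wan="$2" \
        '$3 == "MASQUERADE" && $7 == wan { found = 1 } END { exit !found }'
}

# Apply the rules as root. Refuses to proceed while forwarding is off, because
# a MASQUERADE rule does nothing for a packet the kernel never forwards.
apply_nat() {
    if ! forwarding_enabled; then
        echo "ip_forward is 0: set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run sysctl -p" >&2
        return 1
    fi
    nat_rules "$WAN" "$LAN" | sh -e
}

# Self-check against a constructed listing (not captured from a real router),
# so the script can be exercised without root or iptables installed.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 3 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   864 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

self_check() {
    has_masquerade "$SAMPLE_POSTROUTING" eth0 || return 1
    has_masquerade "$SAMPLE_POSTROUTING" eth1 && return 1
    nat_rules eth0 eth1 | grep -q -- '-o eth0 -j MASQUERADE' || return 1
    return 0
}
```

Source the file and run `apply_nat` as root (or `WAN=eth2 LAN=eth0 apply_nat` on a box wired differently); `has_masquerade "$(iptables -t nat -L POSTROUTING -n -v)" "$WAN"` then tells you whether the rule actually landed. If the FORWARD chain is empty with policy ACCEPT, the thread's single `-i $LAN -j ACCEPT` rule is enough; the RELATED,ESTABLISHED rule is what keeps replies flowing once the policy is DROP. One caveat for the original poster's setup: fwbuilder's generated script resets the tables when it runs, so on a box where fwbuilder owns the rules the MASQUERADE rule belongs in fwbuilder's NAT rule set rather than in a hand-run script, or the next policy reload will silently remove it.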