Good Evening,

I am trying to forward packages on an internal device using iptables:

/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

but the packages are still blocked, e.g.:

Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0

net.ipv4.ip_forward = 1 is set, too.

Best Regards
Marcus
jgimer at gmail.com
2009-Feb-06 18:38 UTC
[CentOS] iptables: forwarding on internal device
What do your input and output chains show?

Josh

> ------Original Message------
> From: Marcus Moeller
> Sender: centos-bounces at centos.org
> To: CentOS mailing list
> ReplyTo: CentOS mailing list
> Sent: Feb 6, 2009 11:13 AM
> Subject: [CentOS] iptables: forwarding on internal device
>
> Good Evening,
>
> I am trying to forward packages on an internal device using iptables:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> but the packages are still blocked, e.g.:
>
> Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0
>
> net.ipv4.ip_forward = 1 is set, too.
>
> Best Regards
> Marcus
Dear Josh,

> What do your input and output chains show?
>
> Josh

I guess you mean the forward rules:

ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED

Best Regards
Marcus
jgimer at gmail.com
2009-Feb-06 20:23 UTC
[CentOS] iptables: forwarding on internal device
What does iptables -nL show?

> ------Original Message------
> From: Marcus Moeller
> Sender: centos-bounces at centos.org
> To: CentOS mailing list
> ReplyTo: CentOS mailing list
> Sent: Feb 6, 2009 1:15 PM
> Subject: Re: [CentOS] iptables: forwarding on internal device
>
> Dear Josh,
>
> > What do your input and output chains show?
> >
> > Josh
>
> I guess you mean the forward rules:
>
> ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
>
> Best Regards
> Marcus
Filipe Brandenburger
2009-Feb-07 02:52 UTC
[CentOS] iptables: forwarding on internal device
Hi Marcus,

On Fri, Feb 6, 2009 at 13:13, Marcus Moeller <mm at gcug.de> wrote:
> I am trying to forward packages on an internal device using iptables:
>
> /sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT

What is your network topology? How are the packages being routed and yet leaving through the same interface? Are you using supernetting? Or VLANs based on IP addresses? What are the IPs in your network interfaces?

> but the packages are still blocked, e.g.:
> Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0
> SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127
> ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0

From the dump of the iptables it looks like it is reaching the my_drop chain.

In your iptables output the interfaces for the rules do not show... It is also hard to read because lines are wrapped in the e-mail... Could you please run 'iptables -nvL', post the output to http://pastebin.centos.org/, and send us the link here? That might help diagnose your problem.

Filipe
On Friday 06 February 2009 15:57, Marcus Moeller wrote:
> Hi Again.
>
> > Iptables -nL
> >
> > Show?
>
> Here is the complete output (there are a lot of other rules active on
> that machine):

[snip]

Your rule is not showing up. How did you set this rule up? If you added it to your firewall rules you need to restart the firewall. If you added it by hand then it must have spit out an error as it didn't take.

--
Regards
Robert
Linux User #296285
http://counter.li.org
Good Morning,

iptables -L -v now shows:

0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED

But the packages are still dropped:

Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0

Could it be that I have to enable something in proc to allow forwarding on an internal device?

Best Regards
Marcus
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Marcus Moeller
> Sent: Monday, February 09, 2009 2:59 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] iptables: forwarding on internal device
>
> Good Morning,
>
> iptables -L -v now shows:
>
> 0 0 ACCEPT all -- eth0 eth0 anywhere
> anywhere state NEW,RELATED,ESTABLISHED
>
> But the packages are still dropped:
>
> Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0
> SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59
> ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
>
> Could it be that I have to enable something in proc to allow
> forwarding on an internal device?
>
> Best Regards
> Marcus

Yes, that would be correct, Marcus. Echo it into /proc, or in /etc/sysctl.conf it would be:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

John Stanley
Hi again,

> Yes that would be correct Marcus echo it into /proc or in /etc/sysctl.conf
> would be
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1

This is what I have done already. sysctl -p gives me:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

The strange thing is that it seems to be blocked by netfilter. I am using exactly the same rules on a Slackware Box without any problems.

Best Regards
Marcus
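A short triage helper, added here as an example and not part of the thread, that parses the two kernel LOG lines Marcus posted and reports the two things the thread circles around: the packet is leaving on the same interface it arrived on (the topology question Filipe raises), and the logged flag combinations (ACK RST and ACK SYN) cannot open a new conntrack entry, so if the firewall never saw the connection's opening SYN these packets are in state INVALID and match none of NEW, RELATED or ESTABLISHED. Field names are those of the netfilter LOG target; the function names are my own.

```python
# Added example, not from the thread: parse the two kernel LOG lines Marcus
# posted (copied here as constructed sample input) and explain the drop.
SAMPLE_LOG = [
    "Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 "
    "DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP "
    "SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 "
    "DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP "
    "SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0",
]
# TCP flags appear as bare words between RES= and URGP= in LOG output.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_nf_log(line):
    """Return the KEY=VALUE fields of a netfilter LOG line plus PREFIX and FLAGS."""
    body = line.split("kernel: ", 1)[1]
    fields, flags, prefix = {}, set(), []
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        elif not fields:
            prefix.append(tok)  # words before the first KEY= are the --log-prefix
    fields["PREFIX"] = " ".join(prefix)
    fields["FLAGS"] = flags
    return fields

def triage(fields):
    """Reasons a -m state --state NEW,RELATED,ESTABLISHED rule misses this packet."""
    notes = []
    if fields.get("IN") and fields["IN"] == fields.get("OUT"):
        notes.append("IN == OUT: sent back out the ingress interface; check routing/topology")
    flags = fields["FLAGS"]
    if fields.get("PROTO") == "TCP" and ({"SYN", "ACK"} <= flags or "RST" in flags):
        # Only a bare SYN opens a conntrack entry (state NEW). A SYN/ACK or RST for
        # a connection the firewall never saw is INVALID, matching none of the three.
        notes.append("TCP flags %s: INVALID unless conntrack already saw the SYN"
                     % "/".join(sorted(flags)))
    return notes

def triage_all(lines=SAMPLE_LOG):
    """Map each dropped packet (SRC:SPT -> DST:DPT) to its triage notes."""
    result = {}
    for line in lines:
        f = parse_nf_log(line)
        result["%s:%s -> %s:%s" % (f["SRC"], f["SPT"], f["DST"], f["DPT"])] = triage(f)
    return result
```

Running iptables -nvL alongside this output shows whether the ACCEPT counters stay at 0 while the DROP counters climb, which is the pattern expected when the packets are INVALID rather than NEW.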