Tim Alberts
2008-Feb-12 18:26 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
First,

I'd like to configure my system to forward ip, to act as a gateway for my network. I've always used a script during startup to do this:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${IP_NAT}

This works fine, however I want this permanent so I don't have to run the script on startup. I have the firewall setup with SNAT fine, but when I write the file /etc/sysconfig/network with the line 'FORWARD_IPV4=YES' it still doesn't enable the ip forwarding after boot?

    cat /proc/sys/net/ipv4/ip_forward
    0

So how do I do this?

Second,

In DHCP, you can specify multiple DNS servers:

    option domain-name-servers 10.0.0.1, 10.0.0.2, 10.0.0.3;

can you also do this with routers?

    option routers 10.0.0.1 10.0.0.2;

so that if one is down, the network PC's can fail over to another?
CM
2008-Feb-12 18:32 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Tim Alberts wrote:
> First,
>
> I'd like to configure my system to forward ip, to act as a gateway for
> my network. I've always used a script during startup to do this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${IP_NAT}
>
> This works fine, however I want this permanent so I don't have to run
> the script on startup. I have the firewall setup with SNAT fine, but
> when I write the file /etc/sysconfig/network with the line
> 'FORWARD_IPV4=YES' it still doesn't enable the ip forwarding after boot?
>
> cat /proc/sys/net/ipv4/ip_forward
> 0
>
> So how do I do this?

Modify /etc/sysctl.conf :

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

CM
Greg Bailey
2008-Feb-12 18:34 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Tim Alberts wrote:
> First,
>
> I'd like to configure my system to forward ip, to act as a gateway for
> my network. I've always used a script during startup to do this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${IP_NAT}
>
> This works fine, however I want this permanent so I don't have to run
> the script on startup. I have the firewall setup with SNAT fine, but
> when I write the file /etc/sysconfig/network with the line
> 'FORWARD_IPV4=YES' it still doesn't enable the ip forwarding after boot?
>
> cat /proc/sys/net/ipv4/ip_forward
> 0
>
> So how do I do this?

You want to modify the /etc/sysctl.conf file:

    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1

That change will take effect the next time the system is rebooted; or, you can type:

    /sbin/sysctl -p

which will load the values specified in /etc/sysctl.conf immediately.

-Greg
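Added example, not part of the original thread: a small audit that reads a sysctl.conf-style file, works out which `net.ipv4.ip_forward` value will actually be applied at boot, and compares it with the live /proc value. The function names are hypothetical, and it assumes that a key missing from the file boots as 0 and that sysctl accepts `/` in place of `.` in key names.

```sh
# Added example; function names are hypothetical, not from the thread.

# effective_sysctl KEY FILE: print the value of the last uncommented
# "KEY = value" line (later lines win, as when sysctl -p applies them in
# order). Returns 1 if the key is never set.
effective_sysctl() {
    awk -v want="$1" '
        /^[ \t]*([#;]|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", key)
            if (key == want) { found = 1; last = val }
        }
        END { if (!found) exit 1; print last }
    ' "$2"
}

# forwarding_state CONF [RUNTIME_FILE]: compare boot-time and live settings.
# Assumption: a key absent from CONF boots as 0.
forwarding_state() {
    boot=$(effective_sysctl net.ipv4.ip_forward "$1") || boot=0
    live=$(cat "${2:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null) || live=unknown
    case "$boot/$live" in
        1/1) echo persistent ;;
        1/*) echo pending-reload ;;
        */1) echo runtime-only ;;
        *)   echo disabled ;;
    esac
}

# Constructed sample: a later line silently turns forwarding back off.
write_sample() {
    cat > "$1" <<'EOF'
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net/ipv4/ip_forward=0
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/sysctl.conf"
echo 1 > "$tmp/ip_forward"     # stand-in for the /proc file
forwarding_state "$tmp/sysctl.conf" "$tmp/ip_forward"
rm -rf "$tmp"
```

`runtime-only` is the situation the original question describes while the startup script is in use; `pending-reload` means the file is correct but `/sbin/sysctl -p` or a reboot has not applied it yet.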
David Mackintosh
2008-Feb-12 18:36 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
On Tue, Feb 12, 2008 at 10:26:54AM -0800, Tim Alberts wrote:
> So how do I do this?

edit /etc/sysctl.conf

> option routers 10.0.0.1 10.0.0.2;

Not as far as I know.

-- 
David Mackintosh | dave at xdroop.com | http://www.xdroop.com
John R Pierce
2008-Feb-12 18:46 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Tim Alberts wrote:
> option routers 10.0.0.1 10.0.0.2;
>
> so that if one is down, the network PC's can fail over to another?

no, but you could set up the two 'routers' with heartbeat and stuff so that if the 'active' router goes down, the standby router takes over.
Shawn O'Shea
2008-Feb-12 19:04 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Tim Alberts wrote:
> First,
>
> I'd like to configure my system to forward ip, to act as a gateway for
> my network. I've always used a script during startup to do this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${IP_NAT}

For ip forwarding, edit /etc/sysctl.conf and make sure you have a line that says

    net.ipv4.ip_forward = 1

For iptables, if you already have a working iptables config, just run:

    service iptables save

This will create an /etc/sysconfig/iptables for you. Then make sure that the system loads up these rules on boot with:

    chkconfig iptables on

Re: your dhcp question below... you can do what you list (the man page [man dhcp-options] and RFC2132 say they should be listed in order of preference) but the question really is, "What will the DHCP client do with multiple IPs in this option?" because I could see this behavior being inconsistent.

-Shawn

> This works fine, however I want this permanent so I don't have to run
> the script on startup. I have the firewall setup with SNAT fine, but
> when I write the file /etc/sysconfig/network with the line
> 'FORWARD_IPV4=YES' it still doesn't enable the ip forwarding after boot?
>
> cat /proc/sys/net/ipv4/ip_forward
> 0
>
> So how do I do this?
>
> Second,
> In DHCP, you can specify multiple DNS servers:
>
> option domain-name-servers 10.0.0.1, 10.0.0.2, 10.0.0.3;
>
> can you also do this with routers?
>
> option routers 10.0.0.1 10.0.0.2;
>
> so that if one is down, the network PC's can fail over to another?
Tim Alberts
2008-Feb-12 19:05 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Excellent and very responsive answers, thank you everyone.
nate
2008-Feb-14 15:09 UTC
[CentOS] Making FORWARD_IPV4=YES permanent / DHCP multiple routers
Tim Alberts wrote:
> So how do I do this?

easiest way is to put it in /etc/rc.d/rc.local . I'm sure that's not the "proper" way though.

> so that if one is down, the network PC's can fail over to another?

No PC will do that even if the DHCP server supported it. What you want is VRRP, so the backup router will assume the IP and MAC address of the failed router. There are other protocols that can accomplish the same thing, OpenBSD uses pf carp, some older Cisco gear have HSRP. Lots of firewall vendors have their own proprietary protocols for fail over.

I run ESRP in my environment to provide layer 3 router fault tolerance as well as layer 2 loop prevention in a single protocol (that doesn't require any protocols be installed on downstream equipment unlike (R|M)STP)

nate