[CentOS] iptables: forwarding on internal device
Marcus Moeller
mm at gcug.de
Tue Feb 10 18:19:01 UTC 2009
Good Evening,
>> The strange thing is that it seems to be blocked by netfilter. I am
>> using exactly the same rules on a Slackware Box without any problems.
> ----
> Slackware is the Key here Marcus. The two distros have different modules
> built into the kernel by default and maybe a cause for why it is happening?
> But Honestly I don't see how you are ever going to forward packets and
> requests with the below rule. How are you going to come into and back out of
> the same interface? That's why it won't traverse. How about -i eth0 -o eth1 or
> -I eth0 -o eth0:0
As mentioned before, the ruleset is now activated correctly as
iptables -L shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
I must admit that it was not in my pastebin posts (my fault).
> -A FORWARD -i eth0 -o eth0 -m state --state \
> NEW,RELATED,ESTABLISHED -j ACCEPT
>
> When you use iptables save it does not save the rules you just put into
> it! You will have to edit /etc/sysconfig/iptables-config:
>
> # Unload modules on restart and stop
> # Value: yes|no, default: yes
> # This option has to be 'yes' to get to a sane state for a firewall
> # restart or stop. Only set to 'no' if there are problems unloading netfilter
> # modules.
> IPTABLES_MODULES_UNLOAD="yes"
>
> # Save current firewall rules on stop.
> # Value: yes|no, default: no
> # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
> # (e.g. on system shutdown).
> IPTABLES_SAVE_ON_STOP="yes"
>
> # Save current firewall rules on restart.
> # Value: yes|no, default: no
> # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
> # restarted.
> IPTABLES_SAVE_ON_RESTART="yes"
The rules are stored and activated with service iptables save (and all
other rules, e.g. routing into DMZ, work fine).
I now begin to wonder if it's a routing issue and backroute problem, as
the response package may come from a different MAC address:
LAN1 -> LINUX_ROUTER -> LAN2
Response:
LAN2 -> CORE-ROUTER(with LINUX_ROUTER as default Gateway) ->
LINUX_ROUTER | BLOCKED | LAN1
This may be the case as the CORE-ROUTER was not part of the network in
good ol' slacky times.
Best Regards
Marcus
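The listing pasted above shows the forward rule with packet and byte counters of 0, meaning it is loaded but no packet has matched it yet. Two quick checks are useful when a rule is present but traffic still does not pass: which FORWARD rules have never been hit, and whether reverse-path filtering (rp_filter, enabled by default on many distributions and applied before the FORWARD chain) is active on the interfaces, since strict rp_filter drops replies that arrive through a different path than the one the route to their source points to, which is exactly the asymmetric LAN2 -> CORE-ROUTER -> LINUX_ROUTER return path sketched above. The script below is an added example, not something from this thread or from the CentOS project; it assumes the output format of "iptables -L FORWARD -v -n", and the chain listing and the /proc tree it uses are constructed sample data so it runs offline without root.

```shell
#!/bin/sh
# Added diagnostic helper (not from the list post). zero_hit_rules reads
# "iptables -L FORWARD -v -n" output (pkts and bytes columns first) from
# stdin and prints every rule whose packet counter is still 0, i.e. a rule
# that no packet has matched since the counters were last reset. A loaded
# rule that is never hit means the traffic does not arrive with the
# interface pair the rule expects, or is dropped before reaching FORWARD.
#
# On a real box:  iptables -L FORWARD -v -n | zero_hit_rules
zero_hit_rules() {
    # Line 1 is "Chain FORWARD (...)", line 2 is the column header;
    # after that each line is rule number NR-2 in the chain.
    awk 'NR > 2 && $1 == 0 { print "never matched: rule " (NR-2) ": " $0 }'
}

# Print the interfaces on which rp_filter is enabled. $1 is the procfs
# root (default /proc); a constructed tree can be passed for offline use.
rp_filter_report() {
    root="${1:-/proc}"
    for f in "$root"/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        [ "$val" != "0" ] && printf 'rp_filter=%s on %s\n' "$val" "$iface"
    done
    return 0
}

# --- Constructed sample data, not real output from the poster's router ---
# Only the eth0 -> eth0 rule has zero counters; the other two see traffic.
SAMPLE_FORWARD='Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
  840 61440 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
  790 58200 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Constructed /proc tree so the rp_filter check runs without root.
fake_proc=$(mktemp -d)
for i in all default eth0 eth1; do
    mkdir -p "$fake_proc/sys/net/ipv4/conf/$i"
done
echo 1 > "$fake_proc/sys/net/ipv4/conf/all/rp_filter"
echo 0 > "$fake_proc/sys/net/ipv4/conf/default/rp_filter"
echo 1 > "$fake_proc/sys/net/ipv4/conf/eth0/rp_filter"
echo 0 > "$fake_proc/sys/net/ipv4/conf/eth1/rp_filter"

printf '%s\n' "$SAMPLE_FORWARD" | zero_hit_rules
rp_filter_report "$fake_proc"
rm -rf "$fake_proc"
```

On the constructed data the first function reports only the eth0 -> eth0 rule, and the second reports rp_filter on "all" and "eth0". With rp_filter active, a reply from LAN2 that enters through the CORE-ROUTER on an interface other than the one the route back to LAN2 uses is discarded in the routing step and never reaches the FORWARD counters at all; setting net.ipv4.conf.all.log_martians=1 makes such drops visible in the kernel log, which is a safer first step than loosening the filter.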