Good Evening,
I am trying to forward packages on an internal device using iptables:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
but the packages are still blocked, e.g.:
Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0
net.ipv4.ip_forward = 1
is set, too.
Best Regards Marcus
Hi Marcus,
On Fri, Feb 6, 2009 at 13:13, Marcus Moeller mm@gcug.de wrote:
I am trying to forward packages on an internal device using iptables:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
What is your network topology? How are the packages being routed and yet leaving through the same interface? Are you using supernetting? Or VLANs based on IP addresses?
What are the IPs in your network interfaces?
but the packages are still blocked, e.g.: Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0
From the dump of the iptables it looks like it is reaching the my_drop chain.
In your iptables output the interfaces for the rules do not show... It is also hard to read because lines are wrapped in the e-mail... Could you please run 'iptables -nvL' and post the output to http://pastebin.centos.org/, send us the link here? That might help diagnose your problem.
Filipe
Dear Filipe,
On Fri, Feb 6, 2009 at 13:13, Marcus Moeller mm@gcug.de wrote:
I am trying to forward packages on an internal device using iptables:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
What is your network topology? How are the packages being routed and yet leaving through the same interface? Are you using supernetting? Or VLANs based on IP addresses?
The packages should be routed through the internal physical interface (eth0). I am not using VLANs nor supernetting on that.
What are the IPs in your network interfaces?
The IP configuration on that interface looks like:
NETMASK=255.255.255.0 IPADDR=192.168.100.254
And I have added the following route to it:
172.28.0.0/16 via 192.168.100.100
As you may have read in one of my previous posts, the packages seem to be routed correctly but are blocked by netfilter.
Here is my iptables-config:
http://pastebin.centos.org/23906
but the packages are still blocked, e.g.: Feb 6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0
From the dump of the iptables it looks like it is reaching the my_drop chain.
In your iptables output the interfaces for the rules do not show... It is also hard to read because lines are wrapped in the e-mail... Could you please run 'iptables -nvL' and post the output to http://pastebin.centos.org/, send us the link here? That might help diagnose your problem.
Here is the output of iptables -nvL
http://pastebin.centos.org/23909
and here the active ruleset:
http://pastebin.centos.org/23912
Best Regards Marcus
Hi Marcus,
I looked at your iptables output at pastebin.
I don't see any rules like the one you mentioned on your first post:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Could you double check that and add the rule if it is missing?
Thanks, Filipe
On Friday 06 February 2009 15:57, Marcus Moeller wrote:
Hi Again.
Iptables -nL
Show?
Here is the complete output (there are a lot of other rules active on that machine):
[snip]
Your rule is not showing up. How did you set this rule up? If you added it to your firewall rules you need to restart the firewall. If you added it by hand then it must have spit out an error as it didn't take.
2009/2/7 Robert Spangler mlists@zoominternet.net:
On Friday 06 February 2009 15:57, Marcus Moeller wrote:
Hi Again.
Iptables -nL
Show?
Here is the complete output (there are a lot of other rules active on that machine):
[snip]
Your rule is not showing up. How did you set this rule up? If you added it to your firewall rules you need to restart the firewall. If you added it by hand then it must have spit out an error as it didn't take.
Good Evening.
Doesn't it fit to just execute service iptables save?
Best Regards Marcus
Hi Marcus,
On Sat, Feb 7, 2009 at 13:17, Marcus Moeller mm@gcug.de wrote:
Doesn't it fit to just execute service iptables save?
"service iptables save" will merely copy what you have running (basically what "iptables -nvL" outputs) and save it to /etc/sysconfig/iptables, so that that same configuration will be used on your next reboot (or next time you run "service iptables start" or "service iptables restart").
Looking at http://pastebin.centos.org/23912 the rule you mentioned is not there either. Maybe the rule was not loaded when you ran "service iptables save".
I suggest you verify the output of "iptables -nvL" after you load the rule again, and verify the contents of /etc/sysconfig/iptables after you run "service iptables save" again. If there is indeed a problem, looking at those might give you a clue of where/when it is happening.
HTH, Filipe
On Saturday 07 February 2009 14:22, Filipe Brandenburger wrote:
I suggest you verify the output of "iptables -nvL" after you load the rule again, and verify the contents of /etc/sysconfig/iptables after you run "service iptables save" again. If there is indeed a problem, looking at those might give you a clue of where/when it is happening.
Maybe even pastebin the script you are using to configure your rules.
Good Morning,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
Could it be that I have to enable something in proc to allow forwarding on an internal device?
Best Regards Marcus
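Filipe's suggestion above, verifying "iptables -nvL" after loading the rule, can be scripted so the check is repeatable, and the counters that "-v" adds carry a second clue: a rule that is listed but whose packet counter stays at 0 while the DROP-TCP lines keep coming has been loaded but never matched, which is a different problem from a rule that is missing. The following is an added example, not code from the thread or from the iptables package; the chain policy, the eth1 rule and the my_drop line in the sample output are assumed for illustration, as are the function names.

```python
import re
import sys

# Constructed sample of `iptables -nvL FORWARD` output, modelled on the
# "0 0 ACCEPT all -- eth0 eth0 ..." line quoted in the thread. The chain
# policy, the eth1 rule and the my_drop counters are assumed for illustration.
SAMPLE_NVL = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
 1543   91K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
   12   720 my_drop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def counter(tok):
    """Turn an (optionally abbreviated) iptables counter such as 91K into an int."""
    if tok[-1] in _SUFFIX:
        return int(float(tok[:-1]) * _SUFFIX[tok[-1]])
    return int(tok)


def parse_chain(text):
    """Parse one chain of `iptables -nvL` (or `iptables -L -v`) output.

    Returns (chain_name, policy, rules). Each rule is a dict holding the two
    counter columns, target, protocol, in/out interface, source, destination
    and the trailing match text (for example "state NEW,RELATED,ESTABLISHED").
    """
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.match(r"Chain (\S+) \(policy (\S+)", lines[0])
    # User-defined chains print "(N references)" instead of a policy.
    chain, policy = (m.group(1), m.group(2)) if m else (lines[0].split()[1], None)
    rules = []
    for line in lines[2:]:                    # lines[1] is the column header
        cols = line.split()
        rules.append({
            "pkts": counter(cols[0]), "bytes": counter(cols[1]),
            "target": cols[2], "proto": cols[3], "opt": cols[4],
            "in": cols[5], "out": cols[6], "src": cols[7], "dst": cols[8],
            "match": " ".join(cols[9:]),
        })
    return chain, policy, rules


def check_rule(text, in_if, out_if, target="ACCEPT", state=None):
    """Report whether a rule for in_if/out_if is loaded and whether it has
    matched anything: 'missing', 'loaded, never matched' or 'matching'."""
    _, _, rules = parse_chain(text)
    for r in rules:
        if r["in"] == in_if and r["out"] == out_if and r["target"] == target:
            if state and f"state {state}" not in r["match"]:
                continue
            return "matching" if r["pkts"] else "loaded, never matched"
    return "missing"


if __name__ == "__main__":
    # Usage on the box itself: iptables -nvL FORWARD | python3 check_forward.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NVL
    print(check_rule(text, "eth0", "eth0", state="NEW,RELATED,ESTABLISHED"))
```

Run against the sample, the eth0/eth0 rule reports "loaded, never matched": exactly the situation in the message above, where the rule shows up with 0 packets while the kernel keeps logging drops, which means the packets exist but do not satisfy the rule's match, rather than the rule being absent.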
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marcus Moeller
Sent: Monday, February 09, 2009 2:59 AM
To: CentOS mailing list
Subject: Re: [CentOS] iptables: forwarding on internal device
Good Morning,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
Could it be that I have to enable something in proc to allow forwarding on an internal device?
Best Regards Marcus
Yes, that would be correct, Marcus. Echo it into /proc, or in /etc/sysctl.conf it would be:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
JohnStanley
Hi again,
Yes, that would be correct, Marcus. Echo it into /proc, or in /etc/sysctl.conf it would be:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
This is what I have done already. sysctl -p gives me:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
The strange thing is that it seems to be blocked by netfilter. I am using exactly the same rules on a Slackware Box without any problems.
Best Regards Marcus
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marcus Moeller
Sent: Monday, February 09, 2009 6:11 AM
To: CentOS mailing list
Subject: Re: [CentOS] iptables: forwarding on internal device
Hi again,
Yes, that would be correct, Marcus. Echo it into /proc, or in /etc/sysctl.conf it would be:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
This is what I have done already. sysctl -p gives me:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
The strange thing is that it seems to be blocked by netfilter. I am using exactly the same rules on a Slackware Box without any problems.
Slackware is the key here, Marcus. The two distros have different modules built into the kernel by default, and maybe that is a cause for why it is happening? But honestly I don't see how you are ever going to forward packets and requests with the below rule. How are you going to come into and back out of the same interface? That's why it won't traverse. How about -i eth0 -o eth1 or -i eth0 -o eth0:0
-A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
When you use iptables save it does not save the rules you just put into it! You will have to edit /etc/sysconfig/iptables-config:
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"
JohnStanley
Good Evening,
The strange thing is that it seems to be blocked by netfilter. I am using exactly the same rules on a Slackware Box without any problems.
Slackware is the key here, Marcus. The two distros have different modules built into the kernel by default, and maybe that is a cause for why it is happening? But honestly I don't see how you are ever going to forward packets and requests with the below rule. How are you going to come into and back out of the same interface? That's why it won't traverse. How about -i eth0 -o eth1 or -i eth0 -o eth0:0
As mentioned before, the ruleset is now activated correctly as iptables -L shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
I must admit that it was not in my pastebin posts (my fault).
-A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
When you use iptables save it does not save the rules you just put into it! You will have to edit /etc/sysconfig/iptables-config:
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"
The rules are stored and activated with service iptables save (and all other rules, e.g. routing into DMZ work fine)
I now begin to wonder if it's a routing issue and backroute problem, as the response package may come from a different MAC address:
LAN1 -> LINUX_ROUTER -> LAN2
Response:
LAN2 -> CORE-ROUTER(with LINUX_ROUTER as default Gateway) -> LINUX_ROUTER | BLOCKED | LAN1
This may be the case as the CORE-ROUTER was not part of the network in good ol' slacky times.
Best Regards Marcus
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marcus Moeller
Sent: Tuesday, February 10, 2009 1:19 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables: forwarding on internal device
I now begin to wonder if it's a routing issue and backroute problem, as the response package may come from a different MAC address:
LAN1 -> LINUX_ROUTER -> LAN2
Response:
LAN2 -> CORE-ROUTER(with LINUX_ROUTER as default Gateway) -> LINUX_ROUTER | BLOCKED | LAN1
This may be the case as the CORE-ROUTER was not part of the network in good ol' slacky times.
You do have all your routes defined on all machines and routers? Last, does that machine in question have its routes defined on it ("route 10.x.x.x/x")? Only other thing you can do is start from scratch. Save all your rules and add them one at a time. If you can't have it off the network, reduce the rules to a bare minimum. Are the switches configured correctly?
JohnStanley
Good Evening.
LAN1 -> LINUX_ROUTER -> LAN2
Response:
LAN2 -> CORE-ROUTER(with LINUX_ROUTER as default Gateway) -> LINUX_ROUTER | BLOCKED | LAN1
This may be the case as the CORE-ROUTER was not part of the network in good ol' slacky times.
You do have all your routes defined on all machines and routers? Last, does that machine in question have its routes defined on it ("route 10.x.x.x/x")?
I have defined a route to LAN2 over a gateway in LAN1 (same network segment) and all machines in LAN2 have the CORE-ROUTER defined as default gw which itself got a last resort to the LINUX_ROUTER.
Only other thing you can do is start from scratch. Save all your rules and add them one at a time. If you can't have it off the network, reduce the rules to a bare minimum. Are the switches configured correctly?
I wonder if netfilter just drops a package if its response comes from a different MAC address.
Best Regards Marcus
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Marcus Moeller
Sent: Tuesday, February 10, 2009 2:49 PM
To: CentOS mailing list
Subject: Re: [CentOS] iptables: forwarding on internal device
I have defined a route to LAN2 over a gateway in LAN1 (same network segment) and all machines in LAN2 have the CORE-ROUTER defined as default gw which itself got a last resort to the LINUX_ROUTER.
Only other thing you can do is start from scratch. Save all your rules and add them one at a time. If you can't have it off the network, reduce the rules to a bare minimum. Are the switches configured correctly?
I wonder if netfilter just drops a package if its response comes from a different MAC address.
Sure, it could happen.
IF you have 3 routers between your source and destination machines, your destination machine will see the MAC address of the third-on-the-way router, not your original machine. Does this make sense to you? In other words, every time a packet hits a new IP it is changed along with the MAC. MAC spoofing, kinda.
But I would not think that netfilter JUST DROPS it for the heck of it.
JohnStanley
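The hypothesis in the last few messages, that the replies coming back through the CORE-ROUTER are the packets being dropped, can be checked against the logged packets themselves: both DROP-TCP lines quoted in this thread carry ACK RST or ACK SYN, i.e. they are the second half of a TCP exchange, and the forward rule only matches NEW, RELATED or ESTABLISHED. Netfilter's state match classifies a SYN/ACK or RST for which it has never seen the opening SYN as INVALID, which none of those three states matches, so such a packet falls through to the later drop rule while the ACCEPT rule's counters stay at 0. The following is an added example, not part of the thread: it parses the two logged lines plus one constructed opening SYN (the FWD-TCP prefix and its TTL/ID/window values are invented) and runs them through a deliberately simplified model of the connection-tracking table. The tcp_loose flag mirrors the nf_conntrack_tcp_loose sysctl, which lets a plain ACK pick up a connection mid-stream; the model does not cover timeouts, window tracking or ICMP.

```python
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "ECE", "CWR"}

# Constructed samples. SYNACK_LINE and RSTACK_LINE are the two DROP-TCP lines
# quoted in the thread; SYN_LINE is an invented opening SYN (prefix FWD-TCP,
# TTL, ID and window are assumed) for the flow that SYNACK_LINE answers.
SYN_LINE = ("Feb  9 10:48:20 firewall kernel: FWD-TCP IN=eth0 OUT=eth0 "
            "SRC=172.28.2.161 DST=192.168.100.192 LEN=44 TOS=0x00 PREC=0x00 TTL=63 "
            "ID=53 PROTO=TCP SPT=4068 DPT=9100 WINDOW=5840 RES=0x00 SYN URGP=0")
SYNACK_LINE = ("Feb  9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 "
               "SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 "
               "ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0")
RSTACK_LINE = ("Feb  6 20:58:28 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 "
               "SRC=192.168.100.177 DST=172.28.2.184 LEN=40 TOS=0x00 PREC=0x00 TTL=127 "
               "ID=16609 PROTO=TCP SPT=7166 DPT=3590 WINDOW=0 RES=0x00 ACK RST URGP=0")


def parse_log_line(line):
    """Split a netfilter LOG line into its KEY=VALUE fields and bare TCP flags.

    The first token after "kernel: " is the --log-prefix; flag names appear as
    bare tokens; other bare tokens (DF, MF, ...) are IP header bits we ignore.
    """
    body = line.split("kernel: ", 1)[1]
    prefix, _, rest = body.partition(" ")
    fields, flags = {"PREFIX": prefix}, set()
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields


class StateTable:
    """Simplified model (an assumption, not nf_conntrack itself) of how the
    state match classifies TCP packets: one entry per 4-tuple, created only by
    an opening SYN (or, with tcp_loose, a plain ACK), ESTABLISHED once a packet
    has been seen in the reply direction."""

    def __init__(self, tcp_loose=True):
        self.flows = {}          # original-direction 4-tuple -> seen_reply flag
        self.tcp_loose = tcp_loose

    def classify(self, pkt):
        fl = pkt["FLAGS"]
        orig = (pkt["SRC"], pkt["SPT"], pkt["DST"], pkt["DPT"])
        reply = (pkt["DST"], pkt["DPT"], pkt["SRC"], pkt["SPT"])
        if orig in self.flows:
            return "ESTABLISHED" if self.flows[orig] else "NEW"
        if reply in self.flows:
            self.flows[reply] = True      # first packet back: now ESTABLISHED
            return "ESTABLISHED"
        # No entry for this flow. A SYN/ACK, RST or FIN cannot open one, so the
        # packet is INVALID and matches none of NEW,RELATED,ESTABLISHED.
        if "RST" in fl or "FIN" in fl or ("SYN" in fl and "ACK" in fl):
            return "INVALID"
        if "SYN" in fl or (self.tcp_loose and "ACK" in fl):
            self.flows[orig] = False
            return "NEW"
        return "INVALID"


def classify_lines(lines, tcp_loose=True):
    """Run LOG lines through one fresh table, returning a state per line."""
    table = StateTable(tcp_loose)
    return [table.classify(parse_log_line(line)) for line in lines]


if __name__ == "__main__":
    cases = (("symmetric", [SYN_LINE, SYNACK_LINE]),
             ("asymmetric", [SYNACK_LINE, RSTACK_LINE]))
    for name, lines in cases:
        for line, state in zip(lines, classify_lines(lines)):
            p = parse_log_line(line)
            print(f"{name:10} {p['SRC']}:{p['SPT']} -> {p['DST']}:{p['DPT']} "
                  f"{' '.join(sorted(p['FLAGS'])):8} {state}")
```

With the SYN seen first, the SYN/ACK comes out ESTABLISHED and the ACCEPT rule would match it; fed only the reply, as happens when the request reached the other side by a path that bypassed this box, the same packet comes out INVALID. A quick check on the real box is whether the DROP-TCP lines ever include a plain SYN: if they are all SYN/ACK or RST/ACK, the requests are taking a different route than the replies.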
Marcus Moeller wrote:
Good Morning,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
My guess is it will ACCEPT packets, but since you haven't defined a FORWARD or an OUTPUT chain it drops them.
Hi,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
My guess is it will ACCEPT packets, but since you haven't defined a FORWARD or an OUTPUT chain it drops them.
As mentioned, I have added a rule like:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
to forward packages on the internal device.
Best Regards Marcus
Marcus Moeller wrote on Mon, 9 Feb 2009 14:23:02 +0100:
Google for that as a string
iptables -A FORWARD -i eth0 -o eth0
and you will see quite a few hits, also in German. For instance http://www.linuxforen.de/forums/showthread.php?t=81200
It seems you are either doing something wrong or testing in the wrong way. (I'm not very familiar with forwarding rules.)
Kai
Hello,
The system you are trying to forward with has at least two NICs on different networks? However you are trying to forward between aliases on one NIC that is located on your internal network? And the other NIC connects to a DMZ or gateway network? This system is not a dedicated routing/forwarding system but runs other services for network clients/servers that connect to it?
Michael
Marcus Moeller wrote:
Hi,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
My guess is it will ACCEPT packets, but since you haven't defined a FORWARD or an OUTPUT chain it drops them.
As mentioned, I have added a rule like:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
to forward packages on the internal device.
Best Regards Marcus
Dear Michael,
The system you are trying to forward with has at least two NICs on different networks? However you are trying to forward between aliases on one NIC that is located on your internal network? And the other NIC connects to a DMZ or gateway network? This system is not a dedicated routing/forwarding system but runs other services for network clients/servers that connect to it?
Yes, that's true. We are routing between two internal networks on that box (migrating to core switch, soon).
But that's not the problem. I just wonder why the packages are dropped (as it worked correctly on the Slackware box, before - using the same ruleset)
Btw. it seems that 'service iptables save' fits to activate all other rulesets. And it is NOT necessary to define input and output rules for forwarding on an internal device.
Best Regards Marcus
Marcus Moeller wrote:
Hi,
iptables -L -v now shows:
0 0 ACCEPT all -- eth0 eth0 anywhere anywhere state NEW,RELATED,ESTABLISHED
But the packages are still dropped:
Feb 9 10:48:20 firewall kernel: DROP-TCP IN=eth0 OUT=eth0 SRC=192.168.100.192 DST=172.28.2.161 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=54 PROTO=TCP SPT=9100 DPT=4068 WINDOW=0 RES=0x00 ACK SYN URGP=0
My guess is it will ACCEPT packets, but since you haven't defined a FORWARD or an OUTPUT chain it drops them.
As mentioned, I have added a rule like:
/sbin/iptables -A FORWARD -i eth0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
to forward packages on the internal device.
It's not what you say that counts, it's what
iptables -L -v
says - and it's not there.
Good luck.
On Saturday 07 February 2009 13:17, Marcus Moeller wrote:
Iptables -nL
Show?
Here is the complete output (there are a lot of other rules active on that machine):
[snip]
Your rule is not showing up. How did you set this rule up? If you added it to your firewall rules you need to restart the firewall. If you added it by hand then it must have spit out an error as it didn't take.
Doesn't it fit to just execute service iptables save?
That depends. Are you using a script, other than the one provided by init.d, to start and set up your firewall? Then this is just going to save the running firewall to /etc/sysconfig/iptables. This is the file that is read by the script in init.d.