[CentOS] iptables: forwarding on internal device

Tue Feb 10 18:19:01 UTC 2009
Marcus Moeller <mm at gcug.de>

Good Evening,

>> The strange thing is that it seems to be blocked by netfilter. I am
>> using exactly the same rules on a Slackware Box without any problems.
> ----
> Slackware is the Key here Marcus. The two distros have different modules
> built into the kernel by default and maybe a cause for why it is happening?
> But Honestly I don't see how you are ever going to forward packets and
> requests with the below rule. How are you going to come into and back out of
> the same interface? That's why it want traverse How about -i eth0 -o eth1 or
> -I eth0 -o eth0:0

As mentioned before, the ruleset is now activated correctly as
iptables -L shows:

0     0 ACCEPT     all  --  eth0   eth0    anywhere anywhere state NEW,RELATED,ESTABLISHED

I must admit that it was not in my pastebin posts (my fault).

> -A FORWARD -i eth0 -o eth0 -m state --state \
> NEW,RELATED,ESTABLISHED -j ACCEPT
>
> When you use iptables save it does not save the rules you just put into
> it! You will have to edit /etc/sysconfig/iptables-config:
>
> # Unload modules on restart and stop
> #   Value: yes|no,  default: yes
> # This option has to be 'yes' to get to a sane state for a firewall
> # restart or stop. Only set to 'no' if there are problems unloading netfilter
> # modules.
> IPTABLES_MODULES_UNLOAD="yes"
>
> # Save current firewall rules on stop.
> #   Value: yes|no,  default: no
> # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
> # (e.g. on system shutdown).
> IPTABLES_SAVE_ON_STOP="yes"
>
> # Save current firewall rules on restart.
> #   Value: yes|no,  default: no
> # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
> # restarted.
> IPTABLES_SAVE_ON_RESTART="yes"

The rules are stored and activated with service iptables save (and all
other rules, e.g. routing into the DMZ, work fine).

I now begin to wonder if it's a routing issue and backroute problem, as
the response packet may come from a different MAC address:

LAN1 -> LINUX_ROUTER -> LAN2

Response:

LAN2 -> CORE-ROUTER(with LINUX_ROUTER as default Gateway) ->
LINUX_ROUTER | BLOCKED | LAN1

This may be the case as the CORE-ROUTER was not part of the network in
good ol' slacky times.

Best Regards
Marcus
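The asymmetric return path Marcus sketches (reply enters LINUX_ROUTER from the CORE-ROUTER on the same interface it must leave on) is exactly the situation the kernel's reverse-path filter (`net.ipv4.conf.<iface>.rp_filter`) drops a packet in, and such drops happen in the routing code before the FORWARD chain is consulted, so no `-i eth0 -o eth0 ACCEPT` rule can rescue them. The model below is an added example, not part of the thread or any project's code: it assumes constructed addresses (LAN1 on eth0 as 192.168.1.0/24, LAN2 on eth1 as 192.168.2.0/24, CORE-ROUTER reachable via eth0) and applies the strict and loose reverse-path checks to both directions of the flow described in the post.

```python
"""Model of the Linux reverse-path filter on the LINUX_ROUTER from the thread.

Constructed topology (hypothetical addresses, assumptions, not from the post):
  eth0: 192.168.1.0/24 (LAN1); CORE-ROUTER also sits on this segment
  eth1: 192.168.2.0/24 (LAN2)
"""
import ipaddress

# Constructed routing table of LINUX_ROUTER: (prefix, egress interface)
ROUTES = [
    ("192.168.1.0/24", "eth0"),
    ("192.168.2.0/24", "eth1"),
    ("0.0.0.0/0", "eth0"),       # default route via CORE-ROUTER (assumption)
]


def egress_interface(routes, dst):
    """Longest-prefix match: interface a packet to dst would leave on."""
    best_net, best_iface = None, None
    addr = ipaddress.ip_address(dst)
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def strict_rpf_accepts(routes, src, in_iface):
    """rp_filter=1: accept only if the route back to src uses the ingress interface."""
    return egress_interface(routes, src) == in_iface


def loose_rpf_accepts(routes, src, in_iface):
    """rp_filter=2 (kernels 2.6.31 and later): accept if any route to src exists."""
    return egress_interface(routes, src) is not None


# Constructed packets: (label, src, dst, ingress interface on LINUX_ROUTER)
FLOWS = [
    ("LAN1->LAN2 request", "192.168.1.10", "192.168.2.20", "eth0"),
    ("LAN2->LAN1 reply via CORE-ROUTER", "192.168.2.20", "192.168.1.10", "eth0"),
]


def evaluate(routes=ROUTES, flows=FLOWS):
    """Return {label: (strict_verdict, loose_verdict, egress_iface)} per packet.

    A packet failing the reverse-path check is discarded during route lookup,
    i.e. before netfilter's FORWARD chain runs, so the hairpin ACCEPT rule in
    the thread is never even evaluated for it.
    """
    result = {}
    for label, src, dst, in_iface in flows:
        result[label] = (
            "ACCEPT" if strict_rpf_accepts(routes, src, in_iface) else "DROP",
            "ACCEPT" if loose_rpf_accepts(routes, src, in_iface) else "DROP",
            egress_interface(routes, dst),
        )
    return result


if __name__ == "__main__":
    for label, (strict, loose, out) in evaluate().items():
        print(f"{label:36s} strict: {strict:6s} loose: {loose:6s} egress: {out}")
```

In this model the request passes (source 192.168.1.10 is routed back out eth0, where it arrived), but the reply arriving on eth0 with a LAN2 source is dropped under strict filtering because LINUX_ROUTER would reach 192.168.2.20 via eth1. On the live box the equivalent check is `sysctl net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.eth0.rp_filter`; setting `net.ipv4.conf.all.log_martians=1` makes the kernel log such drops as "martian source" messages, which distinguishes a routing-level drop from a netfilter one without guessing.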