* forward is not forwarding
From: Abraham Kim @ 2002-09-06 5:35 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Just installed RedHat, with two NICs, 10.1.1.1 and 192.168.1.1 each.
Added 2 rules in FORWARD, but I can't ping from 10.1.1.2 to 192.168.1.2,
vice versa.
(those 2 are Sun machines, got default route to 10.1.1.1 and 192.168.1.1
each)
iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
Did I miss anything simple here?
Should I arrange a routing module separately?
Thanks in advance,
Abraham
* Re: forward is not forwarding
From: Steve Mickeler @ 2002-09-06 5:41 UTC (permalink / raw)
To: Abraham Kim; +Cc: 'netfilter@lists.netfilter.org'
Did you enable IP forwarding at the kernel level ?
what does "cat /proc/sys/net/ipv4/ip_forward" show ?
If 0, then you need to enable IP forwarding by doing this:
echo 1 > /proc/sys/net/ipv4/ip_forward
On Fri, 6 Sep 2002, Abraham Kim wrote:
> Just installed RedHat, with two NICs, 10.1.1.1 and 192.168.1.1 each.
> Added 2 rules in FORWARD, but I can't ping from 10.1.1.2 to 192.168.1.2,
> vice versa.
> (those 2 are Sun machines, got default route to 10.1.1.1 and 192.168.1.1
> each)
>
> iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
> iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
>
> Did I miss anything simple here?
> Should I arrange a routing module separately?
>
> Thanks in advance,
> Abraham
>
[-] Steve Mickeler [ steve@neptune.ca ]
[|] Todays root password is brought to you by /dev/random
[+] 1024D/9AA80CDF = 4103 9E35 2713 D432 924F 3C2E A7B9 A0FE 9AA8 0CDF
* RE: forward is not forwarding
From: Stewart Thompson @ 2002-09-06 5:43 UTC (permalink / raw)
To: Abraham Kim, netfilter
Abraham:
Did you turn on forwarding in the kernel? In Redhat you
can use sysctl; I usually do it in my iptables script as such:
echo "1" > /proc/sys/net/ipv4/ip_forward
Stu
..
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Abraham Kim
Sent: September 5, 2002 10:36 PM
To: 'netfilter@lists.netfilter.org'
Subject: forward is not forwarding
Just installed RedHat, with two NICs, 10.1.1.1 and 192.168.1.1 each.
Added 2 rules in FORWARD, but I can't ping from 10.1.1.2 to 192.168.1.2,
vice versa.
(those 2 are Sun machines, got default route to 10.1.1.1 and 192.168.1.1
each)
iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
Did I miss anything simple here?
Should I arrange a routing module separately?
Thanks in advance,
Abraham
* RE: forward is not forwarding
From: R. Sterenborg @ 2002-09-06 6:14 UTC (permalink / raw)
To: netfilter
> > iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
> > iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
> Did you enable IP forwarding at the kernel level ?
> what does "cat /proc/sys/net/ipv4/ip_forward" show ?
>
> If 0, then you need to enable IP forwarding by doing this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
Do you need netfilter ?
How about your routing table (route -n)? Do you have routes like:
Destination Gateway Genmask
...
10.1.1.0 10.1.1.1 255.255.255.0
192.168.1.0 192.168.1.1 255.255.255.0
...
Rob
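Rob's suggestion to look at the routing table is a check worth automating on any two-NIC router. The script below is an added example, not something posted in the thread: it parses text in the format `route -n` prints and verifies that each of the two LANs from the original post has a connected route on the expected interface. The sample table is constructed; note that on Linux a directly connected network shows 0.0.0.0 in the Gateway column (the router's own address is not a gateway for its own subnet), so the check keys on Destination, Genmask and Iface rather than Gateway.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a Linux router's kernel
# routing table contains a route for each LAN it is supposed to join.

# Constructed sample of `route -n` output on a box with 10.1.1.1/24 on eth0
# and 192.168.1.1/24 on eth1. Connected networks have Gateway 0.0.0.0.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo'

# has_route TABLE DEST GENMASK [IFACE]
# Returns 0 if TABLE (text in `route -n` layout) has a line whose Destination
# and Genmask columns match and, when IFACE is given, whose Iface matches too.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" -v i="$4" '
        $1 == d && $3 == m && (i == "" || $8 == i) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_two_lans TABLE: both LANs from the thread must be routed out of the
# interface that carries them; a missing line means the NIC is not configured.
check_two_lans() {
    has_route "$1" 10.1.1.0 255.255.255.0 eth0 &&
    has_route "$1" 192.168.1.0 255.255.255.0 eth1
}

# Run against the live table when invoked with --live (needs net-tools).
if [ "${1:-}" = "--live" ]; then
    if check_two_lans "$(route -n)"; then
        echo "both LANs have a connected route"
    else
        echo "a LAN route is missing: check ifconfig/NIC configuration"
    fi
fi
```

Run it with `sh check_routes.sh --live` on the router; the functions can also be sourced and pointed at saved `route -n` output when diagnosing a box remotely.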
* RE: forward is not forwarding
From: Abraham Kim @ 2002-09-06 6:22 UTC (permalink / raw)
To: netfilter
Dear Stewart, Chris, Steve, and many others...
Thanks for giving me help on this.
I changed "0" to "1" in the ip_forward and
those 2 machines can talk to each other now. (Wow!)
Everything's perfect, except (this except is always a pain...)
telnet from Linux to Solaris takes too long to be established
(it looks hung after the Escape character... message)
It takes almost 1 minute to give a login prompt!
rlogin is the same (I get the command prompt after 1 min!)
(did not test ssh yet...)
From Solaris to Linux or Solaris to Solaris is not a problem.
I know it does not quite fit to this mailing list, but could anyone
shout at me if you had similar experience and a tip together?
Thanks,
Abraham
* RE: forward is not forwarding
From: Ferry van Steen @ 2002-09-06 6:24 UTC (permalink / raw)
To: netfilter
In my scripts I use
# Enable IPv4 Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable SYN Cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable spoof protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do echo 1 > $f;
done;
Anyone got others?
Kind regards,
Ferry van Steen
InfoPart Automatisering B.V.
Beeksestraat 24
4841 GC Prinsenbeek
The Netherlands
Phone: +31 (0)76 - 5 44 04 11
Fax: +31 (0)76 - 5 41 83 51
Mobile: +31 (0)6 - 28 46 47 45
E-Mail (business): ferry.van.steen@infopart.nl
E-Mail (private): freaky@bananateam.nl
MSN Messenger: freaky@freaky2000.dyndns.org
ICQ (UIN (seldom used)): 191458
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of R. Sterenborg
Sent: Friday 6 September 2002 8:15
To: netfilter@lists.netfilter.org
Subject: RE: forward is not forwarding
> > iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
> > iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
> Did you enable IP forwarding at the kernel level ?
> what does "cat /proc/sys/net/ipv4/ip_forward" show ?
>
> If 0, then you need to enable IP forwarding by doing this:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
Do you need netfilter ?
How about your routing table (route -n)? Do you have routes like:
Destination Gateway Genmask
...
10.1.1.0 10.1.1.1 255.255.255.0
192.168.1.0 192.168.1.1 255.255.255.0
...
Rob
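Several replies in this thread (Steve, Stewart, Michael, and Ferry's script above) converge on the same fix, so here is one consolidated router bring-up script as an added example; it is not code from any poster. It enables the sysctls Ferry lists, verifies each write actually took (the original problem was a 0 that nobody had checked), and installs the FORWARD rules from the original post. It goes slightly beyond the thread in one respect: the FORWARD chain gets a default DROP policy with a state match, so only connections initiated from either LAN and their replies are forwarded, rather than any packet at all. The sysctl root directory, interface names and the iptables binary are parameters (assumptions) so the functions can be exercised on ordinary files without root.

```shell
#!/bin/sh
# Added example, not the thread's own script: bring up a two-NIC Linux router
# as the replies describe (ip_forward, tcp_syncookies, rp_filter) and install
# a default-deny FORWARD chain that only passes traffic between the two LANs.
IPTABLES=${IPTABLES:-iptables}
LAN_IN=${LAN_IN:-eth0}     # 10.1.1.1 side in the original post
LAN_OUT=${LAN_OUT:-eth1}   # 192.168.1.1 side in the original post

# sysctl_is_on FILE: 0 if the sysctl file holds "1", 1 otherwise.
# This is the "cat /proc/sys/net/ipv4/ip_forward" check from the thread.
sysctl_is_on() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# sysctl_on FILE: set the sysctl to 1, then re-read it to verify the write.
sysctl_on() {
    echo 1 > "$1" && sysctl_is_on "$1"
}

# enable_forwarding_sysctls ROOT: ROOT is /proc/sys/net/ipv4 on a real box;
# the test below points it at a constructed directory tree instead.
enable_forwarding_sysctls() {
    root=$1
    sysctl_on "$root/ip_forward" || return 1       # route between the NICs
    sysctl_on "$root/tcp_syncookies" || return 1   # SYN flood protection
    for f in "$root"/conf/*/rp_filter; do          # reverse-path (spoof) filter
        sysctl_on "$f" || return 1
    done
}

# forward_rules: print the iptables commands that make up the FORWARD policy.
# Printed rather than executed so they can be reviewed, diffed or piped to sh.
forward_rules() {
    cat <<EOF
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IN -o $LAN_OUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_OUT -o $LAN_IN -m state --state NEW -j ACCEPT
EOF
}

# With --apply, do it for real (needs root on the router).
if [ "${1:-}" = "--apply" ]; then
    enable_forwarding_sysctls /proc/sys/net/ipv4 || { echo "sysctl failed" >&2; exit 1; }
    forward_rules | sh -e
    echo "forwarding enabled; ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Because `forward_rules` only prints, `sh router.sh --apply` is the one path that touches the kernel; `sh router.sh` alone is safe to run anywhere, and `forward_rules` can be compared against `iptables -L FORWARD -n -v` when auditing an existing box.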
* Re: forward is not forwarding
From: Anders Fugmann @ 2002-09-06 6:40 UTC (permalink / raw)
To: Abraham Kim; +Cc: netfilter
Abraham Kim wrote:
> telnet from Linux to Solaris takes too long to be established
> (it looks hung after the Escape character... message)
This has been seen before, and is easy to fix if my assumption is correct.
Try adding this to your firewall:
$ iptables -A FORWARD -p tcp --dport auth -j REJECT \
--reject-with tcp-reset
This will "reject" any packet destined for the auth port.
My guess is that the Solaris box does not have an auth daemon running,
and therefore Linux clients will "hang" while waiting for an answer from
the port.
Regards
Anders Fugmann
--
Author of FIAIF
Fiaif is an intelligent firewall
http://fiaif.fugmann.dhs.org
* Re: forward is not forwarding
From: Michael @ 2002-09-06 6:46 UTC (permalink / raw)
To: IPtables Users
Did you enable the kernel to do forwarding?
ie
echo 1 > /proc/sys/net/ipv4/ip_forward
Cheers,
Michael
Abraham Kim wrote:
> Just installed RedHat, with two NICs, 10.1.1.1 and 192.168.1.1 each.
> Added 2 rules in FORWARD, but I can't ping from 10.1.1.2 to
> 192.168.1.2, vice versa.
> (those 2 are Sun machines, got default route to 10.1.1.1 and
> 192.168.1.1 each)
>
> iptables -i eth0 -o eth1 -A FORWARD -j ACCEPT
> iptables -i eth1 -o eth0 -A FORWARD -j ACCEPT
>
> Did I miss anything simple here?
> Should I arrange a routing module separately?
>
> Thanks in advance,
> Abraham
* Re: forward is not forwarding
From: Michael @ 2002-09-06 9:09 UTC (permalink / raw)
To: IPtables Users
Abraham Kim wrote:
> Dear Stewart, Chris, Steve, and many others...
>
> Thanks for giving me help on this.
> <snip>
>
> I know it does not quite fit to this mailing list, but could anyone
> shout at me if you had similar experience and a tip together?
I'll bet it's the classic DNS problem in Linux.
Add the Solaris machine's name to /etc/hosts on Linux.
Or if the machines you are connecting to are on DNS, make sure the Linux
system can DNS the machines properly.
Cheers,
Michael
* Re: forward is not forwarding
From: Antony Stone @ 2002-09-06 9:45 UTC (permalink / raw)
To: netfilter
On Friday 06 September 2002 7:22 am, Abraham Kim wrote:
> Dear Stewart, Chris, Steve, and many others...
>
> Thanks for giving me help on this.
>
> I changed "0" to "1" in the ip_forward and
> those 2 machines can talk to each other now. (Wow!)
>
> Everything's perfect, except (this except is always a pain...)
> telnet from Linux to Solaris takes too long to be established
> (it looks hung after the Escape character... message)
>
> It almost takes 1 minutes to give login prompt!
> rlogin is the same (get the command prompt after 1 min!)
> (did not test ssh yet...)
>
> From Solaris to Linux or Solaris to Solaris is not a problem.
Your Solaris box is running tcpwrappers, and is trying to do an IDENT lookup
to the Linux box, and either your firewall is blocking it or the Linux box
isn't running an IDENT daemon and therefore doesn't respond.
The Linux box either isn't running tcpwrappers, so the lookup doesn't happen,
or else it is, and the firewall is allowing the request, and the Solaris box
is running an IDENT daemon, and replies.
Probably your quickest and easiest solution to this is to get the firewall to
REJECT the IDENT packets (TCP port 113) from the Solaris box so that it
doesn't have to wait for a timeout.
Antony.
--
Normal people think "if it ain't broke, don't fix it".
Engineers think "if it ain't broke, it doesn't have enough features yet".
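Anders and Antony both point at IDENT (TCP port 113) as the cause of the minute-long telnet delay. Two things a practitioner wants here: the REJECT rule, and a way to confirm that IDENT really is what is hanging before changing the firewall. The script below is an added example and not code from either reply. It prints the rule for a chain given as a parameter, because the chain depends on where the Linux end sits: if the box being telnetted from is the router itself (as in the original post, where the RedHat machine is the one doing the telnet), the Solaris box's IDENT request arrives on INPUT, not FORWARD; FORWARD is right only for a Linux client behind the router. The second function scans a packet capture for requests to port 113 that never get anything back. The two captures are constructed in the style of `tcpdump -n` output and use the thread's addresses (192.168.1.2 as the Solaris telnet server, 10.1.1.1 as the Linux box); they are assumptions, not real traces.

```shell
#!/bin/sh
# Added example, not from the thread: (1) the REJECT rule that stops a
# tcpwrappers host from waiting on an IDENT timeout, and (2) a check that a
# capture shows the symptom (IDENT requests sent, nothing ever answered).
IPTABLES=${IPTABLES:-iptables}

# ident_reject_rule CHAIN SRC: CHAIN is INPUT when the connecting Linux box
# is the router itself, FORWARD when it sits behind the router. A REJECT with
# tcp-reset makes the remote tcpwrappers give up immediately; a DROP would
# leave it waiting for its own timeout, which is exactly the delay seen here.
ident_reject_rule() {
    echo "$IPTABLES -A $1 -s $2 -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
}

# ident_unanswered CAPTURE: exit 0 if the capture has packets going to TCP
# port 113 but none coming back from port 113 (the timeout case); exit 1 if
# port 113 answered (RST or SYN/ACK) or was never contacted.
ident_unanswered() {
    printf '%s\n' "$1" | awk '
        / > [0-9.]+\.113: /   { to_ident++ }
        / IP [0-9.]+\.113 > / { from_ident++ }
        END {
            printf "packets to port 113: %d, from port 113: %d\n", to_ident, from_ident
            if (to_ident > 0 && from_ident == 0) exit 0
            exit 1
        }'
}

# Constructed capture: the telnet handshake completes at once, then the
# Solaris side retries its IDENT SYN three times and nothing ever answers.
HANGING_CAPTURE='06:30:01.000 IP 10.1.1.1.45678 > 192.168.1.2.23: S 10:10(0) win 5840
06:30:01.001 IP 192.168.1.2.23 > 10.1.1.1.45678: S 20:20(0) ack 11 win 8760
06:30:01.002 IP 10.1.1.1.45678 > 192.168.1.2.23: . ack 21 win 5840
06:30:01.010 IP 192.168.1.2.34567 > 10.1.1.1.113: S 30:30(0) win 8760
06:30:04.010 IP 192.168.1.2.34567 > 10.1.1.1.113: S 30:30(0) win 8760
06:30:10.010 IP 192.168.1.2.34567 > 10.1.1.1.113: S 30:30(0) win 8760'

# Constructed capture of the same moment after the REJECT rule is in place:
# the first IDENT SYN gets a RST straight back, so there is nothing to wait for.
FIXED_CAPTURE='06:31:01.010 IP 192.168.1.2.34567 > 10.1.1.1.113: S 30:30(0) win 8760
06:31:01.011 IP 10.1.1.1.113 > 192.168.1.2.34567: R 0:0(0) ack 31 win 0'

if [ "${1:-}" = "--demo" ]; then
    ident_reject_rule INPUT 192.168.1.2
    ident_unanswered "$HANGING_CAPTURE" && echo "IDENT is timing out"
    ident_unanswered "$FIXED_CAPTURE" || echo "IDENT is being answered"
fi
```

On a real box, feed the function a live capture with something like `ident_unanswered "$(tcpdump -n -c 50 tcp port 113)"` taken while a telnet session is stalling; if it reports zero packets to port 113, the delay is not IDENT at all, and the reverse-DNS explanation from Michael (and Abraham's eventual /etc/inet/hosts fix) is the next thing to check.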
* RE: forward is not forwarding
From: Abraham Kim @ 2002-09-07 1:26 UTC (permalink / raw)
To: netfilter
Everyone who gave me solutions, thanks!
About the delay when telnet'ing to Solaris from Linux,
I just added the Linux box hostname in Solaris machine's
/etc/inet/hosts
and bang, it's so quick now.
Thank you all~
Abraham