From: "John A. Sullivan III" <John.Sullivan@nexusmgmt.com>
To: Marco Colombo <netfilter@esiway.net>
Cc: Peter Marshall <peter.marshall@caris.com>,
	netfilter <netfilter@lists.netfilter.org>
Subject: Re: how to automate ip_forward
Date: Thu, 08 Jul 2004 15:44:51 -0400	[thread overview]
Message-ID: <40EDA433.40900@nexusmgmt.com> (raw)
In-Reply-To: <Pine.LNX.4.44.0407081443070.3962-100000@Megathlon.ESI>

Marco Colombo wrote:
> On Thu, 8 Jul 2004, Peter Marshall wrote:
> 
> 
>>Hey guys, I know this sounds stupid, but I can not seem to get the value of
>>/proc/sys/net/ipv4/ip_forward to be 1 after boot.  I tried putting the echo
>>1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
>>script with my rules in it and a startup script in rc2.d that calls it)
>>
>>I also tried making a separate startup script just for the ip_forward and set
>>it to run as the last thing in rc2.d .....
>>
>>If anyone has any suggestions, I would greatly appreciate it.
>>
>>Thanks.
>>Peter
> 
> 
> That depends on the distro you're running. On Red Hat / Fedora distros,
> add (or change) the following line to /etc/sysctl.conf:
> 
> net.ipv4.ip_forward = 1
> 
> The echo you're using should work, just make sure nothing else
> (i.e. sysctl) resets it to 0 later at boot time (but on RH and
> Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
> script).
> 
> As an alternative to the echo approach, you can use the sysctl
> command directly in your script. My iptables scripts start with:
> 
>   sysctl -w net.ipv4.ip_forward=0
> 
> and end with:
> 
>   sysctl -w net.ipv4.ip_forward=1
> 
> so that forwarding is disabled while the scripts are messing with rules:
> I tend to use the scripts at runtime now and then, disabling forwarding
> is just safer.
> 
> .TM.
Exactly.  Plus, I believe you'll find that sysctl is called in 
/etc/init.d/network.
As recommended, I tend to set the /etc/sysctl.conf setting to 0.  While 
I am there, I also disable redirects and source routing.  I then enable 
forwarding with the echo command (for platform independence) in my 
scripts after all the security scripts have successfully run.  This way, 
if one of the iptables or *swan scripts fails, I fail safe and the 
gateway does not forward - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
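The fail-safe ordering John describes (forwarding off via sysctl.conf, redirects and source routing disabled, forwarding enabled by echo only after every security script succeeds), as an added example that is not from the thread. SYSCTL_ROOT and the script names are assumptions added so the logic can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Fail-safe gateway bring-up: forwarding starts at 0, ICMP redirects and
# source routing are disabled, and ip_forward is set to 1 with a plain echo
# only after every security script has succeeded.
# SYSCTL_ROOT (defaults to /proc/sys) is an assumption added for testing.

knob_path() {
    echo "${SYSCTL_ROOT:-/proc/sys}/net/ipv4/$1"
}

# Write a value with echo rather than sysctl(8), for platform independence.
# Returns non-zero if the write fails (missing knob, no permission).
set_knob() {
    echo "$2" > "$(knob_path "$1")"
}

# Baseline hardening: no forwarding, no ICMP redirects, no source routing.
harden() {
    set_knob ip_forward 0 &&
    set_knob conf/all/accept_redirects 0 &&
    set_knob conf/all/send_redirects 0 &&
    set_knob conf/all/accept_source_route 0
}

# Run each security script (iptables, *swan, ...) in order; stop at the first
# failure so a half-configured gateway never starts forwarding.
run_security_scripts() {
    for s in "$@"; do
        if ! "$s"; then
            echo "security script '$s' failed; forwarding stays disabled" >&2
            return 1
        fi
    done
}

# Entry point: harden, run the scripts, and enable forwarding last.
bring_up_gateway() {
    harden || return 1
    run_security_scripts "$@" || return 1
    set_knob ip_forward 1
}

# Current forwarding state (0 or 1), useful for a post-boot check.
forwarding_state() {
    cat "$(knob_path ip_forward)"
}

# Example invocation as root (script paths are hypothetical):
#   bring_up_gateway /etc/firewall/rules.sh /etc/ipsec/up.sh
```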

