* how to automate ip_forward
@ 2004-07-08 12:00 Peter Marshall
2004-07-08 12:15 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Peter Marshall @ 2004-07-08 12:00 UTC (permalink / raw)
To: netfilter
Hey guys, I know this sounds stupid, but I cannot seem to get the value of
/proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
script with my rules in it and a startup script in rc2.d that calls it)

I also tried making a separate startup script just for the ip_forward and set
it to run as the last thing in rc2.d .....

If anyone has any suggestions, I would greatly appreciate it.

Thanks.
Peter
^ permalink raw reply [flat|nested] 7+ messages in thread

* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
@ 2004-07-08 12:15 ` Antony Stone
  2004-07-08 12:22 ` Patrick Leslie Polzer
  2004-07-08 12:54 ` Marco Colombo
  2 siblings, 0 replies; 7+ messages in thread
From: Antony Stone @ 2004-07-08 12:15 UTC (permalink / raw)
To: netfilter

On Thursday 08 July 2004 1:00 pm, Peter Marshall wrote:

> Hey guys, I know this sounds stupid, but I cannot seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)

If you have done that and it's still ending up as 0 afterwards, then
something else on your system must be writing 0 to it without you knowing.

Try doing a grep on everything in /etc downwards for ip_forward to see if
you can find some other script which is messing you about:

grep -ri ip_forward /etc

Regards,

Antony.

--
This email was created using 100% recycled electrons.

Please reply to the list; please don't CC me.
* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
  2004-07-08 12:15 ` Antony Stone
@ 2004-07-08 12:22 ` Patrick Leslie Polzer
  2004-07-08 12:19 ` Antony Stone
  2004-07-08 12:54 ` Marco Colombo
  2 siblings, 1 reply; 7+ messages in thread
From: Patrick Leslie Polzer @ 2004-07-08 12:22 UTC (permalink / raw)
To: netfilter

On Thu, 8 Jul 2004 09:00:04 -0300
"Peter Marshall" <peter.marshall@caris.com> wrote:

> Hey guys, I know this sounds stupid, but I cannot seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot.

How do you test?

Leslie
* Re: how to automate ip_forward
  2004-07-08 12:22 ` Patrick Leslie Polzer
@ 2004-07-08 12:19 ` Antony Stone
  2004-07-08 15:39 ` Patrick Leslie Polzer
  0 siblings, 1 reply; 7+ messages in thread
From: Antony Stone @ 2004-07-08 12:19 UTC (permalink / raw)
To: netfilter

On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:

> On Thu, 8 Jul 2004 09:00:04 -0300
> "Peter Marshall" <peter.marshall@caris.com> wrote:
> > Hey guys, I know this sounds stupid, but I cannot seem to get the value
> > of /proc/sys/net/ipv4/ip_forward to be 1 after boot.
>
> How do you test?

cat /proc/sys/net/ipv4/ip_forward is a pretty reliable indicator :)

Antony.

--
What is this talk of "software release"? Our software evolves and matures
until it is capable of escape, leaving a bloody trail of designers and
quality assurance people in its wake.

Please reply to the list; please don't CC me.
* Re: how to automate ip_forward
  2004-07-08 12:19 ` Antony Stone
@ 2004-07-08 15:39 ` Patrick Leslie Polzer
  0 siblings, 0 replies; 7+ messages in thread
From: Patrick Leslie Polzer @ 2004-07-08 15:39 UTC (permalink / raw)
To: netfilter

On Thu, 8 Jul 2004 13:19:57 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:
> > How do you test?
>
> cat /proc/sys/net/ipv4/ip_forward is a pretty reliable indicator :)

Sure ;), but maybe he just noticed that the box is not forwarding any
packets, which may of course be caused by a pre-installed FORWARD DROP
policy.

Leslie
* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
  2004-07-08 12:15 ` Antony Stone
  2004-07-08 12:22 ` Patrick Leslie Polzer
@ 2004-07-08 12:54 ` Marco Colombo
  2004-07-08 19:44 ` John A. Sullivan III
  2 siblings, 1 reply; 7+ messages in thread
From: Marco Colombo @ 2004-07-08 12:54 UTC (permalink / raw)
To: Peter Marshall; +Cc: netfilter

On Thu, 8 Jul 2004, Peter Marshall wrote:

> Hey guys, I know this sounds stupid, but I cannot seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)
>
> I also tried making a separate startup script just for the ip_forward and set
> it to run as the last thing in rc2.d .....
>
> If anyone has any suggestions, I would greatly appreciate it.
>
> Thanks.
> Peter

That depends on the distro you're running. On Red Hat / Fedora distros,
add (or change) the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

The echo you're using should work, just make sure nothing else
(i.e. sysctl) resets it to 0 later at boot time (but on RH and
Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
script).

As an alternative to the echo approach, you can use the sysctl
command directly in your script. My iptables scripts start with:

sysctl -w net.ipv4.ip_forward=0

and end with:

sysctl -w net.ipv4.ip_forward=1

so that forwarding is disabled while the scripts are messing with rules:
I tend to use the scripts at runtime now and then, disabling forwarding
is just safer.

.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo@ESI.it
* Re: how to automate ip_forward
  2004-07-08 12:54 ` Marco Colombo
@ 2004-07-08 19:44 ` John A. Sullivan III
  0 siblings, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2004-07-08 19:44 UTC (permalink / raw)
To: Marco Colombo; +Cc: Peter Marshall, netfilter

Marco Colombo wrote:

> On Thu, 8 Jul 2004, Peter Marshall wrote:
>
> > Hey guys, I know this sounds stupid, but I cannot seem to get the value of
> > /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
> > 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> > script with my rules in it and a startup script in rc2.d that calls it)
> >
> > I also tried making a separate startup script just for the ip_forward and set
> > it to run as the last thing in rc2.d .....
> >
> > If anyone has any suggestions, I would greatly appreciate it.
> >
> > Thanks.
> > Peter
>
> That depends on the distro you're running. On Red Hat / Fedora distros,
> add (or change) the following line to /etc/sysctl.conf:
>
> net.ipv4.ip_forward = 1
>
> The echo you're using should work, just make sure nothing else
> (i.e. sysctl) resets it to 0 later at boot time (but on RH and
> Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
> script).
>
> As an alternative to the echo approach, you can use the sysctl
> command directly in your script. My iptables scripts start with:
>
> sysctl -w net.ipv4.ip_forward=0
>
> and end with:
>
> sysctl -w net.ipv4.ip_forward=1
>
> so that forwarding is disabled while the scripts are messing with rules:
> I tend to use the scripts at runtime now and then, disabling forwarding
> is just safer.
>
> .TM.

Exactly. Plus, I believe you'll find that sysctl is called in
/etc/init.d/network.

As recommended, I tend to set the /etc/sysctl.conf setting to 0. While I
am there, I also disable redirects and source routing. I then enable
forwarding with the echo command (for platform independence) in my
scripts after all the security scripts have successfully run.

This way, if one of the iptables or *swan scripts fails, I fail safe and
the gateway does not forward - John

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
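The fail-safe pattern Marco and John describe (forwarding off before the rules are touched, the redirect and source-routing knobs disabled, forwarding turned on only after every step succeeded), together with Patrick's point that a FORWARD chain with policy DROP blocks forwarding even when ip_forward is 1, as an added shell example that is not a script from the thread. The SYSCTL_ROOT, LOAD_RULES and LIST_RULES hooks and the /etc/iptables.rules path are assumptions made for this example so the script can be exercised against a scratch directory without root; on a real gateway the defaults point at /proc/sys and iptables.

```shell
#!/bin/sh
# Fail-safe forwarding enable: added example, not a script from the thread.
# Forwarding is switched off first, the kernel is hardened, the rules are
# loaded, and only if every step succeeded is forwarding switched back on.
# The three hooks below are assumptions for this example; overriding them
# lets the script run against a scratch directory without root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
LOAD_RULES="${LOAD_RULES:-iptables-restore /etc/iptables.rules}"  # assumed rules file
LIST_RULES="${LIST_RULES:-iptables -S FORWARD}"

# sysctl_get KEY: print the current value of a dotted sysctl key.
sysctl_get() {
    cat "$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
}

# sysctl_set KEY VALUE: equivalent of `sysctl -w KEY=VALUE`; fails if the
# key does not exist or cannot be written (for example when not root).
sysctl_set() {
    f="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -e "$f" ] || { echo "sysctl_set: no such key $1" >&2; return 1; }
    printf '%s\n' "$2" > "$f"
}

# harden: forwarding off, then the redirect and source-routing knobs John
# mentions. Any failure aborts the chain, leaving forwarding off.
harden() {
    sysctl_set net.ipv4.ip_forward 0 &&
    sysctl_set net.ipv4.conf.all.accept_redirects 0 &&
    sysctl_set net.ipv4.conf.all.send_redirects 0 &&
    sysctl_set net.ipv4.conf.all.accept_source_route 0
}

# apply_firewall: harden, load the rules, enable forwarding only on success.
apply_firewall() {
    harden || { echo "hardening failed; forwarding stays off" >&2; return 1; }
    if sh -c "$LOAD_RULES"; then
        sysctl_set net.ipv4.ip_forward 1
    else
        echo "rule load failed; forwarding stays off" >&2
        return 1
    fi
}

# policy_of CHAIN: read `iptables -S` output on stdin, print CHAIN's policy.
policy_of() {
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3; exit }'
}

# check_forwarding: ip_forward=1 is necessary but not sufficient; a FORWARD
# chain whose policy is DROP forwards nothing unless a rule accepts it.
# Returns 1 if the kernel knob is off, 2 if the chain policy is DROP.
check_forwarding() {
    if [ "$(sysctl_get net.ipv4.ip_forward)" != 1 ]; then
        echo "ip_forward is 0: the kernel will not route between interfaces" >&2
        return 1
    fi
    policy=$(sh -c "$LIST_RULES" | policy_of FORWARD)
    if [ "$policy" = DROP ]; then
        echo "ip_forward is 1 but FORWARD policy is DROP: only explicitly accepted traffic is forwarded" >&2
        return 2
    fi
    echo "forwarding on, FORWARD policy ${policy:-unknown}"
}

case "${1:-}" in
    apply) apply_firewall ;;
    check) check_forwarding ;;
esac
```

Run as `sh fw.sh apply` from the rc script and `sh fw.sh check` when the box "is not forwarding": the check distinguishes the case Antony's `cat` answers (knob reset to 0 by something else at boot) from the case Patrick raises (knob is 1, chain policy is DROP). Because forwarding is written last and only after the rule load returned success, a failed `iptables-restore` leaves the gateway in the non-forwarding state rather than forwarding with a half-loaded ruleset.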
Thread overview: 7+ messages
2004-07-08 12:00 how to automate ip_forward Peter Marshall
2004-07-08 12:15 ` Antony Stone
2004-07-08 12:22 ` Patrick Leslie Polzer
2004-07-08 12:19   ` Antony Stone
2004-07-08 15:39     ` Patrick Leslie Polzer
2004-07-08 12:54 ` Marco Colombo
2004-07-08 19:44   ` John A. Sullivan III