ip forwarding and iptables

All of lore.kernel.org
 help / color / mirror / Atom feed

* ip forwarding and iptables
@ 2006-05-15 21:21 Angel Tsankov
  2006-05-15 22:41 ` Robert Nichols
  0 siblings, 1 reply; 4+ messages in thread
From: Angel Tsankov @ 2006-05-15 21:21 UTC (permalink / raw)
  To: ML: netfilter

I have 2 PCs: one configured as gateway (PC1) and the other one (PC2) configured to use PC1 as gateway. PC1 runs a custom Linux 
distribution. It has ip
forwarding enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf).
As far as I understand, I do not need to do anything else to make the kernel route traffic to and from PC2, right?
However, if I have one PC more - PC3, and I do not wnat to route traffic to and from it I need to configure the kernel, e.g. with
the help of iptables. Now if I do so, i.e. use iptables to configure the kernel, save the iptables configuration, setup the system
to reload it at startup (using the init.d scripts), is there any moment (during system startup) when ip forwarding has been enabled
but the iptables configuration has not yet been loaded and traffic could be routed to and from PC3?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ip forwarding and iptables
  2006-05-15 21:21 ip forwarding and iptables Angel Tsankov
@ 2006-05-15 22:41 ` Robert Nichols
  2006-05-16  6:52   ` Angel Tsankov
  2006-05-16  6:55   ` Angel Tsankov
  0 siblings, 2 replies; 4+ messages in thread
From: Robert Nichols @ 2006-05-15 22:41 UTC (permalink / raw)
  To: netfilter

Angel Tsankov wrote:
> I have 2 PCs: one configured as gateway (PC1) and the other one (PC2) 
> configured to use PC1 as gateway. PC1 runs a custom Linux distribution. 
> It has ip
> forwarding enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> 
> /etc/sysctl.conf).
> As far as I understand, I do not need to do anything else to make the 
> kernel route traffic to and from PC2, right?
> However, if I have one PC more - PC3, and I do not wnat to route traffic 
> to and from it I need to configure the kernel, e.g. with
> the help of iptables. Now if I do so, i.e. use iptables to configure the 
> kernel, save the iptables configuration, setup the system
> to reload it at startup (using the init.d scripts), is there any moment 
> (during system startup) when ip forwarding has been enabled
> but the iptables configuration has not yet been loaded and traffic could 
> be routed to and from PC3?

It's pretty hard to guess what your "custom Linux distribution" might
be doing.  Usually, at startup the iptables service is started before
starting networking, and during shutdown networking is stopped before
stopping (unloading) iptables.

How much more you might need to do in order to get traffic routed
depends on details about your network addressing that you have not
provided.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ip forwarding and iptables
  2006-05-15 22:41 ` Robert Nichols
@ 2006-05-16  6:52   ` Angel Tsankov
  2006-05-16  6:55   ` Angel Tsankov
  1 sibling, 0 replies; 4+ messages in thread
From: Angel Tsankov @ 2006-05-16  6:52 UTC (permalink / raw)
  To: netfilter, Robert Nichols

>> I have 2 PCs: one configured as gateway (PC1) and the other one (PC2) configured to use PC1 as gateway. PC1 runs a custom Linux 
>> distribution. It has ip
>> forwarding enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf).
>> As far as I understand, I do not need to do anything else to make the kernel route traffic to and from PC2, right?
>> However, if I have one PC more - PC3, and I do not wnat to route traffic to and from it I need to configure the kernel, e.g. with
>> the help of iptables. Now if I do so, i.e. use iptables to configure the kernel, save the iptables configuration, setup the 
>> system
>> to reload it at startup (using the init.d scripts), is there any moment (during system startup) when ip forwarding has been 
>> enabled
>> but the iptables configuration has not yet been loaded and traffic could be routed to and from PC3?
>
> It's pretty hard to guess what your "custom Linux distribution" might
> be doing.  Usually, at startup the iptables service is started before
> starting networking, and during shutdown networking is stopped before
> stopping (unloading) iptables.

My linux distro is LFS.

>
> How much more you might need to do in order to get traffic routed
> depends on details about your network addressing that you have not
> provided.

Well, it seems that enabling ip forwarding on PC1 is sufficient to route traffice to and from PC2 as the latter can ping hosts on 
the Internet and browse web sites. The network configurations is as follows:
PC1 has a single NIC:
IP=172.16.0.3
PREFIX=24
BROADCAST=172.16.0.255

PC2 has a single NIC, too:
IP address = 172.16.0.4
subnet mask = 255.255.255.0
default gateway = 172.16.0.3

iptables have NOT been installed on PC1. So, if PC3 is configured similarly to PC2, it could too have access to the Internet, right?

And lastly, two more quesions:
-What exactly does ip forwarding mean?
-If I install the iptables service, and use it to configure the kernel not to route traffice for PC3, how can I ensure that the 
iptables service gets started before starting networking, so that there won't be a time slice when PC3 will have access to the 
Internet? 



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ip forwarding and iptables
  2006-05-15 22:41 ` Robert Nichols
  2006-05-16  6:52   ` Angel Tsankov
@ 2006-05-16  6:55   ` Angel Tsankov
  1 sibling, 0 replies; 4+ messages in thread
From: Angel Tsankov @ 2006-05-16  6:55 UTC (permalink / raw)
  To: netfilter


>> I have 2 PCs: one configured as gateway (PC1) and the other one (PC2)
>> configured to use PC1 as gateway. PC1 runs a custom Linux distribution. It has ip
>> forwarding enabled (e.g. by echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf).
>> As far as I understand, I do not need to do anything else to make the kernel route traffic to and from PC2, right?
>> However, if I have one PC more - PC3, and I do not wnat to route traffic to and from it I need to configure the kernel, e.g. with
>> the help of iptables. Now if I do so, i.e. use iptables to configure the kernel, save the iptables configuration, setup the 
>> system
>> to reload it at startup (using the init.d scripts), is there any moment (during system startup) when ip forwarding has been 
>> enabled
>> but the iptables configuration has not yet been loaded and traffic could be routed to and from PC3?
>
> It's pretty hard to guess what your "custom Linux distribution" might
> be doing.  Usually, at startup the iptables service is started before
> starting networking, and during shutdown networking is stopped before
> stopping (unloading) iptables.

My linux distro is LFS.

> How much more you might need to do in order to get traffic routed
> depends on details about your network addressing that you have not
> provided.

Well, it seems that enabling ip forwarding on PC1 is sufficient to route traffice to and from PC2 as the latter can ping hosts on
the Internet and browse web sites. The network configurations is as follows:
PC1 has a single NIC:
IP=172.16.0.3
PREFIX=24
BROADCAST=172.16.0.255

PC2 has a single NIC, too:
IP address = 172.16.0.4
subnet mask = 255.255.255.0
default gateway = 172.16.0.3

iptables have NOT been installed on PC1. So, if PC3 is configured similarly to PC2, it could too have access to the Internet, right?

And lastly, two more quesions:
-What exactly does ip forwarding mean?
-If I install the iptables service, and use it to configure the kernel not to route traffice for PC3, how can I ensure that the
iptables service gets started before starting networking, so that there won't be a time slice when PC3 will have access to the
Internet? 



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2006-05-16  6:55 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-05-15 21:21 ip forwarding and iptables Angel Tsankov
2006-05-15 22:41 ` Robert Nichols
2006-05-16  6:52   ` Angel Tsankov
2006-05-16  6:55   ` Angel Tsankov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.