Linux Netfilter discussions
* how to automate ip_forward
@ 2004-07-08 12:00 Peter Marshall
  2004-07-08 12:15 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Peter Marshall @ 2004-07-08 12:00 UTC (permalink / raw)
  To: netfilter

Hey guys, I know this sounds stupid, but I can not seem to get the value of
/proc/sys/net/ipv4/ip_forward to be 1 after boot.  I tried putting the echo
1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
script with my rules in it and a startup script in rc2.d that calls it)

I also tried making a separate startup script just for the ip_forward and set
it to run in as the last thing in rc2.d .....

If anyone has any suggestions, I would greatly appreciate it.

Thanks.
Peter




* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
@ 2004-07-08 12:15 ` Antony Stone
  2004-07-08 12:22 ` Patrick Leslie Polzer
  2004-07-08 12:54 ` Marco Colombo
  2 siblings, 0 replies; 7+ messages in thread
From: Antony Stone @ 2004-07-08 12:15 UTC (permalink / raw)
  To: netfilter

On Thursday 08 July 2004 1:00 pm, Peter Marshall wrote:

> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot.  I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)

If you have done that and it's still ending up as 0 afterwards, then something 
else on your system must be writing 0 to it without you knowing.

Try doing a grep on everything in /etc downwards for ip_forward to see if you 
can find some other script which is messing you about:

grep -ri ip_forward /etc

Regards,

Antony.

-- 
This email was created using 100% recycled electrons.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: how to automate ip_forward
  2004-07-08 12:22 ` Patrick Leslie Polzer
@ 2004-07-08 12:19   ` Antony Stone
  2004-07-08 15:39     ` Patrick Leslie Polzer
  0 siblings, 1 reply; 7+ messages in thread
From: Antony Stone @ 2004-07-08 12:19 UTC (permalink / raw)
  To: netfilter

On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:

> On Thu, 8 Jul 2004 09:00:04 -0300
>
> "Peter Marshall" <peter.marshall@caris.com> wrote:
> > Hey guys, I know this sounds stupid, but I can not seem to get the value
> > of /proc/sys/net/ipv4/ip_forward to be 1 after boot.
>
> How do you test?

cat /proc/sys/net/ipv4/ip_forward is a pretty reliable indicator :)

Antony.

-- 
What is this talk of "software release"?
Our software evolves and matures until it is capable of escape, leaving a 
bloody trail of designers and quality assurance people in its wake.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
  2004-07-08 12:15 ` Antony Stone
@ 2004-07-08 12:22 ` Patrick Leslie Polzer
  2004-07-08 12:19   ` Antony Stone
  2004-07-08 12:54 ` Marco Colombo
  2 siblings, 1 reply; 7+ messages in thread
From: Patrick Leslie Polzer @ 2004-07-08 12:22 UTC (permalink / raw)
  To: netfilter

On Thu, 8 Jul 2004 09:00:04 -0300
"Peter Marshall" <peter.marshall@caris.com> wrote:

> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot.
How do you test?

Leslie



* Re: how to automate ip_forward
  2004-07-08 12:00 how to automate ip_forward Peter Marshall
  2004-07-08 12:15 ` Antony Stone
  2004-07-08 12:22 ` Patrick Leslie Polzer
@ 2004-07-08 12:54 ` Marco Colombo
  2004-07-08 19:44   ` John A. Sullivan III
  2 siblings, 1 reply; 7+ messages in thread
From: Marco Colombo @ 2004-07-08 12:54 UTC (permalink / raw)
  To: Peter Marshall; +Cc: netfilter

On Thu, 8 Jul 2004, Peter Marshall wrote:

> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot.  I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)
> 
> I also tried making a separate startup script just for the ip_forward and set
> it to run in as the last thing in rc2.d .....
> 
> If anyone has any suggestions, I would greatly appreciate it.
> 
> Thanks.
> Peter

That depends on the distro you're running. On Red Hat / Fedora distros,
add (or change) the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

The echo you're using should work, just make sure nothing else
(i.e. sysctl) resets it to 0 later at boot time (but on RH and
Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
script).

As an alternative to the echo approach, you can use the sysctl
command directly in your script. My iptables scripts start with:

  sysctl -w net.ipv4.ip_forward=0

and end with:

  sysctl -w net.ipv4.ip_forward=1

so that forwarding is disabled while the scripts are messing with rules:
I tend to use the scripts at runtime now and then, disabling forwarding
is just safer.

.TM.
-- 
      ____/  ____/   /
     /      /       /			Marco Colombo
    ___/  ___  /   /		      Technical Manager
   /          /   /			 ESI s.r.l.
 _____/ _____/  _/		       Colombo@ESI.it




* Re: how to automate ip_forward
  2004-07-08 12:19   ` Antony Stone
@ 2004-07-08 15:39     ` Patrick Leslie Polzer
  0 siblings, 0 replies; 7+ messages in thread
From: Patrick Leslie Polzer @ 2004-07-08 15:39 UTC (permalink / raw)
  To: netfilter

On Thu, 8 Jul 2004 13:19:57 +0100
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:
> > How do you test?
> 
> cat /proc/sys/net/ipv4/ip_forward is a pretty reliable indicator :)
Sure ;), but maybe he just noticed that the box is not forwarding
any packets, which may of course be caused by a pre-installed FORWARD
DROP policy.

Leslie



* Re: how to automate ip_forward
  2004-07-08 12:54 ` Marco Colombo
@ 2004-07-08 19:44   ` John A. Sullivan III
  0 siblings, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2004-07-08 19:44 UTC (permalink / raw)
  To: Marco Colombo; +Cc: Peter Marshall, netfilter



Marco Colombo wrote:
> On Thu, 8 Jul 2004, Peter Marshall wrote:
> 
> 
>>Hey guys, I know this sounds stupid, but I can not seem to get the value of
>>/proc/sys/net/ipv4/ip_forward to be 1 after boot.  I tried putting the echo
>>1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
>>script with my rules in it and a startup script in rc2.d that calls it)
>>
>>I also tried making a separate startup script just for the ip_forward and set
>>it to run in as the last thing in rc2.d .....
>>
>>If anyone has any suggestions, I would greatly appreciate it.
>>
>>Thanks.
>>Peter
> 
> 
> That depends on the distro you're running. On Red Hat / Fedora distros,
> add (or change) the following line to /etc/sysctl.conf:
> 
> net.ipv4.ip_forward = 1
> 
> The echo you're using should work, just make sure nothing else
> (i.e. sysctl) resets it to 0 later at boot time (but on RH and
> Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
> script).
> 
> As an alternative to the echo approach, you can use the sysctl
> command directly in your script. My iptables scripts start with:
> 
>   sysctl -w net.ipv4.ip_forward=0
> 
> and end with:
> 
>   sysctl -w net.ipv4.ip_forward=1
> 
> so that forwarding is disabled while the scripts are messing with rules:
> I tend to use the scripts at runtime now and then, disabling forwarding
> is just safer.
> 
> .TM.
Exactly.  Plus, I believe you'll find that sysctl is called in 
/etc/init.d/network.
As recommended, I tend to set the /etc/sysctl.conf setting to 0.  While 
I am there, I also disable redirects and source routing.  I then enable 
forwarding with the echo command (for platform independence) in my 
scripts after all the security scripts have successfully run.  This way, 
if one of the iptables or *swan scripts fails, I fail safe and the 
gateway does not forward - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
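
The fail-safe pattern Marco and John describe (forwarding off before the rules load, back on only when every step succeeded), written up as an added example that is not from any poster in this thread. `load_rules` is a hypothetical stand-in for the real iptables commands, and `IP_FORWARD` can be pointed at a scratch file so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread. Forwarding is disabled before the
# rules are loaded and re-enabled only if loading succeeded, so a broken
# rule script leaves the gateway non-forwarding instead of wide open.
# IP_FORWARD defaults to the real sysctl path; override it for testing.
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# Write 0 or 1 to the forwarding knob (the "echo" approach from the thread).
set_forward() {
    echo "$1" > "$IP_FORWARD"
}

# Read the current value, the check Antony suggests.
get_forward() {
    cat "$IP_FORWARD"
}

# Hypothetical rule loader: a real script runs its iptables commands here.
# It fails when called with the argument "fail" so the failure path can be
# exercised.
load_rules() {
    [ "$1" != "fail" ]
}

# Returns 0 with forwarding on when the rules loaded, 1 with forwarding
# still off when they did not.
apply_firewall() {
    set_forward 0 || return 1
    if load_rules "$1"; then
        set_forward 1
        return 0
    fi
    echo "rule load failed; forwarding stays off" >&2
    return 1
}

# Print the value a sysctl.conf-style file assigns to a key (what the
# boot-time "sysctl -p" pass Marco mentions will apply); prints nothing
# if the key is not set. Last assignment wins, as with sysctl itself.
sysctl_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1
}
```

If `sysctl_conf_value /etc/sysctl.conf net.ipv4.ip_forward` prints 0, that file is one candidate for what resets the value at boot.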


