* how to automate ip_forward
@ 2004-07-08 12:00 Peter Marshall
2004-07-08 12:15 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Peter Marshall @ 2004-07-08 12:00 UTC (permalink / raw)
To: netfilter
Hey guys, I know this sounds stupid, but I can not seem to get the value of
/proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
script with my rules in it and a startup script in rc2.d that calls it)

I also tried making a separate startup script just for the ip_forward and set
it to run as the last thing in rc2.d .....

If anyone has any suggestions, I would greatly appreciate it.

Thanks.
Peter
* Re: how to automate ip_forward
From: Antony Stone @ 2004-07-08 12:15 UTC (permalink / raw)
To: netfilter

On Thursday 08 July 2004 1:00 pm, Peter Marshall wrote:
> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)

If you have done that and it's still ending up as 0 afterwards, then something
else on your system must be writing 0 to it without you knowing.

Try doing a grep on everything in /etc downwards for ip_forward to see if you
can find some other script which is messing you about:

grep -ri ip_forward /etc

Regards,

Antony.

--
This email was created using 100% recycled electrons.

Please reply to the list; please don't CC me.
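Antony's grep finds every mention of ip_forward, including reads and commented-out lines. The script below is an added example (not from the thread, not Antony's own) that narrows the search to lines which actually set the value, and reports which value each one sets, so a boot script that resets it to 0 stands out. It recognises both the echo-to-/proc form and the sysctl key form seen in this thread; the directory to scan is an argument (the thread uses /etc; the usage below builds a small constructed tree instead).

```shell
#!/bin/sh
# Added example, not from the thread. List every non-comment line under a
# config tree that sets net.ipv4.ip_forward, with the value it sets.
# Recognised forms:
#   echo 0 > /proc/sys/net/ipv4/ip_forward
#   net.ipv4.ip_forward = 0      (sysctl.conf, or "sysctl -w net.ipv4.ip_forward=0")
# Output, one line per hit:  <file>:<line> ip_forward=<0|1|unknown>
# ("unknown" covers lines that only read the file, e.g. a cat)

find_forward_writers() {
    tree="$1"
    # -r recurse, -I skip binaries, -n line numbers; ignore unreadable files
    grep -rIn 'ip_forward' "$tree" 2>/dev/null | while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        lineno=${rest%%:*}
        text=${rest#*:}
        # Drop any trailing comment; skip lines that are entirely a comment
        code=${text%%#*}
        case "$code" in *ip_forward*) ;; *) continue ;; esac
        value=$(printf '%s\n' "$code" | sed -n \
            -e 's/.*echo[[:space:]]*"\{0,1\}\([01]\)"\{0,1\}[[:space:]]*>.*ip_forward.*/\1/p' \
            -e 's/.*ip_forward[[:space:]]*=[[:space:]]*"\{0,1\}\([01]\).*/\1/p' | sed -n '1p')
        printf '%s:%s ip_forward=%s\n' "$file" "$lineno" "${value:-unknown}"
    done
}

# Number of writers that would leave forwarding off. Anything non-zero is a
# candidate for the "something else is writing 0" that Antony suspects.
count_forward_resets() {
    find_forward_writers "$1" | grep -c 'ip_forward=0$'
}

# Usage on a real box:  find_forward_writers /etc
# Constructed sample tree, so the script can be tried without touching /etc:
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/init.d"
printf 'net.ipv4.ip_forward = 1\n' > "$demo_tree/sysctl.conf"
printf '#!/bin/sh\n# echo 1 > /proc/sys/net/ipv4/ip_forward\necho 0 > /proc/sys/net/ipv4/ip_forward\n' \
    > "$demo_tree/init.d/network"
printf '#!/bin/sh\nsysctl -w net.ipv4.ip_forward=1\n' > "$demo_tree/init.d/firewall"
find_forward_writers "$demo_tree"
rm -rf "$demo_tree"
```

In the constructed tree the commented-out echo in init.d/network is ignored, the live "echo 0" on line 3 is reported as ip_forward=0, and the two writers of 1 are listed so the ordering at boot can be reasoned about.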
* Re: how to automate ip_forward
From: Patrick Leslie Polzer @ 2004-07-08 12:22 UTC (permalink / raw)
To: netfilter

On Thu, 8 Jul 2004 09:00:04 -0300 "Peter Marshall" <peter.marshall@caris.com> wrote:
> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot.

How do you test?

Leslie
* Re: how to automate ip_forward
From: Antony Stone @ 2004-07-08 12:19 UTC (permalink / raw)
To: netfilter

On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:
> On Thu, 8 Jul 2004 09:00:04 -0300
> "Peter Marshall" <peter.marshall@caris.com> wrote:
> > Hey guys, I know this sounds stupid, but I can not seem to get the value
> > of /proc/sys/net/ipv4/ip_forward to be 1 after boot.
>
> How do you test?

cat /proc/sys/net/ipv4/ip_forward

is a pretty reliable indicator :)

Antony.

--
What is this talk of "software release"? Our software evolves and matures
until it is capable of escape, leaving a bloody trail of designers and
quality assurance people in its wake.

Please reply to the list; please don't CC me.
* Re: how to automate ip_forward
From: Patrick Leslie Polzer @ 2004-07-08 15:39 UTC (permalink / raw)
To: netfilter

On Thu, 8 Jul 2004 13:19:57 +0100 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Thursday 08 July 2004 1:22 pm, Patrick Leslie Polzer wrote:
> > How do you test?
>
> cat /proc/sys/net/ipv4/ip_forward is a pretty reliable indicator :)

Sure ;), but maybe he just noticed that the box is not forwarding any
packets, which may of course be caused by a pre-installed FORWARD DROP policy.

Leslie
* Re: how to automate ip_forward
From: Marco Colombo @ 2004-07-08 12:54 UTC (permalink / raw)
To: Peter Marshall; +Cc: netfilter

On Thu, 8 Jul 2004, Peter Marshall wrote:
> Hey guys, I know this sounds stupid, but I can not seem to get the value of
> /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
> script with my rules in it and a startup script in rc2.d that calls it)
>
> I also tried making a separate starup script just for the ip_forward and set
> it to run in as the last thing in rc2,d .....
>
> If anyone has any suggestions, I would greatly appreciate it.
>
> Thanks.
> Peter

That depends on the distro you're running. On Red Hat / Fedora distros,
add (or change) the following line to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

The echo you're using should work, just make sure nothing else
(i.e. sysctl) resets it to 0 later at boot time (but on RH and
Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
script).

As an alternative to the echo approach, you can use the sysctl
command directly in your script. My iptables scripts start with:

sysctl -w net.ipv4.ip_forward=0

and end with:

sysctl -w net.ipv4.ip_forward=1

so that forwarding is disabled while the scripts are messing with rules:
I tend to use the scripts at runtime now and then, disabling forwarding
is just safer.

.TM.
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo@ESI.it
* Re: how to automate ip_forward
From: John A. Sullivan III @ 2004-07-08 19:44 UTC (permalink / raw)
To: Marco Colombo; +Cc: Peter Marshall, netfilter

Marco Colombo wrote:
> On Thu, 8 Jul 2004, Peter Marshall wrote:
>
>> Hey guys, I know this sounds stupid, but I can not seem to get the value of
>> /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo
>> 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash
>> script with my rules in it and a startup script in rc2.d that calls it)
>>
>> I also tried making a separate starup script just for the ip_forward and set
>> it to run in as the last thing in rc2,d .....
>>
>> If anyone has any suggestions, I would greatly appreciate it.
>>
>> Thanks.
>> Peter
>
> That depends on the distro you're running. On Red Hat / Fedora distros,
> add (or change) the following line to /etc/sysctl.conf:
>
> net.ipv4.ip_forward = 1
>
> The echo you're using should work, just make sure nothing else
> (i.e. sysctl) resets it to 0 later at boot time (but on RH and
> Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345]
> script).
>
> As an alternative to the echo approach, you can use the sysctl
> command directly in your script. My iptables scripts start with:
>
> sysctl -w net.ipv4.ip_forward=0
>
> and end with:
>
> sysctl -w net.ipv4.ip_forward=1
>
> so that forwarding is disabled while the scripts are messing with rules:
> I tend to use the scripts at runtime now and then, disabling forwarding
> is just safer.
>
> .TM.

Exactly. Plus, I believe you'll find that sysctl is called in
/etc/init.d/network. As recommended, I tend to set the /etc/sysctl.conf
setting to 0. While I am there, I also disable redirects and source
routing. I then enable forwarding with the echo command (for platform
independence) in my scripts after all the security scripts have
successfully run. This way, if one of the iptables or *swan scripts
fails, I fail safe and the gateway does not forward - John

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
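Marco's "start with 0, end with 1" pattern and John's fail-safe ordering (sysctl.conf defaults to 0, forwarding enabled by echo only after every security script has succeeded) fit together into one start script. The script below is an added example, not from the thread and not either poster's own; it assumes a SYSCTL_ROOT variable, introduced here only so the logic can be exercised against a scratch directory instead of /proc/sys, and it takes its rule steps as names of shell functions so a failing step is easy to detect. The iptables commands in the sample steps are ordinary placeholders for a real ruleset.

```shell
#!/bin/sh
# Added example, not from the thread and not either poster's own script.
# Fail-safe gateway bring-up in the order Marco and John describe:
#   1. turn forwarding off,
#   2. apply every rule step, stopping at the first failure,
#   3. turn forwarding on only if every step succeeded.
# A failure leaves ip_forward=0, so the box never forwards with a
# half-loaded ruleset.
#
# SYSCTL_ROOT is an assumption made for this example: it defaults to
# /proc/sys for real use and can point at a scratch tree for a dry run.

forward_file() {
    printf '%s/net/ipv4/ip_forward\n' "${SYSCTL_ROOT:-/proc/sys}"
}

# Written through the /proc file rather than sysctl(8), as John does,
# so the script does not depend on the distro's sysctl wrapper.
set_forwarding() {
    echo "$1" > "$(forward_file)"
}

get_forwarding() {
    cat "$(forward_file)"
}

# Each argument names a shell function holding one rule step.
# Returns 1 at the first failing step, 0 when every step succeeded.
apply_rules() {
    for step in "$@"; do
        if ! "$step"; then
            echo "rule step failed: $step" >&2
            return 1
        fi
    done
    return 0
}

# Off, apply, on-only-if-ok. Returns 0 on success; 1 when a step failed,
# in which case forwarding is left at 0 (the safe state).
bring_up_gateway() {
    set_forwarding 0 || return 1
    if apply_rules "$@"; then
        set_forwarding 1
    else
        echo "leaving ip_forward=0 until the rules are fixed" >&2
        return 1
    fi
}

# Boot-time defaults in the spirit of John's /etc/sysctl.conf: forwarding
# off until the firewall script enables it, redirects and source routing off.
print_sysctl_defaults() {
    cat <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# Sample rule steps for real use; replace with the actual ruleset.
rules_policy()  { iptables -P FORWARD DROP && iptables -F FORWARD; }
rules_forward() { iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT; }

# Usage:  sh gateway.sh start      (as root, against the real /proc/sys)
#         sh gateway.sh sysctl     (print the sysctl.conf fragment)
case "${1:-}" in
    start)  bring_up_gateway rules_policy rules_forward ;;
    sysctl) print_sysctl_defaults ;;
esac
```

Because every step is checked, a typo in one iptables line or a failed *swan start leaves the gateway non-forwarding and prints which step failed, instead of passing traffic through whatever rules happened to load before the error.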