IP Forwarding/Routing not working in Fedora 2
I just upgraded my RedHat 9 server with a clean installation of Fedora Core 2. This machine acts as a gateway to the other computers in my house but is no longer routing traffic since the upgrade. Here's what I've checked so far:
I have "net.ipv4.ip_forward = 1" set in /etc/sysctl.conf.
echo 1 > /proc/sys/net/ipv4/ip_forward
ipt_MASQUERADE module is loaded
I've tried this with iptables off

Here's my current /etc/sysconfig/iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

eth0 is my trusted interface, eth1 is the one hooked up to the Internet. I can get out from my Fedora box, I can ssh into it from a remote computer, but hosts on my internal network cannot get out. Pinging from an internal host resolves the name but the ping never makes it out. Any help is greatly appreciated!
umm I think you need to add the actual masquerading to the iptables rules...something like this could do:
/sbin/iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
/sbin/iptables --append FORWARD --in-interface eth0 -j ACCEPT

try that out :)
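The ruleset in the first post and the two rules suggested above can be checked statically before anything is loaded into the kernel. The script below is an added example for this thread, not code from either poster: it parses iptables-save text, walks the FORWARD chain (following the jump into RH-Firewall-1-INPUT) and the nat POSTROUTING chain for three representative packets, and reports what a masquerading gateway is missing. The posted ruleset is embedded as copied from the thread; the second ruleset is a constructed, tighter alternative (NAT on eth1, FORWARD limited to LAN-originated flows and their replies). Only the match options that appear on this page are modelled.

```python
"""Static check of an iptables-save ruleset for what a masquerading gateway needs.
Added example for this thread; not the original poster's or replier's code."""

# Ruleset from the first post (/etc/sysconfig/iptables), copied verbatim.
POSTED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed gateway fragment (hypothetical, not from the thread): masquerade on the
# WAN side, forward only LAN-originated flows and the replies to them.
GATEWAY_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Return ({table: {chain: policy}}, [(table, chain, args)]) from iptables-save text."""
    chains, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):                 # table header
            table = line[1:]
            chains.setdefault(table, {})
        elif line.startswith(':'):               # chain declaration: ':NAME POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            chains[table][name] = policy         # '-' marks a user-defined chain
        elif line.startswith('-A'):
            parts = line.split()
            rules.append((table, parts[1], parts[2:]))
    return chains, rules

# Match options that take a value; only those used on this page are interpreted.
_TWO_ARG = {'-i', '--in-interface', '-o', '--out-interface', '-p', '--dport',
            '--state', '--icmp-type', '-m'}

def matches(args, pkt):
    """True if the match part of a rule applies to pkt (dict of packet attributes)."""
    i = 0
    while i < len(args) and args[i] != '-j':
        opt = args[i]
        val = args[i + 1] if i + 1 < len(args) else None
        if opt in ('-i', '--in-interface') and pkt.get('in_if') != val:
            return False
        if opt in ('-o', '--out-interface') and pkt.get('out_if') != val:
            return False
        if opt == '-p' and val != 'all' and pkt.get('proto') != val:
            return False
        if opt == '--dport' and str(pkt.get('dport')) != val:
            return False
        if opt == '--state' and pkt.get('state') not in val.split(','):
            return False
        i += 2 if opt in _TWO_ARG else 1
    return True

def verdict(chains, rules, table, chain, pkt):
    """Walk a chain, following jumps into user chains; None = chain absent or fell through."""
    for tbl, chn, args in rules:
        if tbl != table or chn != chain or '-j' not in args or not matches(args, pkt):
            continue
        target = args[args.index('-j') + 1]
        if target == 'RETURN':
            break
        if chains[table].get(target) == '-':      # jump into a user-defined chain
            result = verdict(chains, rules, table, target, pkt)
            if result is not None:
                return result
        else:
            return target
    policy = chains.get(table, {}).get(chain)
    return None if policy == '-' else policy

def gateway_checks(text, lan_if, wan_if):
    """Evaluate three representative packets; an empty list means the gateway looks right."""
    chains, rules = parse_rules(text)
    outbound = {'in_if': lan_if, 'out_if': wan_if, 'proto': 'tcp', 'dport': 80, 'state': 'NEW'}
    reply = {'in_if': wan_if, 'out_if': lan_if, 'proto': 'tcp', 'state': 'ESTABLISHED'}
    unsolicited = {'in_if': wan_if, 'out_if': lan_if, 'proto': 'tcp', 'dport': 22, 'state': 'NEW'}
    findings = []
    if verdict(chains, rules, 'nat', 'POSTROUTING', outbound) != 'MASQUERADE':
        findings.append('no MASQUERADE in nat/POSTROUTING: replies to private LAN addresses cannot return')
    if verdict(chains, rules, 'filter', 'FORWARD', outbound) != 'ACCEPT':
        findings.append('FORWARD does not accept LAN -> WAN traffic')
    if verdict(chains, rules, 'filter', 'FORWARD', reply) != 'ACCEPT':
        findings.append('FORWARD does not accept established replies WAN -> LAN')
    if verdict(chains, rules, 'filter', 'FORWARD', unsolicited) == 'ACCEPT':
        findings.append('FORWARD accepts unsolicited WAN -> LAN connections (tested tcp/22)')
    return findings

if __name__ == '__main__':
    for name, text in (('posted', POSTED_RULES), ('gateway', GATEWAY_RULES)):
        print(name, gateway_checks(text, 'eth0', 'eth1') or ['ok'])
```

Against the posted ruleset the check reports two things: there is no nat table at all, so nothing masquerades, and because FORWARD jumps into the same chain as INPUT, the ports opened for the gateway's own services are also accepted for forwarded traffic. The constructed fragment passes all three packets. The script deliberately reads only the ruleset; it says nothing about /proc/sys/net/ipv4/ip_forward or about what default route the clients actually received, which is where this thread ends up.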
Yeah, I tried that before (and again right now) and it didn't work :-( It worked fine in RH9. I can't help but think I'm missing something stupid. Here's the output of "iptables -L":
------------------------------------------
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT               all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source               destination
ACCEPT     udp  --  127.127.1.0          anywhere            udp spt:ntp dpt:ntp
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
------------------------------------------

It looks like it should be forwarding all input... I have no idea where to go from here.
hmm...odd. Mine worked like magic: when I first set up the ethernet so I could ping others and then just set the masquerade and forward iptables rules... and of course set /proc/sys/net/ipv4/ip_forward to 1.
I really can't imagine a solution now... I'll post here if I get an idea. So the pings don't work either?
Pings work from my Linux box itself but not from any other hosts on my network (using it as a gateway). Do I need to add the lines you recommended at a specific location in my /etc/sysconfig/iptables?
I'm really at a loss here. Don't know where else to turn :-)
I think you need to add the MASQUERADE rule too.
Quote:
would give a more detailed output.
Well, I'm almost embarrassed to admit it. I knew it would be something stupid! I upgraded the firmware on two of my routers last week. Apparently this turned DHCP back on (both of them, Linksys AND Netgear) and they were feeding incorrect information to my clients. Once I turned them both back off, my clients picked up the correct information from my "real" DHCP server and were able to find their gateway :-)
Interesting though... my dhcpd.leases is empty.... Thanks everyone!! Just goes to show you, sometimes you _have_ to ask the obvious questions (is the power on?!) :-P
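The actual cause turned out to be two consumer routers answering DHCP alongside the "real" dhcpd and handing clients a wrong gateway. One way to catch that on a LAN is to look at the DHCPOFFERs clients receive and compare the server identifier (option 54) and router (option 3) with what the network is supposed to have. The script below is an added example for this thread, not code from any poster: it builds two minimal DHCPOFFER messages from constructed addresses (192.168.1.2 standing in for the Linux gateway's dhcpd, 192.168.1.1 for a router whose DHCP server came back on), parses the BOOTP header and option area, and flags offers from an untrusted server or with an unexpected router. Feeding it real packets (for example from a raw socket or a capture file) is left to the reader.

```python
"""Flag DHCP offers that come from an unexpected server or advertise the wrong gateway.
Added example for this thread (not the poster's code); all addresses are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b'\x63\x82\x53\x63'
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2

def build_offer(yiaddr, router, server_id, xid=0x3903f326):
    """Construct a minimal DHCPOFFER (test data built here, not a capture)."""
    packed = lambda a: IPv4Address(a).packed
    header = struct.pack('!BBBBIHH4s4s4s4s16s64s128s',
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,            # op, htype, hlen, hops, xid, secs, flags
                         b'\0' * 4, packed(yiaddr), packed(server_id), b'\0' * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         b'\0' * 16, b'\0' * 64, b'\0' * 128)      # chaddr, sname, file
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
               + bytes([OPT_ROUTER, 4]) + packed(router)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options

def parse_dhcp(pkt):
    """Parse the fixed BOOTP header and the TLV option area of a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError('not a DHCP message')
    op, xid = pkt[0], struct.unpack('!I', pkt[4:8])[0]
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {'op': op, 'xid': xid, 'yiaddr': IPv4Address(pkt[16:20]), 'options': options}

def check_offer(pkt, trusted_servers, expected_router):
    """Return a list of problems with an offer; an empty list means it came from where it should."""
    msg = parse_dhcp(pkt)
    opts = msg['options']
    if msg['op'] != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return ['not a DHCPOFFER']
    server = IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    router = IPv4Address(opts[OPT_ROUTER]) if OPT_ROUTER in opts else None
    problems = []
    if server not in {IPv4Address(s) for s in trusted_servers}:
        problems.append(f'offer from unexpected DHCP server {server}')
    if router != IPv4Address(expected_router):
        problems.append(f'offer hands out router {router}, expected {expected_router}')
    return problems

# Constructed scenario: 192.168.1.2 runs the real dhcpd and is the gateway;
# 192.168.1.1 is a consumer router whose own DHCP server is back on.
TRUSTED_SERVERS = ['192.168.1.2']
EXPECTED_ROUTER = '192.168.1.2'
GOOD_OFFER = build_offer('192.168.1.50', EXPECTED_ROUTER, '192.168.1.2')
ROGUE_OFFER = build_offer('192.168.1.100', '192.168.1.1', '192.168.1.1')

if __name__ == '__main__':
    for name, offer in (('good', GOOD_OFFER), ('rogue', ROGUE_OFFER)):
        print(name, check_offer(offer, TRUSTED_SERVERS, EXPECTED_ROUTER) or ['ok'])
```

The rogue offer is reported twice, once for the server identifier and once for the router option; either alone is enough to explain a client that resolves names but whose packets never reach the intended gateway, and the empty dhcpd.leases file mentioned above is the same symptom seen from the legitimate server's side.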
heh - well, good you got it working :)