Hello:

I have a setup like the following with IP addresses of the different interfaces shown:

Host A (3.0.0.2)<---->(3.0.0.1)Linux Box(3.0.1.1)<----->(3.0.1.2)Host B

I am trying to send packets from Host A to Host B and vice versa, however I cannot get Linux to forward the packets. I have tried the following steps:

set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
reboot

I can ping fine on all the interfaces (except of course I cannot ping between Host A and Host B). I am running Red Hat release 5.2. Below is some output from tcpdump, netstat, route, and ifconfig - all from the Linux Box. I can't seem to get any useful information as to why the packets aren't going through. Can someone enlighten me as to how to set this up properly?

Thanks,
Zack

------------------------------------------------------------------------

[root@localhost eth2]# netstat -s
Ip:
18810015 total packets received
0 forwarded
0 incoming packets discarded
50 incoming packets delivered
56 requests sent out
Icmp:
6 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 6
6 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 6
IcmpMsg:
InType3: 6
OutType3: 6
Tcp:
0 active connections openings
0 passive connection openings
0 failed connection attempts
0 connection resets received
0 connections established
0 segments received
0 segments send out
0 segments retransmited
0 bad segments received.
0 resets sent
Udp:
38 packets received
6 packets to unknown port received.
0 packet receive errors
44 packets sent
TcpExt:
0 packets header predicted
0 TCP data loss events
IpExt:
InMcastPkts: 30
OutMcastPkts: 36
InBcastPkts: 95

--------------------------------------------------------------------


[root@localhost eth2]# tcpdump -i eth2 -vv
tcpdump: listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
02:26:34.976099 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto: TCP (6), length: 46) 3.0.0.1.0 > 3.0.1.2.0: ., cksum 0x3143 (correct), 0:6(6) win 0

----------------------------------------------------------------------

ifconfig output for relevant interfaces:
eth2 Link encap:Ethernet HWaddr 00:1B:21:36:09:B4
inet addr:3.0.0.1 Bcast:3.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:18809621 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1128577260 (1.0 GiB) TX bytes:7902 (7.7 KiB)

eth3 Link encap:Ethernet HWaddr 00:1B:21:36:09:B5
inet addr:3.0.1.1 Bcast:3.0.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:7897 (7.7 KiB)

----------------------------------------------------------------------

[root@localhost eth2]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.23.25.128 0.0.0.0 255.255.255.128 U 0 0 0 eth0
3.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
3.0.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
0.0.0.0 172.23.25.129 0.0.0.0 UG 0 0 0 eth0

is the issue not on the host machines? Do they have routes to the remote network via your middle man?

Hey Acid, actually the two "hosts" on either side are traffic generators so I can force them to send packets. As you can see from the incrementing Rx counters from "ifconfig eth2," packets are received by the Linux Box, and somewhere in the kernel they are disappearing. The tcpdump shows (I think) that the IP header is correct.

As acid_kewpie said did you check the route?
You should tell to the hostB how to reach hostA network and vice versa

Hmm, ok, deleting what i'd previously written here, yeah OK so traffic is hitting it. do you have any firewall stuff running? What does iptables -L -n -v say?

let's cat /proc/sys/net/ipv4/ip_forward to prove it's set. You did an echo and then reboot the box, so that will wipe out that config so you've only got the first sysctl detail being relevant.

Hey Acid, thanks for helping me out. It looks like iptables output might give us a clue. I see that FORWARDING target is some firewall and large number of packets are getting counted as "REJECT." I'm not very familiar with iptables, I imagine I can just turn this firewall off and ACCEPT all packets on the FORWARD chain?

BTW, I did cat /proc/sys/net/ipv4/ip_forward and it is set, as is /proc/sys/net/ipv4/conf/eth2 and /proc/sys/net/ipv4/conf/eth3.

Thanks,
Zack

-----------------------------------------------------------------------

[root@localhost kfa]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
73180 109M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6685K 308M RH-Firewall-1-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 37567 packets, 2051K bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
36 4179 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 255
0 0 ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT ah -- * * 0.0.0.0/0 0.0.0.0/0
39 9581 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
73011 108M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
6685K 308M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Yeah that'll do it. just shutdown / flush iptables temporarily, not going to cause any issues.

Yup, works fine now. Thanks again!