Solution: NAT failure unless firewall is started twice
I'm running Fedora 10, so your mileage may vary. This is a problem I recently solved and thought that others might benefit from it.
I have a server with two NICs. My eth0 goes to my cable modem and eth1 goes to the internal network. Also, eth0 is the gateway for the network.
If the server is freshly booted, then the internal network machines cannot see the outside world. But the network became visible if the firewall was rebooted. Also, note that the firewall was the same both before and after restart.
The solution turns out to be the following:
In /etc/sysctl.conf, this must be set:
net.ipv4.ip_forward = 1
Otherwise NAT won't function. In my case, the firewall was actually setting ip_forward to the correct value, but the network service script was resetting all kernel params based on the content of /etc/sysctl.conf.
So, the old sequence went like this at boot:
firewall start # ip_forward turned on
network start # ip_forward turned off
firewall restart # ip_forward turned back on.
Now, with the setting properly set in sysctl.conf, the startup works correctly.
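The boot-order problem described in the post, replayed against constructed files so it can be run on any machine without root. This is an added example, not the poster's firewall script and not fiaif's code. File paths are parameters so that the functions can be exercised on throwaway copies; on a real host the files are /etc/sysctl.conf and /proc/sys/net/ipv4/ip_forward. The net.ipv4.ip_forward = 0 line in the simulated stock sysctl.conf is my assumption about what the network service's reload was applying; the post only says the reload turned forwarding off.

```sh
#!/bin/sh
# Added example (not from the forum post): show how a sysctl.conf reload undoes
# a firewall script's ip_forward=1, and check whether a given sysctl.conf would.
# Assumptions (mine): paths are passed in; real ones are /etc/sysctl.conf and
# /proc/sys/net/ipv4/ip_forward.

# Effective value of net.ipv4.ip_forward in a sysctl.conf-style file.
# Comments and blank lines are ignored and the last assignment wins, as with
# `sysctl -p`. Prints "unset" when the key never appears.
conf_ip_forward() {
    conf="$1"
    val=unset
    while read -r line || [ -n "$line" ]; do      # read trims surrounding whitespace
        line=${line%%#*}                           # drop trailing comments
        case "$line" in *=*) ;; *) continue ;; esac
        key=${line%%=*}; v=${line#*=}
        set -- $key; key=${1:-}                    # strip whitespace around key
        set -- $v;   v=${1:-}                      # and around the (single-token) value
        case "$key" in
            net.ipv4.ip_forward|net/ipv4/ip_forward) val=$v ;;  # sysctl accepts both spellings
        esac
    done < "$conf"
    printf '%s\n' "$val"
}

# Current kernel setting, read from the procfs file (default: the real one).
runtime_ip_forward() {
    tr -d '[:space:]' < "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# Simulate `sysctl -p CONF` for this one key: write the configured value into
# the procfs-like file. This is the step the network start script performs.
# Writing to the real /proc file needs root.
apply_conf() {
    conf="$1"; procfile="$2"
    v=$(conf_ip_forward "$conf")
    [ "$v" = unset ] || printf '%s\n' "$v" > "$procfile"
}

# Compare runtime state with what a reload would apply.
# Exit status: 0 consistent; 1 the exact failure from the post (on now, reload
# turns it off); 2 on now but not persisted; 3 configured on but kernel off;
# 4 off everywhere.
diagnose() {
    conf="$1"; procfile="${2:-/proc/sys/net/ipv4/ip_forward}"
    now=$(runtime_ip_forward "$procfile")
    cfg=$(conf_ip_forward "$conf")
    case "$now/$cfg" in
        1/1) echo "ok: forwarding is on and $conf keeps it on across a reload"; return 0 ;;
        1/0) echo "WARNING: forwarding is on now, but $conf says 0: a sysctl reload turns it off"; return 1 ;;
        1/*) echo "note: forwarding is on now, but $conf does not persist it"; return 2 ;;
        */1) echo "note: $conf says 1 but the kernel says $now: reload with sysctl -p"; return 3 ;;
        *)   echo "forwarding is off and $conf does not enable it: NAT cannot work"; return 4 ;;
    esac
}

# Replay the boot order from the post on constructed files:
# firewall start (writes 1), network start (reloads sysctl.conf), then diagnose.
demo_boot_sequence() {
    d=$(mktemp -d)
    printf '1\n' > "$d/proc"                               # firewall start
    printf 'net.ipv4.ip_forward = 0\n' > "$d/sysctl.conf"  # assumed stock content
    echo "after firewall start: ip_forward=$(runtime_ip_forward "$d/proc")"
    apply_conf "$d/sysctl.conf" "$d/proc"                  # network start
    echo "after network start:  ip_forward=$(runtime_ip_forward "$d/proc")"
    diagnose "$d/sysctl.conf" "$d/proc" || true
    rm -rf "$d"
}

# Usage:  sh ipfwd_check.sh demo          (replay on constructed files)
#    or:  . ./ipfwd_check.sh; diagnose /etc/sysctl.conf   (real host, no root needed to read)
if [ "${1:-}" = demo ]; then demo_boot_sequence; fi
```

On a live box, `diagnose /etc/sysctl.conf` reads the real /proc file (world-readable) and tells you whether the next `sysctl -p`, which is what a network-service restart effectively runs, would switch forwarding off behind your firewall script's back. The fix the post arrived at is the 1/1 case: set it in sysctl.conf so the reload and the firewall agree.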
It seems like a fairly common newbie mistake to believe that the iptables service script will take care of enabling IP forwarding. As you've found out, that isn't the case. The sysctl.conf suggestion you've made is pretty much the standard way of making sure IP forwarding is enabled. Another option would be to echo into /proc from a startup script (such as rc.local).
Just to be clear, the firewall was setting ip_forward but the networking script which comes after the firewall at boot time was actually re-executing the sysctl.conf file. That re-execution was shutting ip_forward off. I am not using the iptables service at all; I'm using another firewall. Prior to Fedora 10, I had no need to set ip_forward in the conf file.
Thanks for the clarification. They most likely prefer it if people use the actual iptables service, with which you'll need to edit sysctl.conf anyway. But if you didn't see this behavior before then it could be a bug I guess. You could break your script into two sections, one for iptables commands and one for setting kernel parameters (which you'd place further down the startup, like in rc.local, for example). Although, honestly, the cleanest choice IMHO is indeed sysctl.conf.
BTW, why aren't you using the iptables service?
I doubt that there are any theys who would have any preference for how or whether I set up my firewall. There are a number of firewall encapsulations out there for iptables. The one I use is something called fiaif, for Fiaif Is An Intelligent Firewall. It's easy to configure and it gives very fine controls.
Quote:
I doubt that there are any theys who would have any preference for how or whether I set up my firewall.
LOL! Good point.
Quote:
There are a number of firewall encapsulations out there for iptables. The one I use is something called fiaif, for Fiaif Is An Intelligent Firewall. It's easy to configure and it gives very fine controls.
You should check in with their mailing list to see what's up.
I mean, if FIAIF is supposed to let you set kernel parameters, and they are getting reset, that's a bug.