Old 04-23-2008, 04:57 PM   #1
vkmgeek
Member
 
Registered: Feb 2006
Location: Ahmedabad
Distribution: rhel5
Posts: 185
setting router in SLES


Hi,
I want to set a router in Linux. My distro is SLES10 SP1.
My network configuration is as below.

Machine-A ----------> Router SLES10 box ----------> Machine-B
(x.x.57.2)     (eth1-x.x.57.1)(eth2-y.y.59.1)      (y.y.59.2)


I tried doing
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. iptables -A FORWARD -s y.y.59.2 -d x.x.57.2
3. iptables -A FORWARD -s y.y.57.2 -d x.x.59.2


But nothing is working. Firewall is also off. Do I have to restart the iptables service? But in SLES, if I do service iptables restart, it gives no such service...

Your help would be more than welcome.
 
Old 04-23-2008, 07:08 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

I once used my laptop to route internet traffic between my desktop & wireless router. (The desktop didn't have wireless then.) (Using openSUSE.)

Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward
This is done as well in the YaST interface setup. If you enable forwarding, that is what is done in the startup scripts.

You also need to configure the routes. You can use the "route" or "ip" command for that.

I found that I also needed to enable the "ip_conntrack" module before routing would work. On the kernel that I use now the names of the modules have changed. I think that you want to modprobe the "nf_conntrack_ipv4" and "nf_conntrack_ipv4" kernel modules. I am not certain about the old name. It might have been ip_conntrack or maybe tcp_conntrack.

Anyway, configuring the routes and modprobing the *_conntrack modules are parts you are missing. You shouldn't need to configure iptables unless you are also configuring NAT. And even that you may be able to do from the YaST2 interface & firewall configuration wizards.

I wouldn't bother with this and instead use a NAT router. However, if you want to run a proxy or IDS, then running a Linux router (or brouter) would enable you to handle all of the internet traffic.

----

Also look in the /etc/sysconfig/SuSEfirewall2 script. You can make a lot of general changes like NAT, selecting interfaces, or inserting custom rules there. This file is well commented and structured to work with the SuSEfirewall2 script/service.

Editing this file is equivalent to running "YaST2 firewall". Here is a part that deals with forwarding:
Code:
## Type:        yesno
## Default:     no
#
# 5.)
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="no"

Last edited by jschiwal; 04-23-2008 at 07:13 PM.
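
An added example (not from any poster in this thread): a shell script that prints the router-side commands for the topology in the first post, using a default-drop FORWARD policy, plus the static route each end host needs. A FORWARD rule with no `-j` target only counts packets and leaves the verdict to the chain policy, so `count_targetless` flags such rules. Interfaces eth1/eth2 are from the thread; the subnets are constructed documentation ranges standing in for the masked x.x.57.0 and y.y.59.0 networks, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Nothing here changes the system: the functions only
# print commands so they can be reviewed before being run as root.

# gen_router_cmds IF_A NET_A IF_B NET_B
# Emit commands that enable forwarding and allow traffic only between
# the two named subnets, each bound to its own interface.
gen_router_cmds() {
    if_a=$1; net_a=$2; if_b=$3; net_b=$4
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -i $if_a -o $if_b -s $net_a -d $net_b -j ACCEPT
iptables -A FORWARD -i $if_b -o $if_a -s $net_b -d $net_a -j ACCEPT
EOF
}

# gen_host_route REMOTE_NET ROUTER_IP
# Emit the route an end host needs to reach the far subnet via the router.
gen_host_route() {
    echo "ip route add $1 via $2"
}

# count_targetless
# Read commands on stdin; print how many FORWARD appends carry neither
# -j nor -g and therefore never decide a packet's fate.
count_targetless() {
    awk '/^iptables -A FORWARD/ && !/ -(j|g) / { n++ } END { print n + 0 }'
}

# Constructed sample values (documentation address ranges).
NET_A=192.0.2.0/24;    ROUTER_A=192.0.2.1     # Machine-A side, eth1
NET_B=198.51.100.0/24; ROUTER_B=198.51.100.1  # Machine-B side, eth2

echo "# on the router:"
gen_router_cmds eth1 "$NET_A" eth2 "$NET_B"
echo "# on Machine-A:"
gen_host_route "$NET_B" "$ROUTER_A"
echo "# on Machine-B:"
gen_host_route "$NET_A" "$ROUTER_B"
```

To apply the router part, pipe the output of `gen_router_cmds` to `sh` as root on the router.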
 
Old 04-24-2008, 02:57 AM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Quote:
But in SLES, if I do service iptables restart, it gives no such service...
In SuSE (certainly OpenSuSE and its predecessor SuSE Linux - I'm assuming SLES is the same) firewalling is done in two phases, both called SuSE-firewall-something-or-another. So these are the processes that you would need to stop and start.

So, while these use Iptables, that isn't the name of the service.

You can (& probably should) do this from Yast, as Yast can get a bit upset if you go behind its back and do things elsewhere that you should do from Yast. Look for the services menu.
 
Old 04-24-2008, 03:02 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Does SLED have the same rc* scripts that openSUSE does? If so, then "sudo /sbin/rcSuSEfirewall2 restart" will restart your firewall. However, restarting your firewall will clear out the rules at the start of the script.
 
Old 04-24-2008, 05:11 PM   #5
vkmgeek
Member
 
Registered: Feb 2006
Location: Ahmedabad
Distribution: rhel5
Posts: 185

Original Poster
Thanks all
The problem is solved now.
 
  

