LinuxQuestions.org
Old 09-11-2014, 06:10 AM   #1
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Packet forwarding: rc.firewall vs. rc.ip_forward


Hi,

I'm running Slackware64 14.1 on my LAN server, a little HP Proliant box that acts as local firewall, router, proxy, file server etc.

My firewall is a simple hand-crafted rc.firewall script. Among other things, it contains a line to forward packets:

Code:
# Packet forwarding
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE
The rc.ip_forward script is activated accordingly.

I wonder if this is the right place for the forwarding iptables rule. I'm hesitant about putting it somewhere in rc.ip_forward.

How do you folks configure this?
 
Old 09-11-2014, 06:35 AM   #2
StreamThreader
Member
 
Registered: Mar 2012
Location: Ukraine/Odesa
Distribution: Slackware
Posts: 152

I use the same way: create rc.firewall and invoke it from rc.local if its execute bit is set.
 
Old 09-11-2014, 07:10 AM   #3
kikinovak
MLED Founder
 
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453

Original Poster
Quote:
Originally Posted by StreamThreader
I use the same way: create rc.firewall and invoke it from rc.local if its execute bit is set.
You don't need to invoke it from rc.local. Check out /etc/rc.d/rc.inet2:

Code:
# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux.  In some cases this might need to
# be moved past the section below dealing with IP packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi
My question was: does rc.firewall or rc.ip_forward seem a more appropriate place to put an iptables packet forwarding rule?
 
1 members found this post helpful.
Old 09-11-2014, 08:18 AM   #4
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Quote:
Originally Posted by kikinovak
My question was: does rc.firewall or rc.ip_forward seem a more appropriate place to put an iptables packet forwarding rule?
Thanks for educating me. I didn't even know that rc.ip_forward existed. But I haven't used Slackware as a router for a while.

Whenever I've set up Slackware as a multiple port router I just put everything into rc.firewall. I started this practice a few years ago and the rc.xxxx files have changed some over the years. My rc.firewall scripts were long and of course customized for the router needs at the time. I put all the kernel flag setting (via the /proc system) in the first section of the script where I also set up the variables used by the script.

As you know it's all just scripts, one script running another, so it's just an organizational style issue.

If I was setting up a router today I would try to follow the default Slackware structure as much as possible and put my firewall rules in rc.firewall. I'd let the rc.inet2 script run both rc.firewall and rc.ip_forward as it looks like it does these days.

This way rc.ip_forward could stay unaltered and all the changes that happen over time are confined to the rc.firewall file. If I want to see the state of things with the firewall setup on a box I would find most of the information in the appropriately named "rc.firewall" file.

Regarding the sequence of running the scripts, note the sentence in your quote about possibly changing the order in which these two scripts execute...

Code:
In some cases this might need to be moved past the section below dealing with IP packet forwarding.
As I mentioned, I always enabled the forwarding first. I note this in case you end up using the default rc.inet2 method and have trouble. Current documentation on netfilter will probably describe the sequence issues.

HTH

EDIT: Organizationally, notice that the rc.ip_forward file doesn't use the "iptables" command. Only kernel flags are set.

It is probably better to keep all of your "iptables" commands in the same file so you can more easily spot sequencing issues or other conflicting command problems. (of course that could still be in the rc.ip_forward file)

The naming of the file "rc.ip_forward" suggests its purpose. To put commands other than "forwarding" commands in the file makes it less clean. You could argue that your iptables command is about forwarding, but if you add additional iptables commands later they should be kept together, and those iptables commands may not be about packet forwarding.

Whew...a lot of typing over a single iptables command.

EDIT2: allend and 55020 make better arguments in much less space.

Last edited by TracyTiger; 09-11-2014 at 09:22 AM. Reason: Drank more coffee and woke up more
 
1 members found this post helpful.
Old 09-11-2014, 08:19 AM   #5
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,409

My take on this is that I do not want forwarding without iptables rules, so I prefer to activate packet forwarding within the iptables script (rc.firewall).
 
Old 09-11-2014, 08:38 AM   #6
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,307
Blog Entries: 4

rc.firewall is what GOD would use [citation needed]. It's like rc.local, it is the designated container for your iptables commands.

rc.ip_forward isn't really intended for local commands. You *can* add them there, but you will have extra work to merge your old copy into Pat's new copy every time network-scripts is upgraded.
 
Old 09-11-2014, 02:37 PM   #7
glorsplitz
Senior Member
 
Registered: Dec 2002
Distribution: slackware!
Posts: 1,337

When I had my firewall/router/file server a couple of years ago (I'm using a standalone TP-Link router now), I got rc.firewall from Easy Firewall Generator. I left that alone and made rule changes/additions in rc.local, as that's the last thing rc.M does and all the network stuff seemed to be done at that point.

Last edited by glorsplitz; 09-11-2014 at 02:52 PM.
 
Old 09-12-2014, 05:17 AM   #8
eloi
Member
 
Registered: Nov 2010
Posts: 227

I see in /etc/rc.d/rc.inet2 that rc.ip_forward is read *after* rc.firewall:

Code:
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

# Turn on IPv4 packet forwarding support.
if [ -x /etc/rc.d/rc.ip_forward ]; then
  . /etc/rc.d/rc.ip_forward start
fi
I've never used rc.ip_forward. I used to include the command:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
in the rc.firewall itself *before* iptables related to forwarding. For example:

Code:
# Start dnsmasq if it is not already running. The original test,
# "ps x | grep dnsmasq", also matches the grep process itself, so it always
# succeeded and the start command never ran; the bracket trick avoids that.
ps x | grep '[d]nsmasq' >/dev/null || sh /etc/rc.d/rc.dnsmasq start
# $ext and $int are the external and internal interfaces, set earlier in the script.
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
# Kernel forwarding is switched on here, before the FORWARD rule below exists.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i $int -j ACCEPT
iptables -A OUTPUT -o $int -j ACCEPT
iptables -A FORWARD -i $int -j ACCEPT
I don't know whether adding the rules *after* could be a problem (and I'd like to know).
 
Old 09-12-2014, 10:03 AM   #9
rg3
Member
 
Registered: Jul 2007
Distribution: Fedora
Posts: 527

It's not a problem, eloi. However, for a fraction of a second you would have forwarding enabled without any firewalling rules. Depending on what those rules set, it could be considered a small security hole while booting the system. It's better if you enable the firewalling rules before allowing packet forwarding in the kernel.
 
1 members found this post helpful.
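The ordering rg3 describes, written out as an added example (not any poster's script and not Slackware's own rc.firewall): forwarding is switched off before the ruleset is rebuilt, default policies are DROP, and forwarding is switched on again only after the rules are in place. The interface names, the LAN subnet and the DRY_RUN/run() tracing wrapper are assumptions; the wrapper exists only so the order of operations can be inspected without root.

```shell
#!/bin/sh
# Added example, not the thread's own rc.firewall: one script owns both the
# iptables rules and the ip_forward switch, and turns forwarding on last.
# Interface names and the LAN subnet are assumed values; adjust for your box.
EXT=${EXT:-eth0}
INT=${INT:-eth1}
LAN=${LAN:-192.168.2.0/24}

# Every privileged command goes through run(). With DRY_RUN=1 it is appended
# to $TRACE instead of executed, so the order can be inspected without root.
TRACE=""
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    TRACE="$TRACE$*
"
  else
    "$@"
  fi
}
fw_start() {
  # 1. Stop the kernel forwarding while the ruleset is being rebuilt
  #    (same effect as "echo 0 > /proc/sys/net/ipv4/ip_forward").
  run sysctl -q -w net.ipv4.ip_forward=0
  # 2. Flush and default-deny before any ACCEPT rule exists.
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  # 3. Only replies and LAN-originated traffic may cross the router.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$LAN" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$EXT" -s "$LAN" -j MASQUERADE
  # 4. Enable forwarding last: nothing is routed before the rules are loaded.
  run sysctl -q -w net.ipv4.ip_forward=1
}

fw_stop() {
  # Reverse order: stop forwarding first, then tear the rules down.
  run sysctl -q -w net.ipv4.ip_forward=0
  run iptables -F
  run iptables -t nat -F
}

# 1-based position of the first trace entry matching a pattern, so the
# ordering can be checked: the ip_forward=1 line must come after FORWARD DROP.
trace_line() { printf '%s' "$TRACE" | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

case "$1" in start) fw_start ;; stop) fw_stop ;; esac
```

Run with `DRY_RUN=1 sh rc.firewall start` and print `$TRACE` from a wrapper to see the sequence; the comment in rc.inet2 quoted above refers to exactly this ordering.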
Old 09-12-2014, 10:53 AM   #10
eloi
Member
 
Registered: Nov 2010
Posts: 227

Quote:
Originally Posted by rg3
It's not a problem, eloi. However, for a fraction of a second you would have forwarding enabled without any firewalling rules. Depending on what those rules set, it could be considered a small security hole while booting the system. It's better if you enable the firewalling rules before allowing packet forwarding in the kernel.
OK. Thanks!

Anyway, my script has previous rules (starting with a drop policy).
 