On Sat, Mar 08, 2008 at 03:37:54PM -0500, David Zelinsky wrote:
> I'm trying to set up a firewall/gateway, and I can't seem to get
> ip forwarding to work. I'm using linux kernel 2.6.23 with iptables
> enabled. Here's what happens.
>
> The firewall machine has two interfaces (both on private networks, for
> testing purposes):
>
> IF      IP            Netmask
> eth0    192.168.0.1   255.255.255.0
> eth1    10.0.0.1      255.255.255.0

Can you do a

ip r

on the firewall machine
on the machine at 192.168.0.2

On the 192.168.0.2, can you also do a

ip r g 10.0.0.2

If that all looks okay, then try tcpdump firewall whilst doing something like
traceroute 10.0.0.2 from the 192.168.0.2 machine

>
> This is the routing table:
>
> Destination   Gateway   Genmask         Flags  Metric  Ref  Use  Iface
> 192.168.0.0   0.0.0.0   255.255.255.0   U      0       0    0    eth0
> 10.0.0.0      0.0.0.0   255.255.255.0   U      0       0    0    eth1
>
> I enable IP forwarding, with 'echo 1 >/proc/sys/net/ipv4/ip_forward'
>
> I have the iptables_* modules loaded (* = forward,nat,mangle,raw).
> There are no rules in any of the tables, but all have ACCEPT as the
> default policy.
>
> I have two other machines, one at 192.168.0.2 (connected to the same
> hub as firewall's eth0) and one at 10.0.0.2 (connected via crossover
> to firewall's eth1).
>
> From the firewall, I can ping both the other hosts.
> From either host, I can ping the firewall at both 192.160.0.1 and 10.0.0.1.
>
> With this setup, I expect to be able to ping 10.0.0.2 from 192.168.0.2
> (and vice versa), with packets routed through the firewall, but it
> doesn't work.
>
> What am I overlooking?
>
> I did try putting explicit iptables rules in the FILTER chain of the
> forward table, but it didn't make any difference.
>
> Any suggestions would be much appreciated.
>
> --
> David Zelinsky

--
"We need to apply 21st-century information technology to the health
care field. We need to have our medical records put on the I.T."

	- George W. Bush
	01/05/2005
	Collinsville, IL