5

This question is related to the answer & comment in What is kernel ip forwarding?

from @LawrenceC

post1:

So in the above example, if you have an internet connection on NIC 2, you'd set NIC 2 as your default route and then any traffic coming in from NIC 1 that isn't destined for something on 192.168.2.0/24 will go through NIC 2.

and also post2:

the internet-facing interface (NIC 1 per above) needs a MASQUERADE rule in iptables's POSTROUTING on a chain to do that. See revsys.com/writings/quicktips/nat.html

At http://www.revsys.com/writings/quicktips/nat.html it says:

Then you'll need to configure iptables to forward the packets from your internal network, on /dev/eth1, to your external network on /dev/eth0.

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Why I'd use FORWARD (according to post2) if the forward is already done by only setting ip_forward (according to post1):

echo 1 > /proc/sys/net/ipv4/ip_forward
Adrian
  • 659
  • 1
  • 7
  • 29
  • Setting `ip_forward` allows the network stack to forward packets from one interface to another. You do not need any additional packet filtering or routing specified if all you want is for packets to be forwarded from one locally attached network to another locally attached network. However, if you want to specify routes (other than default) to specific remote networks, or to perform other packet rewriting (nat, in the example above), you will need to specify more than just the `ip_forward` sysctl. – user4556274 Apr 16 '17 at 22:15

1 Answers1

6

Setting ip_forward allows packet forwarding in general. Some Linux distributions may disallow forwarded packets in iptables for security reasons, e.g. if ip_forward is set by error.

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

sets a rule to allow packets from eth0 to eth1 that are responses or similary related packets to an already established connection.

/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

sets an explicit rule to allow packets from eth1 to eth0.

This allows clients from eth1 to access servers behind eth0 regardless of the default iptables configuration.

cg909
  • 6,908
  • 1
  • 27
  • 30
  • loved your answer here! I also had a question regarding iptables which I was wondering if you might know the reasoning behind: https://unix.stackexchange.com/questions/359884/understanding-an-iptables-shell-script – Webeng Apr 19 '17 at 08:00