Gentoo Forums
[SOLVED] IPTables forwarding doesn't work after reboots
durty_nacho
Tux's lil' helper


Joined: 22 Jul 2004
Posts: 128
Location: Dallas

PostPosted: Thu Jun 09, 2011 11:00 pm    Post subject: [SOLVED] IPTables forwarding doesn't work after reboots

I just updated my system, as I do each month. After this update, which happens to be the update in which I switched over to the new baselayout, IPTables will not forward packets at boot. The rules are all there, but I have to flush them and re-enter them before they work. I can do that and reboot all day, and they will never work at boot until I flush and reapply them.

I can get to the internet all day from the system, and my internal machines can get to my Gentoo box's inside interface, but I cannot get forwarded out until I reapply the rules. Anybody else having this problem? Here are my rules, taken straight from the Gentoo home router guide, with modifications for OpenVPN and Blockhosts, and a few other ports.

Code:

# Filter table in iptables-save format. The "*filter" header and "COMMIT"
# footer are added here so the block can be loaded with iptables-restore.
*filter
# Default policies: only forwarded traffic is dropped unless a rule allows it
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
# Chain maintained by Blockhosts, consulted first for incoming and forwarded traffic
-N blockhosts
-A INPUT -j blockhosts
# Loopback, the inside interface (eth0) and OpenVPN tunnels (tun+) are trusted
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
# Outside interface (eth1): drop echo requests, DNS and DHCP queries
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 53 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 67 -j DROP
# Outside interface: services exposed to the internet (FTP, HTTP, NTP, POP3S)
-A INPUT -i eth1 -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
# Outside interface: everything else in the privileged port range is dropped
-A INPUT -i eth1 -p tcp -m tcp --dport 0:1023 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 0:1023 -j DROP
# Forwarding: the LAN (10.10.10.16/28) may leave via eth0, traffic to the LAN
# arriving on eth0 is refused, traffic to the LAN arriving on eth1 is allowed,
# and tunnel traffic passes freely
-A FORWARD -j blockhosts
-A FORWARD -d 10.10.10.16/28 -i eth0 -j DROP
-A FORWARD -s 10.10.10.16/28 -i eth0 -j ACCEPT
-A FORWARD -d 10.10.10.16/28 -i eth1 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT

_________________
More ways to blow blood cells in your face
React with four bombs and six fire missiles
Armed with seven rounds of space doo-doo pistols


Last edited by durty_nacho on Fri Jun 10, 2011 2:59 am; edited 3 times in total
Moriah
Advocate


Joined: 27 Mar 2004
Posts: 2183
Location: Kentucky

PostPosted: Fri Jun 10, 2011 1:45 am    Post subject:

Did you re-save your iptables rules using /etc/init.d/iptables save ?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
durty_nacho
Tux's lil' helper


Joined: 22 Jul 2004
Posts: 128
Location: Dallas

PostPosted: Fri Jun 10, 2011 1:46 am    Post subject:

Yes, I do each time before I reboot and test.
_________________
More ways to blow blood cells in your face
React with four bombs and six fire missiles
Armed with seven rounds of space doo-doo pistols
Moriah
Advocate


Joined: 27 Mar 2004
Posts: 2183
Location: Kentucky

PostPosted: Fri Jun 10, 2011 2:01 am    Post subject:

I seemed to recall that I had a similar problem with several dual-homed machines after the new baselayout upgrade, so I looked at those machines to see what I did. It appears that I put an entry in /etc/local.d/baselayout.start to restart iptables using /etc/init.d/iptables start and that seemed to work, so I didn't analyze it, as I had bigger fish to fry. :?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
durty_nacho
Tux's lil' helper


Joined: 22 Jul 2004
Posts: 128
Location: Dallas

PostPosted: Fri Jun 10, 2011 2:48 am    Post subject:

Found it. After the updates, net.ipv4.ip_forward was reset to 0 in /etc/sysctl.conf. It needs to be 1 in order to forward, which is the aspect of my routing that wasn't working.

Thanks for your input Moriah, much appreciated!
_________________
More ways to blow blood cells in your face
React with four bombs and six fire missiles
Armed with seven rounds of space doo-doo pistols
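The fix in the post above came down to one sysctl: with net.ipv4.ip_forward at 0 the kernel never routes between interfaces, no matter what the FORWARD chain says. The script below is an added example, not code from this thread or from Gentoo. It separates the three things that must all hold for forwarding to work (the value persisted in sysctl.conf, the value the running kernel currently has, and FORWARD rules that actually ACCEPT the LAN), so the "rules are loaded but nothing is forwarded" symptom can be pinned on the right one. The sysctl.conf snippet and rule lines it runs on are constructed samples that mirror the thread; the kernel value is read only when /proc is available.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks the pieces that must all be
# in place for a Linux box to forward packets. Runs on constructed sample
# input; the live kernel value is read only when /proc is readable.

# Effective value of a key in sysctl.conf-style text: comments (# or ;) and
# blank lines are ignored and the last assignment wins, as sysctl -p does.
# Prints "unset" when the key never appears.
sysctl_conf_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*$/    { next }
        {
            n = index($0, "=")
            if (n == 0) next
            name = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", name)
            if (name == k) { val = substr($0, n + 1); gsub(/[[:space:]]/, "", val); found = 1 }
        }
        END { print (found ? val : "unset") }'
}

# Number of FORWARD rules that ACCEPT traffic sourced from a subnet, read from
# iptables-save style text. Zero means the filter side blocks the LAN even
# when ip_forward is 1.
forward_accept_rules() {
    printf '%s\n' "$2" | grep -- '^-A FORWARD ' | grep -F -- "-s $1 " \
        | grep -c -- '-j ACCEPT' || true
}

# What the running kernel is doing right now (1 = forwarding on).
live_ip_forward() {
    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        cat /proc/sys/net/ipv4/ip_forward
    else
        echo unset
    fi
}

# One-line verdict from the persisted value (what survives a reboot) and the
# running value. The thread's case is kernel=0 after a reboot because
# sysctl.conf said 0, while the rules themselves were fine.
forward_verdict() {
    configured=$1
    running=$2
    if [ "$running" = 1 ] && [ "$configured" = 1 ]; then
        echo "ok: forwarding on now and persisted in sysctl.conf"
    elif [ "$running" = 1 ]; then
        echo "warn: forwarding on now but sysctl.conf has $configured, so it will be off after reboot"
    elif [ "$configured" = 1 ]; then
        echo "warn: sysctl.conf enables forwarding but the kernel has it off; run sysctl -p"
    else
        echo "fail: forwarding off (kernel=$running, sysctl.conf=$configured)"
    fi
}

# Constructed sample input mirroring the thread: the update left ip_forward
# at 0 while the FORWARD rules still ACCEPT the LAN.
SAMPLE_SYSCTL_CONF='# constructed /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1'

SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -d 10.10.10.16/28 -i eth0 -j DROP
-A FORWARD -s 10.10.10.16/28 -i eth0 -j ACCEPT
-A FORWARD -d 10.10.10.16/28 -i eth1 -j ACCEPT'

configured=$(sysctl_conf_value net.ipv4.ip_forward "$SAMPLE_SYSCTL_CONF")
echo "persisted net.ipv4.ip_forward: $configured"
echo "FORWARD ACCEPT rules for 10.10.10.16/28: $(forward_accept_rules 10.10.10.16/28 "$SAMPLE_RULES")"
forward_verdict "$configured" "$(live_ip_forward)"
```

On a real box the two sample strings would be replaced by `cat /etc/sysctl.conf` and `iptables-save`; the split between the persisted and the running value is the point, because `echo 1 > /proc/sys/net/ipv4/ip_forward` or a re-applied rule set fixes the symptom until the next reboot while the sysctl.conf entry is what survives it.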
Moriah
Advocate


Joined: 27 Mar 2004
Posts: 2183
Location: Kentucky

PostPosted: Fri Jun 10, 2011 3:28 am    Post subject:

Oh yeah! Now I remember... :oops:
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.