ip forwarding woes
I'm trying to set up a firewall/gateway, and I can't seem to get
ip forwarding to work. I'm using linux kernel 2.6.23 with iptables
enabled. Here's what happens.

The firewall machine has two interfaces (both on private networks, for
testing purposes):

    IF    IP           Netmask
    eth0  192.168.0.1  255.255.255.0
    eth1  10.0.0.1     255.255.255.0

This is the routing table:

    Destination  Gateway  Genmask        Flags Metric Ref Use Iface
    192.168.0.0  0.0.0.0  255.255.255.0  U     0      0   0   eth0
    10.0.0.0     0.0.0.0  255.255.255.0  U     0      0   0   eth1

I enable IP forwarding, with 'echo 1 >/proc/sys/net/ipv4/ip_forward'

I have the iptables_* modules loaded (* = forward,nat,mangle,raw).
There are no rules in any of the tables, but all have ACCEPT as the
default policy.

I have two other machines, one at 192.168.0.2 (connected to the same
hub as firewall's eth0) and one at 10.0.0.2 (connected via crossover
to firewall's eth1).

From the firewall, I can ping both the other hosts.
From either host, I can ping the firewall at both 192.160.0.1 and 10.0.0.1.

With this setup, I expect to be able to ping 10.0.0.2 from 192.168.0.2
(and vice versa), with packets routed through the firewall, but it
doesn't work.

What am I overlooking?

I did try putting explicit iptables rules in the FILTER chain of the
forward table, but it didn't make any difference.

Any suggestions would be much appreciated.

-- David Zelinsky
Re: ip forwarding woes
Never mind, I found my mistake. The routing table of one of the hosts
was not exactly as described below, and was causing return packets to
be lost. I made the configuration actually agree with what I described
and now it works. Sorry to bother people.

David Zelinsky wrote:
> I'm trying to set up a firewall/gateway, and I can't seem to get
> ip forwarding to work. I'm using linux kernel 2.6.23 with iptables
> enabled. Here's what happens.
>
> The firewall machine has two interfaces (both on private networks, for
> testing purposes):
>
>     IF    IP           Netmask
>     eth0  192.168.0.1  255.255.255.0
>     eth1  10.0.0.1     255.255.255.0
>
> This is the routing table:
>
>     Destination  Gateway  Genmask        Flags Metric Ref Use Iface
>     192.168.0.0  0.0.0.0  255.255.255.0  U     0      0   0   eth0
>     10.0.0.0     0.0.0.0  255.255.255.0  U     0      0   0   eth1
>
> I enable IP forwarding, with 'echo 1 >/proc/sys/net/ipv4/ip_forward'
>
> I have the iptables_* modules loaded (* = forward,nat,mangle,raw).
> There are no rules in any of the tables, but all have ACCEPT as the
> default policy.
>
> I have two other machines, one at 192.168.0.2 (connected to the same
> hub as firewall's eth0) and one at 10.0.0.2 (connected via crossover
> to firewall's eth1).
>
> From the firewall, I can ping both the other hosts.
> From either host, I can ping the firewall at both 192.160.0.1 and 10.0.0.1.
>
> With this setup, I expect to be able to ping 10.0.0.2 from 192.168.0.2
> (and vice versa), with packets routed through the firewall, but it
> doesn't work.
>
> What am I overlooking?
>
> I did try putting explicit iptables rules in the FILTER chain of the
> forward table, but it didn't make any difference.
>
> Any suggestions would be much appreciated.
>
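
The failure found in the reply above (a host routing table that loses the return packets), modelled as an added example that is not part of the original thread: each node's table is walked with longest-prefix match for the echo request and then for the echo reply, so the hop that drops the packet is named. The thread does not say which host or which route was wrong; the example assumes host 10.0.0.2 had no route back to 192.168.0.0/24, and the node names, function names and both host tables are constructed for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (network, gateway) rows; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for net, gw in table:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    if best is None:
        return None
    return dst if best[1] == "0.0.0.0" else best[1]  # 0.0.0.0 = directly connected

def trace(nodes, src, dst, max_hops=8):
    """Follow one packet hop by hop; return (delivered, reason)."""
    owner = {ip: name for name, n in nodes.items() for ip in n["ips"]}
    first = here = owner[src]
    for _ in range(max_hops):
        if dst in nodes[here]["ips"]:
            return True, "delivered"
        if here != first and not nodes[here]["forward"]:
            return False, f"{here}: ip_forward is 0"
        hop = lookup(nodes[here]["routes"], dst)
        if hop is None:
            return False, f"{here}: no route to {dst}"
        if hop not in owner:
            return False, f"{here}: next hop {hop} not on the wire"
        here = owner[hop]
    return False, "hop limit exceeded"

def ping(nodes, a, b):
    """A ping succeeds only if the request a->b AND the reply b->a arrive."""
    for label, s, d in (("request", a, b), ("reply", b, a)):
        ok, why = trace(nodes, s, d)
        if not ok:
            return False, f"{label} lost at {why}"
    return True, "ok"

def lab(host_b_routes, fw_forward=True):  # constructed lab, addresses from the post
    connected = [("192.168.0.0/24", "0.0.0.0"), ("10.0.0.0/24", "0.0.0.0")]
    return {
        "fw": {"ips": {"192.168.0.1", "10.0.0.1"}, "forward": fw_forward, "routes": connected},
        "a": {"ips": {"192.168.0.2"}, "forward": False,
              "routes": [connected[0], ("10.0.0.0/24", "192.168.0.1")]},
        "b": {"ips": {"10.0.0.2"}, "forward": False, "routes": host_b_routes},
    }

BROKEN = [("10.0.0.0/24", "0.0.0.0")]              # assumed fault: no route back
FIXED = BROKEN + [("192.168.0.0/24", "10.0.0.1")]  # return route via the firewall
```

With `BROKEN`, `ping(lab(BROKEN), "192.168.0.2", "10.0.0.2")` reports the reply lost at host `b` even though the firewall forwards correctly and can itself ping both hosts, which matches the symptoms in the first post.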