iptables forwarding not working/iptables-save not saving

Bill Davidsen davidsen at tmr.com
Fri Nov 21 19:22:31 UTC 2008


Antonio Olivares wrote:
> --- On Thu, 11/20/08, Chuck Anderson <cra at WPI.EDU> wrote:
> 
>> From: Chuck Anderson <cra at WPI.EDU>
>> Subject: Re: iptables forwarding not working/iptables-save not saving
>> To: fedora-test-list at redhat.com
>> Date: Thursday, November 20, 2008, 12:33 PM
>> On Thu, Nov 20, 2008 at 12:26:26PM -0800, Antonio Olivares
>> wrote:
>>> Sorry for double post :(  Yahoo mail was misbehaving :(
>>> Here's some info to clarify things 
>>>
>>> [root at localhost ~]# service iptables stop
>>> [root at localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>>> [1]+  Done                    gedit /etc/sysconfig/iptables
>>> [root at localhost ~]# iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> [root at localhost ~]# iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.154.19.210
>>> [root at localhost ~]# iptables-save
>>> # Generated by iptables-save v1.4.1.1 on Thu Nov 20 13:14:50 2008
>>
>> The output of "iptables-save" goes to your terminal, it isn't stored anywhere.
>>
>>> The iptables get back to original state.  error in iptables-save ?/bug
>>
>> Nope, you need to do this instead:
>>
>> service iptables save
>>
>> -- 
> 
> 
> Thank you all for helping me with this.  I have done this and I hope that it will work :)
> 
I doubt that it will work as expected. You appear to have a policy of ACCEPT on 
FORWARD, and lack the usual REJECT rule at the end of the rules, so everything 
gets forwarded and your rules don't do anything to prevent it. Also, if you 
didn't enable forwarding in /proc/sys/ your system won't forward. Also, you 
probably don't want the interfaces on the RELATED line, as you will work better 
if you forward in both directions, assuming you change the policy and return to 
normal security.

In other words, you will have no security, because you appear to forward 
everything. Use "iptables -L FORWARD -nv" to see if the policy is being used to 
forward anything it sees.

Excerpt from my FC9 table save: (note the last rule)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34700:4826013]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited


-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
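The condition Bill describes (FORWARD policy ACCEPT with no catch-all REJECT at the end, so everything is forwarded) can be checked mechanically against iptables-save output rather than by eye. The script below is an added example, not code from the thread; the two rulesets are constructed to resemble Antonio's commands and the FC9 excerpt, and the `forward_is_open` function is this example's own assumption.

```shell
#!/bin/sh
# Constructed ruleset in the shape of the thread's original: policy ACCEPT on
# FORWARD, interface-specific rules, and no final REJECT/DROP.
OPEN_FORWARD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed ruleset in the shape of the FC9 excerpt: stateful rule without
# interface restriction, explicit ACCEPT for the LAN, then a catch-all REJECT.
CLOSED_FORWARD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# forward_is_open RULESET: returns 0 (true) when the FORWARD chain falls
# through to an ACCEPT policy with no catch-all REJECT/DROP, 1 otherwise.
forward_is_open() {
    ruleset=$1
    # The chain header looks like ":FORWARD ACCEPT [pkts:bytes]".
    policy=$(printf '%s\n' "$ruleset" | awk '$1 == ":FORWARD" { print $2 }')
    # A catch-all is a FORWARD rule with no match options before -j REJECT/DROP.
    catchall=$(printf '%s\n' "$ruleset" \
        | awk '/^-A FORWARD -j (REJECT|DROP)( |$)/ { n++ } END { print n + 0 }')
    [ "$policy" = "ACCEPT" ] && [ "$catchall" -eq 0 ]
}

# report: run the check over both constructed rulesets and print a verdict.
report() {
    for name in OPEN_FORWARD CLOSED_FORWARD; do
        eval "rules=\$$name"
        if forward_is_open "$rules"; then
            echo "$name: FORWARD is wide open (policy ACCEPT, no final REJECT/DROP)"
        else
            echo "$name: FORWARD is closed by policy or a final REJECT/DROP"
        fi
    done
}

report
```

On a live host the same check applies to the output of `iptables-save` (or `iptables -L FORWARD -nv`, as the reply suggests), and remember that forwarding also needs net.ipv4.ip_forward enabled under /proc/sys.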