Let me tell you some background first.
I have four hosts: one is a gateway, or hub, and the other three are internal hosts. Each internal host has an IPsec host-to-host connection with the hub. By configuring the IPsec connections and activating IP forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward), all traffic between internal hosts must go through the hub. For example, if host1 wants to ping host2, the ICMP request will be sent to the hub first, and then the hub will forward it to host2; similarly, the ICMP reply from host2 will go to the hub and be forwarded to host1. The procedure is transparent to all internal hosts.
The problem is that if I run a script on the hub to add some rules to iptables, the IP forwarding functionality mentioned above is disabled. If host1 pings host2, I can see the ICMP requests being sent to the hub, but the hub does not forward them to host2. The following is the script used to add the rules:
-----------------------------------------------------------
#!/bin/sh
EXT=eth1   # external (Internet-facing) interface
INT=eth0   # internal interface, towards the IPsec hosts
echo "1" > /proc/sys/net/ipv4/ip_forward

# Reset the filter chains: INPUT/OUTPUT open, FORWARD closed by default
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F INPUT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F

# Port forwards from the outside to internal servers (DNAT), each paired
# with a FORWARD rule that admits the rewritten connection
/sbin/iptables -A PREROUTING -t nat -i $EXT -p tcp --dport 420 -j DNAT --to 192.168.1.20:443
/sbin/iptables -A FORWARD -i $EXT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -i $EXT -p tcp --dport 421 -j DNAT --to 192.168.1.21:443
/sbin/iptables -A FORWARD -i $EXT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -i $EXT -p tcp --dport 422 -j DNAT --to 192.168.1.22:443
/sbin/iptables -A FORWARD -i $EXT -p tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#/sbin/iptables -A PREROUTING -t nat -i $EXT -p tcp --dport 45 -j DNAT --to 192.168.1.5:443
#/sbin/iptables -A FORWARD -i $EXT -p tcp --dport 442 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -i $EXT -p tcp --dport 430 -j DNAT --to 192.168.1.20:80
/sbin/iptables -A FORWARD -i $EXT -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Replies to existing connections back in, anything from inside going out
/sbin/iptables -A FORWARD -i $EXT -o $INT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

# Log and drop everything else that reaches the end of FORWARD
/sbin/iptables -A FORWARD -j LOG --log-prefix "FORWARD dropped "
/sbin/iptables -A FORWARD -j DROP

# Masquerade internal traffic leaving on the external interface
/sbin/iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
-----------------------------------------------------------
Can anybody tell me what's wrong with the script and how I should change it?
Thanks a lot!
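Added example, not part of the original post: the script sets the FORWARD policy to DROP and only accepts packets that cross between eth1 and eth0, so hub-relayed host1 to host2 traffic, which enters and leaves on the internal side, falls through to the LOG/DROP pair. The snippet below assumes eth0 is the internal interface as in the script and that the kernel has the xt_policy match; it builds the rule through a variable so it can be previewed before being applied.

```shell
#!/bin/sh
# Added example: admit hub-relayed traffic between the internal hosts while
# keeping the FORWARD policy at DROP. Assumes eth0 is the internal interface
# (INT in the original script) and that the xt_policy match is available.
# IPT defaults to a dry run that only prints the command; run with the
# argument "apply" to install the rule for real.
INT=eth0
IPT=${IPT:-"echo /sbin/iptables"}

# The rule the original script is missing: packets that arrived on the
# internal interface and leave on it again (host1 -> hub -> host2). Matching
# on "--pol ipsec" accepts only packets that came out of an IPsec SA, so
# plaintext relaying between internal hosts stays blocked. "-I" puts it
# ahead of the LOG/DROP pair; in the script itself it belongs before them.
internal_forward_rule() {
    $IPT -I FORWARD 1 -i "$INT" -o "$INT" -m policy --dir in --pol ipsec -j ACCEPT
}

# Diagnosis aid: with -v, iptables shows per-rule packet counters, so hits on
# the final LOG/DROP rules confirm that relayed packets are being discarded.
show_forward_counters() {
    $IPT -L FORWARD -v -n --line-numbers
}

case "${1:-}" in
    apply) IPT=/sbin/iptables; internal_forward_rule ;;
    show)  show_forward_counters ;;
esac
```

The dropped packets also appear in the kernel log under the script's own "FORWARD dropped " prefix, which is the quickest way to confirm the diagnosis before changing anything.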