[Nottingham] Problems configuring second network card

David Luff nottingham at mailman.lug.org.uk
Mon Apr 7 01:06:02 2003


David Luff writes:

> Mike writes:
> 
> > On Sun, 2003-04-06 at 01:07, David Luff wrote:
> 
> > > cat /proc/sys/net/ipv4/ip_forward gives 0 :-(
> > > 
> > > After echo "1" > /proc/sys... it still gives 0.
> > 
> > no idea why this doesn't work but if you do vi
> > /proc/sys/net/ipv4/ip_forward and change 0 to 1 this should have the
> > same effect
> > 
> 
> I found that in /etc/network/options there was the line
> ip_forward=no
> 
> Changing this to ip_forward=yes had the required effect.
> 
> I still couldn't get forwarding to work until I typed
> 
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> 
> which I found on the Libranet forums (other folk have apparently had this problem!), at which point it worked - the 'doze box connected to the net :-)
> 
> However, I'm not entirely sure why I had to type this - my firewall script (MonMotha) contains the following:
> 
> # Set up basic NAT if the user wants it
> if [ "$MASQ_LAN" != "" ] ; then
> 	echo -n "Setting up masquerading: "
> 	if [ "$MAC_MASQ" = "" ] ; then
> 		for subnet in ${MASQ_LAN} ; do
> 			${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
> 			echo -n "${subnet}:MASQUERADE "
> 		done
> 	else	
> 		for address in ${MAC_MASQ} ; do
> 			${IPTABLES} -t nat -A POSTROUTING -m mac --mac-source ${address} -o ${INET_IFACE} -j MASQUERADE
> 			echo -n "${address}:MASQUERADE "
> 		done
> 	fi
> 	echo
> fi
> 
> and includes the following output when manually started:
> 
> Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT loopback:ACCEPT 
> Setting up masquerading: 192.168.0.0/24:MASQUERADE 192.168.1.0/24:MASQUERADE 
> 
> It's in /etc/init.d and marked executable, so I assume it's getting run at startup?

OK, forget that, I've been a plonker and my links to it in /etc/rc*.d were broken.  I always wondered why links I created were red-on-black and not light blue like the others!!  I guess that means I've been running unfirewalled for the last few weeks :-(

So the only problem left is the eth0/eth1 confusion at startup.  I've got round this by putting the following script in run level 2:

cp /etc/network/new_interfaces /etc/network/interfaces
/sbin/ifup eth1
cp /etc/network/old_interfaces /etc/network/interfaces

where new_interfaces is the interfaces file with eth1 included that won't work during bootup, and old_interfaces is the one with eth0 only that will.  Now the computer works as a firewall and router from bootup, so I'm somewhat happy (and bloody tired!!).

Thanks to all for the assistance,

Cheers - Dave
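A post-boot sanity check for the three things that went wrong in this thread (ip_forward left at 0, no MASQUERADE rule on the outside interface, and dangling /etc/rc*.d links that silently stop the firewall script running). This is an added example, not part of the original post or of the MonMotha script; the INET_IFACE name is borrowed from the quoted script and defaults to eth0, and the file and directory paths are parameters so the checks can be exercised against test fixtures without root.

```sh
#!/bin/sh
# Verifies forwarding, masquerading and rc*.d symlinks on a Debian-style router.
# Paths are arguments (assumption: defaults match the thread's Debian/Libranet box).

# Returns 0 if the kernel forwarding switch is "1". Arg 1: path to the sysctl file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Returns 0 if stdin (output of `iptables -t nat -S POSTROUTING`) contains a
# MASQUERADE rule leaving via the given interface. Arg 1: interface name.
has_masquerade_rule() {
    grep -qF -- "-o $1 -j MASQUERADE"
}

# Prints every S*/K* symlink in the given rc directory whose target is missing.
# Arg 1: directory such as /etc/rc2.d.
dangling_rc_links() {
    for link in "$1"/S* "$1"/K*; do
        [ -L "$link" ] || continue       # skip non-symlinks and unmatched globs
        [ -e "$link" ] || echo "$link"   # -e follows the link; false when broken
    done
}

# Runs all three checks on the live system; returns non-zero if any fails.
check_router() {
    rc=0
    iface="${INET_IFACE:-eth0}"
    ip_forward_enabled || { echo "ip_forward is 0"; rc=1; }
    if [ -x /sbin/iptables ]; then
        /sbin/iptables -t nat -S POSTROUTING 2>/dev/null \
            | has_masquerade_rule "$iface" \
            || { echo "no MASQUERADE rule on $iface"; rc=1; }
    fi
    for d in /etc/rc2.d /etc/rc3.d /etc/rc4.d /etc/rc5.d; do
        [ -d "$d" ] || continue
        bad=$(dangling_rc_links "$d")
        [ -z "$bad" ] || { echo "dangling links in $d:"; echo "$bad"; rc=1; }
    done
    return $rc
}
```

Run `check_router` as root after boot; a dangling S20firewall link is exactly the silent failure described above.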