Understanding IP forwarding

Rashkae ubuntu at tigershaunt.com
Fri Aug 3 15:35:29 UTC 2012


On 08/03/2012 09:08 AM, Graham Butler wrote:
> I have a dual NIC server (Ubuntu 12.04) connected to two different subnets and I am trying to understand a possible ip forwarding problem I have. I would appreciate a nudge in the right direction.
>
> If I ping the first interface (161.112.232.221) from another server, not on the same subnet as second interface, I get a reply, i.e. the ping and reply are on the same interface.
>
> If I ping the second interface (172.17.193.146) from another server on its own subnet (say 172.17.193.62), I get a reply. Once again the ping and the reply are on the same subnet.
>
> The problem is when a ping is received on one interface, and the reply wants to go down the other interface, it all fails. On a failed request, I can see the traffic coming in on one interface (using tcpdump), but I cannot see any replies on either interface. From my experience with Solaris, if 'IP forwarding' is enabled, it allows a reply on another interface. I am very new to Ubuntu.
>
> Can I assume from this that setting ip_forward in Ubuntu to allow communication between the two interfaces is not sufficient, and that I may have to use iptables?
>
> The server is not intended to be a router as such, but a development server for testing as a transparent proxy server. I have not got to the transparent proxy bit yet, as I am still trying to understand this problem.
>
> ~# netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> default         161.112.232.99  0.0.0.0         UG        0 0          0 eth0
> localnet        *               255.255.255.0   U         0 0          0 eth0
> 172.17.193.0    *               255.255.255.0   U         0 0          0 eth1
>
> ip_forward is set to 1 and UFW is disabled.
>
> Graham

You might be running into issues with the Kernel IP Spoofing detection.

Verify (and change) that /proc/sys/net/ipv4/conf/all/rp_filter is 0 (and 
not 1) and try the test again.
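
The check suggested in the reply, as an added example that is not part of the original post. The kernel applies the higher of conf/all/rp_filter and conf/<interface>/rp_filter to each interface, so the script reports the effective mode per interface; the function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective reverse-path filter mode per interface.
# The kernel uses the higher of conf/all/rp_filter and conf/<iface>/rp_filter.

# Print the effective mode (the larger of the two values).
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Translate a mode number to its meaning (0, 1 and 2 are the defined modes).
rp_filter_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# Walk a conf directory (default: the live /proc tree) and print one line
# per interface: name, per-interface value, effective value, meaning.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    all_val=$(cat "$conf_dir/all/rp_filter")
    for f in "$conf_dir"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        if_val=$(cat "$f")
        eff=$(effective_rp_filter "$all_val" "$if_val")
        echo "$iface $if_val $eff $(rp_filter_name "$eff")"
    done
}

# Constructed sample tree for a two-NIC host (assumed values, not taken
# from the thread): "all" is 0, but eth1 is still at 1.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
mkdir -p "$sample/all" "$sample/default" "$sample/eth0" "$sample/eth1"
echo 0 > "$sample/all/rp_filter"
echo 1 > "$sample/default/rp_filter"
echo 0 > "$sample/eth0/rp_filter"
echo 1 > "$sample/eth1/rp_filter"
rp_filter_report "$sample"
```

Calling `rp_filter_report` with no argument reads the live values under /proc/sys/net/ipv4/conf. Mode 2 (loose) accepts a packet whose source is reachable through any interface, which keeps some source validation in place on a multi-homed host.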
