You are not logged in.

#1 2015-10-22 21:41:08

ayekat
Member
From: UTC+2
Registered: 2011-01-17
Posts: 1,075
Website

[SOLVED?] IP packet forwarding, netfilter issues

Today, I was using linux 4.2.3-1, and I had the following setup:

  • My machine (the "host"), connected to the internet via WiFi, wlp3s0

  • Another machine (the "guest") connected to the host via ethernet, on the host's enp0s25

I wanted to masquerade packets for the guest, and I had this in the host's iptables:

~ $ sudo iptables -vL
Chain INPUT (policy ACCEPT 28 packets, 3592 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 29 packets, 1998 bytes)
 pkts bytes target     prot opt in     out     source               destination         
~ $ sudo iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 38 packets, 5892 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 15 packets, 3960 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 254 packets, 16832 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  255 16916 MASQUERADE  all  --  any    wlp3s0  anywhere             anywhere            

IP packet forwarding was enabled on the host (via config in /etc/sysctl.d):

~ $ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

However, when I pinged something (e.g. 8.8.8.8) from the guest, I saw via tcpdump that packets entered the host machine (via ethernet), but did not quit the host machine on the WiFi side.

Then, via sysctl I disabled and re-enabled IP packet forwarding, and the packets were then properly forwarded to the WiFi interface - HOWEVER their IP address was not masqueraded (i.e. they had the network-internal IP address as source address), and obviously there was no ICMP response.

I thought all of this was weird, so I installed the current linux-lts package (4.1.10-2) and booted into that.
As before, IP packet forwarding was enabled on the host (via config in /etc/sysctl.d), but packets were not forwarded, so I re-enabled it, and packet forwarding worked. Weird.
Then, I applied the iptables setup as above, and packets were masqueraded correctly. Everything fine there.

Question

Why would the value of net.ipv4.ip_forward need to be reapplied after a boot? Is there something I am missing? It behaves like this for both the LTS kernel and the current one. And I'm pretty sure IP forwarding still worked correctly a few weeks back.

Also, what bothers me is that iptables would not masquerade the packets correctly with the current kernel, whereas it does on the LTS kernel. Is this a bug, or am I the only one experiencing this?

With nftables, the behaviour is exactly the same.

Last edited by ayekat (2015-10-23 09:01:19)


Quotes found on the Internet can be hard to verify. — Abraham Lincoln
Let's strap some XDG and FHS onto our dotfiles, shall we?

Offline

#2 2015-10-23 01:05:00

branch
Member
Registered: 2014-03-16
Posts: 196

Re: [SOLVED?] IP packet forwarding, netfilter issues

ayekat wrote:

Question

Why would the value of net.ipv4.ip_forward need to be reapplied after a boot? Is there something I am missing? It behaves like this for both the LTS kernel and the current one. And I'm pretty sure IP forwarding still worked correctly a few weeks back.

Are you using systemd-networkd? If so, did you set "IPForward=yes" in the .network files for each interface? Unfortunately systemd-networkd will override the sysctl setting if this is not set.

Offline

#3 2015-10-23 09:01:02

ayekat
Member
From: UTC+2
Registered: 2011-01-17
Posts: 1,075
Website

Re: [SOLVED?] IP packet forwarding, netfilter issues

Indeed, I switched to configuring my network through systemd-networkd about 10 days ago, and it turns out that systemd-networkd sets the value for net.ipv4.conf.<interface>.forwarding to 0 if not explicitly specified (so IP forwarding, although enabled globally, was disabled on a per-interface basis - my facepalm moment). Now IP forwarding works correctly. Thanks a lot!

Also, since I was reading up on IP forwarding and masquerading by systemd, I have enabled the `IPMasquerading` option in the corresponding interface configuration, and it works fine, too. As such, I mark the problem as solved.

However, I'm still a little confused about why iptables would not correctly masquerade packets with the new kernel, whereas it works correctly on the LTS kernel...


Quotes found on the Internet can be hard to verify. — Abraham Lincoln
Let's strap some XDG and FHS onto our dotfiles, shall we?

Offline

Board footer

Powered by FluxBB