Marco Colombo wrote:
Exactly. Plus, I believe you'll find that sysctl is called in /etc/init.d/network.
On Thu, 8 Jul 2004, Peter Marshall wrote:
Hey guys, I know this sounds stupid, but I cannot seem to get the value of /proc/sys/net/ipv4/ip_forward to be 1 after boot. I tried putting the echo 1 > /pro...../ip_forward in my iptables script .... (BTW, I have a bash script with my rules in it and a startup script in rc2.d that calls it)
I also tried making a separate startup script just for the ip_forward and set it to run as the last thing in rc2.d .....
If anyone has any suggestions, I would greatly appreciate it.
Thanks. Peter
That depends on the distro you're running. On Red Hat / Fedora distros, add (or change) the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
The echo you're using should work, just make sure nothing else (i.e. sysctl) resets it to 0 later at boot time (but on RH and Fedora, sysctl -p occurs in rc.sysinit, so before any rc.[2345] script).
As an alternative to the echo approach, you can use the sysctl command directly in your script. My iptables scripts start with:
sysctl -w net.ipv4.ip_forward=0
and end with:
sysctl -w net.ipv4.ip_forward=1
so that forwarding is disabled while the scripts are messing with rules: I tend to use the scripts at runtime now and then, and disabling forwarding is just safer.
.TM.
As recommended, I tend to set the /etc/sysctl.conf setting to 0. While I am there, I also disable redirects and source routing. I then enable forwarding with the echo command (for platform independence) in my scripts after all the security scripts have successfully run. This way, if one of the iptables or *swan scripts fails, I fail safe and the gateway does not forward - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
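The fail-safe start-up sequence described in the thread (forwarding and redirects/source routing off as a baseline, run the firewall scripts, enable forwarding only if every one of them succeeds), written out as an added example that is not code from any of the posters. The PROC_SYS variable (so the logic can be exercised against a scratch directory instead of a live /proc/sys), the particular conf.all keys chosen for redirects and source routing, and the rules-script paths in the comment are assumptions.

```sh
#!/bin/sh
# Fail-safe forwarding toggle for a Linux gateway (added example).
# PROC_SYS is an assumed override: defaults to /proc/sys (needs root),
# but can point at a scratch tree for testing.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Translate a dotted sysctl key into its /proc/sys path.
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# write_sysctl <dotted.key> <value>: the "echo N > /proc/sys/..." approach
# from the thread, kept for platform independence (no sysctl binary needed).
write_sysctl() {
    echo "$2" > "$(sysctl_path "$1")"
}

read_sysctl() {
    cat "$(sysctl_path "$1")" 2>/dev/null
}

# Hardened baseline: forwarding off, ICMP redirects off, source routing off.
# Applied first, so a failure anywhere later leaves the box non-forwarding.
harden_baseline() {
    write_sysctl net.ipv4.ip_forward 0 &&
    write_sysctl net.ipv4.conf.all.accept_redirects 0 &&
    write_sysctl net.ipv4.conf.all.send_redirects 0 &&
    write_sysctl net.ipv4.conf.all.accept_source_route 0
}

# bring_up_gateway <rules-command>...: run each firewall/VPN script in order;
# ip_forward is set to 1 only if all of them exit 0. Returns 0 if forwarding
# was enabled, 1 if the gateway was left in the fail-safe (non-forwarding) state.
bring_up_gateway() {
    harden_baseline || return 1
    for cmd in "$@"; do
        if ! $cmd; then
            echo "gateway: '$cmd' failed; leaving ip_forward=0" >&2
            return 1
        fi
    done
    write_sysctl net.ipv4.ip_forward 1
}

# Typical invocation on a real gateway, as root (paths are placeholders):
#   bring_up_gateway /path/to/iptables-rules.sh /path/to/ipsec-start.sh
```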