
Re: [alpine-devel] Packet forwarding doesn't work (or I'm a too stupid)

From: Jeff Bilyk <jbilyk_at_gmail.com>
Date: Sat, 7 Apr 2012 16:36:04 -0400

Hi,

Is /proc/sys/net/ipv4/ip_forward enabled?

Jeff

On Sat, Apr 7, 2012 at 4:32 PM, Der Tiger <der.tiger.alpine_at_arcor.de> wrote:
> Hi,
>
> I'm at a total loss. I've completely set up my Alpine based router, only to
> discover that it doesn't forward packets. This behaviour is verified on a
> physical machine and a VirtualBox machine with two NICs each.
>
>   [PC 192.168.2.1]
>      |
>   [eth1:192.168.2.254 | Alpine | eth0:192.168.1.1]
>                                    |
>                              [Modem 192.168.1.254]
>
> I've:
>
> 1) booted the most recent Alpine ISO image and logged in as root
> 2) apk add iptables
> 3) ip link set up eth0
> 4) ip link set up eth1
> 5) ip address add 192.168.1.1/24 dev eth0
> 6) ip address add 192.168.2.254/24 dev eth1
> 7) ip route add default via 192.168.1.254 dev eth0
>
> which results in:
>
> ##>iptables -S
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> ##>iptables -t nat -S
> -P PREROUTING ACCEPT
> -P POSTROUTING ACCEPT
> -P OUTPUT ACCEPT
> ##>ip route show
> default via 192.168.1.254 dev eth0
> 192.168.2.0/24 dev eth1 src 192.168.2.254
> 192.168.1.0/24 dev eth0 src 192.168.1.1
>
> Whatever I try, I can't ping 192.168.1.254 (connected to eth0 of the router)
> from the PC 192.168.2.1 (connected to eth1 of the router). Pinging both the
> PC and the modem from the router works perfectly. The PC can, of course,
> ping the router at 192.168.2.254 and even the remote interface at
> 192.168.1.1, but not the modem at 192.168.1.254. Packet logging shows
> neither outgoing nor incoming packets being rejected or dropped.
>
> Later on, I've installed Privoxy, dhcpcd (for eth0), BIND and other daemons
> on the physical router. All traffic originating from the router, e.g. dhcpcd
> and BIND, adds to the packet count in the OUTPUT chain of iptables' filter
> table and reaches its destination. All HTTP traffic passing through Privoxy
> adds to both the INPUT and the OUTPUT chains, while HTTPS traffic cannot be
> digested by Privoxy and should therefore be bypassing Privoxy through the
> FORWARD chain. But while I'm sure the corresponding nat and filter rules are
> working, there are no packets registered passing through the FORWARD chain.
> Whatever protocol (HTTPS, FTP, POP3) is sent, all packet counters remain zero
> and no connections are established. It looks like the packets are dropped
> somewhere.
>
> My reference is another Linux router with a 2.16.x kernel, from which I
> extracted those long-term tested and optimized iptables rules. I also made
> sure the same kernel modules are loaded on both routers. While the 2.16.x
> kernel router forwards packets as expected, the Alpine router does not.
>
> I've already spent days trying to figure out what's wrong. Meanwhile I ran
> out of things to check, so I'd really appreciate it if anybody would make any
> suggestions! The www search didn't yield results, either.
>
> Has anyone had any similar behaviour? Does packet forwarding generally work
> on all of your Alpine systems? Am I just totally off? 8-/
>
> Thanks for your help, Tiger
>
> ##>iptables-save
> # Generated by iptables-save v1.4.12.1 on Fri Apr  6 23:13:23 2012
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> :fw-drp-log - [0:0]
> :fw-rej - [0:0]
> :fw-rej-fin - [0:0]
> :fw-rej-log - [0:0]
> :fw-www-acc - [0:0]
> :in-dhcpd - [0:0]
> :in-drp-log - [0:0]
> :in-icmp - [0:0]
> :in-rej - [0:0]
> :in-rej-fin - [0:0]
> :in-rej-log - [0:0]
> [0:0] -A INPUT -p icmp -m comment --comment ICMP -j in-icmp
> [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment
> "RELATED,ESTABLISHED" -j ACCEPT
> [0:0] -A INPUT -i lo -m comment --comment "Local Traffic" -j ACCEPT
> [0:0] -A INPUT -s 127.0.0.1/32 -m state --state NEW -m comment --comment
> "Local Traffic" -j DROP
> [0:0] -A INPUT -d 127.0.0.1/32 -m state --state NEW -m comment --comment
> "Local Traffic" -j DROP
> [0:0] -A INPUT -s 192.168.2.0/24 -m comment --comment "LAN Traffic" -j
> ACCEPT
> [0:0] -A INPUT -s 192.168.3.0/24 -m comment --comment "VoIP Traffic" -j
> ACCEPT
> [0:0] -A INPUT -p tcp -m tcp --dport 2222 -m comment --comment SSH -j ACCEPT
> [0:0] -A INPUT -i eth1 -p udp -m comment --comment DHCP -m udp --dport 67 -j
> ACCEPT
> [0:0] -A INPUT -s 192.168.1.254/32 -p udp -m udp --dport 5060 -m comment
> --comment "SIP from Modem" -j ACCEPT
> [0:0] -A INPUT -p udp -m udp --dport 17000:17031 -m comment --comment RTP -j
> ACCEPT
> [0:0] -A INPUT -j DROP
> [0:0] -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu
> [0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment
> "RELATED,ESTABLISHED" -j ACCEPT
> [0:0] -A FORWARD -s 127.0.0.1/32 -m state --state NEW -m comment --comment
> "Drop Local Traffic" -j fw-drp-log
> [0:0] -A FORWARD -d 127.0.0.1/32 -m state --state NEW -m comment --comment
> "Drop Local Traffic" -j fw-drp-log
> [0:0] -A FORWARD -p tcp -m tcp --dport 139 -m comment --comment "Drop
> NETBIOS/Samba" -j DROP
> [0:0] -A FORWARD -p tcp -m tcp --dport 445 -m comment --comment "Drop
> NETBIOS/Samba" -j DROP
> [0:0] -A FORWARD -p udp -m udp --dport 137:138 -m comment --comment "Drop
> NETBIOS/Samba" -j DROP
> [0:0] -A FORWARD -p tcp -m tcp --dport 80 -m comment --comment "Reject
> unsoliceted HTTP" -j fw-rej-log
> [0:0] -A FORWARD -p udp -m udp --dport 53 -m comment --comment "Reject
> unsoliceted DNS" -j fw-rej-log
> [0:0] -A FORWARD -j fw-www-acc
> [0:0] -A FORWARD -j fw-rej-log
> [0:0] -A OUTPUT -o ppp0 -j ACCEPT
> [0:0] -A OUTPUT -o eth0 -j ACCEPT
> [0:0] -A OUTPUT -o eth1 -j ACCEPT
> [0:0] -A fw-drp-log -m limit --limit 1/sec --limit-burst 3 -j LOG
> --log-prefix "fw-forward-drop "
> [0:0] -A fw-drp-log -j DROP
> [0:0] -A fw-rej -p udp -m limit --limit 1/sec --limit-burst 3 -j fw-rej-fin
> [0:0] -A fw-rej ! -p udp -m limit --limit 1/sec --limit-burst 3 -j
> fw-rej-fin
> [0:0] -A fw-rej -j DROP
> [0:0] -A fw-rej-fin ! -p icmp -j REJECT --reject-with icmp-admin-prohibited
> [0:0] -A fw-rej-fin -j DROP
> [0:0] -A fw-rej-log -m limit --limit 1/sec --limit-burst 3 -j LOG
> --log-prefix "fw-forward-reject "
> [0:0] -A fw-rej-log -j fw-rej
> [0:0] -A fw-www-acc -s 192.168.2.128/25 -m comment --comment "Solicited LAN
> Outbound" -j ACCEPT
> [0:0] -A fw-www-acc -s 192.168.3.128/25 -m comment --comment "Solicited VoIP
> Outbound" -j ACCEPT
> [0:0] -A in-dhcpd -i eth1 -m comment --comment "Accept eth1" -j ACCEPT
> [0:0] -A in-dhcpd -j DROP
> [0:0] -A in-drp-log -m limit --limit 1/sec --limit-burst 3 -j LOG
> --log-prefix "fw-input-drop "
> [0:0] -A in-drp-log -j DROP
> [0:0] -A in-icmp -p icmp -m icmp --icmp-type 8 -m length --length 0:100 -m
> limit --limit 1/sec -m comment --comment "Ping Limit 1/sec" -j ACCEPT
> [0:0] -A in-icmp -m state --state RELATED -m comment --comment RELATED -j
> ACCEPT
> [0:0] -A in-rej -p udp -m limit --limit 1/sec --limit-burst 3 -j in-rej-fin
> [0:0] -A in-rej ! -p udp -m limit --limit 1/sec --limit-burst 3 -j
> in-rej-fin
> [0:0] -A in-rej -j DROP
> [0:0] -A in-rej-fin -p tcp -j REJECT --reject-with tcp-reset
> [0:0] -A in-rej-fin -p udp -j REJECT --reject-with icmp-port-unreachable
> [0:0] -A in-rej-fin ! -p icmp -j REJECT --reject-with icmp-proto-unreachable
> [0:0] -A in-rej-fin -j DROP
> [0:0] -A in-rej-log -m limit --limit 1/sec --limit-burst 3 -j LOG
> --log-prefix "fw-input-reject "
> [0:0] -A in-rej-log -j in-rej
> COMMIT
> # Completed on Fri Apr  6 23:13:23 2012
> # Generated by iptables-save v1.4.12.1 on Fri Apr  6 23:13:23 2012
> *nat
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :post-out-ovpn - [0:0]
> :pre-in-dns - [0:0]
> :pre-in-privoxy - [0:0]
> [0:0] -A PREROUTING -p udp -m comment --comment "DNS Redirect" -m udp
> --dport 53 -j pre-in-dns
> [0:0] -A PREROUTING -p tcp -m comment --comment "Privoxy Redirect" -m tcp
> --dport 80 -j pre-in-privoxy
> [0:0] -A POSTROUTING -s 192.168.0.0/16 -m comment --comment Masquerading -j
> MASQUERADE
> [0:0] -A pre-in-dns -s 192.168.0.0/16 -p udp -m comment --comment "Force DNS
> thru BIND" -j REDIRECT --to-ports 53
> [0:0] -A pre-in-privoxy -s 192.168.0.0/16 -p tcp -m comment --comment
> "Privoxy HTTP Redirect" -j REDIRECT --to-ports 8081
> COMMIT
> # Completed on Fri Apr  6 23:13:23 2012
> # Generated by iptables-save v1.4.12.1 on Fri Apr  6 23:13:23 2012
> *mangle
> :PREROUTING ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed on Fri Apr  6 23:13:23 2012
>
> ##>lsmod
> Module                  Size  Used by    Not tainted
> iptable_mangle          1470  0
> ipt_REDIRECT            1133  2
> ipt_MASQUERADE          1576  1
> iptable_nat             3590  1
> nf_nat                 13271  3 ipt_REDIRECT,ipt_MASQUERADE,iptable_nat
> xt_length               1194  1
> ipt_REJECT              2087  4
> ipt_LOG                 6324  4
> xt_limit                1976  9
> xt_TCPMSS               3037  1
> xt_tcpudp               2301 12
> nf_conntrack_ipv4      10348 10 iptable_nat,nf_nat
> nf_defrag_ipv4          1305  1 nf_conntrack_ipv4
> xt_state                1197  7
> nf_conntrack           51077  5
> ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state
> xt_comment               945 29
> iptable_filter          1398  1
> ip_tables              18588  3 iptable_mangle,iptable_nat,iptable_filter
> x_tables               15642 14
> iptable_mangle,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,xt_length,ipt_REJECT,ipt_LOG,xt_limit,xt_TCPMSS,xt_tcpudp,xt_state,xt_comment,iptable_filter,ip_tables
> pppoe                   9200  0
> pppox                   1680  1 pppoe
> ppp_generic            22543  2 pppoe,pppox
> slhc                    3905  1 ppp_generic
> ipv6                  274324 26
> af_packet              20808  2
> evdev                  10176  7
> usbhid                 15727  0
> hid                    72924  1 usbhid
> usbkbd                  4222  0
> serio_raw               3824  0
> psmouse                33674  0
> pcspkr                  1761  0
> i2c_i801                7356  0
> i2c_core               16104  1 i2c_i801
> snd_hda_codec_realtek   273890  1
> snd_hda_intel          18741  0
> snd_hda_codec          55393  2 snd_hda_codec_realtek,snd_hda_intel
> snd_hwdep               5900  1 snd_hda_codec
> snd_pcm                61650  2 snd_hda_intel,snd_hda_codec
> snd_timer              18580  1 snd_pcm
> snd                    53957  6
> snd_hda_codec_realtek,snd_hda_intel,snd_hda_codec,snd_hwdep,snd_pcm,snd_timer
> soundcore               4489  1 snd
> snd_page_alloc          6391  2 snd_hda_intel,snd_pcm
> shpchp                 22100  0
> pci_hotplug            20196  1 shpchp
> iTCO_wdt               12227  0
> iTCO_vendor_support     1778  1 iTCO_wdt
> e1000e                118081  0
> r8169                  34717  0
> firmware_class          5345  1 r8169
> mii                     3339  1 r8169
> video                  10919  0
> backlight               3814  1 video
> button                  4332  0
> processor              23414  0
> ehci_hcd               32356  0
> uhci_hcd               18888  0
> ahci                   20207  0
> libahci                16233  1 ahci
> libata                146299  2 ahci,libahci
> loop                   14314  0
> ext4                  226545  2
> mbcache                 4595  1 ext4
> jbd2                   46759  1 ext4
> crc16                   1247  1 ext4
> usb_storage            32709  2
> usb_libusual           10254  1 usb_storage
> usbcore               121728  7
> usbhid,usbkbd,ehci_hcd,uhci_hcd,usb_storage,usb_libusual
> sd_mod                 23519  3
> scsi_mod               84453  3 libata,usb_storage,sd_mod
>
> ##>ip6tables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>



-- 
Jeff
---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Sat Apr 07 2012 - 16:36:04 UTC
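Jeff's one-line question points at the usual cause of exactly the symptom Tiger describes: with net.ipv4.ip_forward=0 the kernel discards transit packets at the routing decision, before the filter table's FORWARD chain is consulted, so no rule counter and no LOG target can ever show them, however correct the ruleset is. The script below is an added diagnostic (example code, not from the thread, from Alpine or from either poster) that checks the two kernel knobs that drop packets ahead of FORWARD and then reads an `iptables-save -c` dump for the "policy DROP, all counters zero" pattern seen above. Every path is a parameter, so it also runs against files copied off a router; the file names and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the thread or from Alpine).
# Arguments: ip_forward sysctl file, "iptables-save -c" dump, rp_filter file.
# On the router itself:
#   iptables-save -c > /tmp/rules.txt
#   sh diag.sh /proc/sys/net/ipv4/ip_forward /tmp/rules.txt \
#              /proc/sys/net/ipv4/conf/all/rp_filter

# "enabled" when the kernel routes between interfaces, "disabled" otherwise.
# A missing or unreadable file is reported as disabled, the kernel default.
ip_forward_state() {
    case "$(cat "$1" 2>/dev/null)" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# rp_filter=1 (strict reverse-path filtering) is the other pre-FORWARD drop:
# a packet is discarded when the route back to its source does not leave
# through the interface it arrived on.
rp_filter_mode() {
    case "$(cat "$1" 2>/dev/null)" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Succeeds when the dump shows the symptom from the thread: FORWARD policy
# DROP with a zero policy counter and no FORWARD rule that counted a packet.
forward_chain_idle() {
    grep -q '^:FORWARD DROP \[0:0\]' "$1" || return 1
    ! grep -qE '^\[[1-9][0-9]*:[0-9]+\] -A FORWARD ' "$1"
}

# Exit status: 0 FORWARD is seeing traffic, 1 ip_forward is off,
# 2 forwarding is on but the chain is still idle.
diagnose() {
    if [ "$(ip_forward_state "$1")" = disabled ]; then
        echo "net.ipv4.ip_forward=0: kernel drops transit packets before FORWARD"
        echo "load the FORWARD ruleset first, then: sysctl -w net.ipv4.ip_forward=1"
        return 1
    fi
    if forward_chain_idle "$2"; then
        echo "forwarding on but FORWARD idle: rp_filter is $(rp_filter_mode "$3"); check routes"
        return 2
    fi
    echo "FORWARD chain is seeing traffic"
    return 0
}

if [ "$#" -eq 3 ]; then
    diagnose "$1" "$2" "$3"
fi
```

Two practical notes. First, the order of operations matters on a box that is about to become a router: ip_forward is 0 by default precisely so that a host does not route until told to, so load the filter rules (FORWARD policy DROP plus the RELATED,ESTABLISHED rule) before flipping the sysctl, otherwise there is a window in which the machine forwards with the default ACCEPT policy. To make it survive a reboot on Alpine, set `net.ipv4.ip_forward = 1` in /etc/sysctl.conf (or a file under /etc/sysctl.d/), which the sysctl OpenRC service applies at boot. Second, an observation on the posted ruleset rather than on the actual network: once forwarding is on, new connections from the LAN only pass through fw-www-acc if they come from 192.168.2.128/25 or 192.168.3.128/25, so a test client at 192.168.2.1 would still end up in fw-rej-log and be logged with the "fw-forward-reject" prefix.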