Friday, April 4, 2014

Set up Linux box as a router

Ingredients:
  1. one Linux box with multiple Ethernet interfaces
  2. at least two networks with segments assigned
  3. a desire to make the Linux box route packets between the networks



A quick little blog post with info obtained by pestering my more knowledgeable colleagues.

Forwarding


Although the Linux kernel is capable of routing packets, by default it is not configured to do so. There are two dimensions to accomplishing this:
  1. telling the kernel to forward packets (IPv4, IPv6)
  2. telling the operating system to tell the kernel to forward packets

The second step is necessary because, without it, the kernel will revert to its default "non-routing" behavior at the next boot.

Tell the kernel to route packets


There are lots of HOWTOs on this. For example, Marius Ducea has a nice one.

There is more to it than just one sysctl parameter, though. On my router I am setting all of these:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1

Make the settings survive reboot


On SUSE there are several factors that must be taken into account. First of all, there is /etc/sysctl.conf, where I have the above lines. This just by itself is not enough, however, because there is another crucial file . . .

The other file is /etc/sysconfig/sysctl, where I set the following parameters:
IP_FORWARD="yes"
IPV6_DISABLE="no"
IPV6_FORWARD="yes"

If, for example, the IP_FORWARD parameter is set to "no", the settings in /etc/sysctl.conf will effectively be ignored, because /etc/init.d/boot.sysctl (which applies /etc/sysctl.conf) runs before /etc/init.d/boot.ipconfig (which applies /etc/sysconfig/sysctl), so the later script has the last word.

For completeness, there is also /etc/sysconfig/network/ifsysctl for interface-specific sysctl settings. See man ifsysctl for details.
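Because two files have to agree before the router behaves the same after a reboot, here is a small audit script (added here, not part of the original post) that cross-checks the five sysctl keys above against the three /etc/sysconfig/sysctl switches, and optionally against the running kernel via /proc/sys. Function names and the sample files are my own; on a real SUSE router call it as check_router_config /etc/sysctl.conf /etc/sysconfig/sysctl / (pass "/" as the third argument to include the live kernel).

```shell
#!/bin/sh
# Audit helper (hypothetical, not from the post): does the on-disk
# configuration match what the post says a SUSE router needs, and does
# the running kernel agree with the disk? File paths are arguments so it
# can run against constructed samples as well as the real files.

FORWARD_KEYS="net.ipv4.ip_forward net.ipv4.conf.default.forwarding \
net.ipv4.conf.all.forwarding net.ipv6.conf.default.forwarding \
net.ipv6.conf.all.forwarding"

# sysctl_value FILE KEY: value of KEY in a sysctl.conf-style file (last match wins, like sysctl -p)
sysctl_value() {
    k=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# sysconfig_value FILE VAR: value of VAR="..." (quotes optional) in /etc/sysconfig/sysctl
sysconfig_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# live_value ROOT KEY: running kernel value; the key's dots map to the /proc/sys path
live_value() {
    cat "$1/proc/sys/$(printf '%s' "$2" | tr . /)" 2>/dev/null || true
}

# check_router_config SYSCTL_CONF SYSCONFIG_SYSCTL [ROOT]
# Prints one line per problem and returns the number of problems (0 = all good).
# ROOT is "/" on a real host; leave it empty to skip the live kernel comparison.
check_router_config() {
    conf=$1; syscfg=$2; root=${3:-}; bad=0
    for key in $FORWARD_KEYS; do
        v=$(sysctl_value "$conf" "$key")
        [ "$v" = 1 ] || { echo "$conf: $key is '${v:-unset}', expected 1"; bad=$((bad+1)); }
        if [ -n "$root" ]; then
            l=$(live_value "$root" "$key")
            [ "$l" = 1 ] || { echo "kernel: $key is '${l:-unset}', expected 1"; bad=$((bad+1)); }
        fi
    done
    # boot.ipconfig applies these after boot.sysctl, so a wrong value here silently wins
    for pair in IP_FORWARD=yes IPV6_FORWARD=yes IPV6_DISABLE=no; do
        var=${pair%=*}; want=${pair#*=}
        v=$(sysconfig_value "$syscfg" "$var")
        [ "$v" = "$want" ] || { echo "$syscfg: $var is '${v:-unset}', expected $want"; bad=$((bad+1)); }
    done
    return $bad
}
```

A non-zero exit means the box will not forward (or will forward when it should not) after the next reboot, which is the kind of drift worth catching before it becomes an outage or an unintended transit path.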

Myth debunking


Many sources write about using iptables to route packets. This may have been necessary in the olden days, but ever since the advent of iproute2, it is not necessary or even desirable to use iptables (i.e. the userspace interface to netfilter) for static routing.

Simply put: iptables is for filtering packets, while iproute2 is for routing packets.

The ip command is still fairly new, so it's good to remind myself that it replaces older commands like ifconfig, route, and brctl, which iproute2 has obsoleted (they remain present in all major Linux distributions for backward compatibility).
