nitaish

asked on

How to enable IP forwarding?

Hello,
I want to enable IP forwarding in a Linux box with Red Hat ES 3.0. I know that we can do it using IPTABLES, but I have no idea as to how to do it. Can anybody help me with the procedure to add IP forwarding so that if anybody sends a request to the IP, it gets automatically forwarded to another IP which is on a different network?

Awaiting a fast response.

Regards

Nitesh N
QualiSpace
xavigo

Hi,

First of all, enable IP forwarding between interfaces. The clean and elegant way to do it is editing /etc/sysctl.conf and adding/modifying the line:

net.ipv4.ip_forward=1

and running sysctl -p

Quick and dirty way is:

echo 1 > /proc/sys/net/ipv4/ip_forward

That should do it if you want routing between 2 different interfaces, say eth0 and eth1.

Now let's consider eth0 as an interface on net0 and eth1 on net1.

As far as I understood, you want to forward traffic to an IP address on net0 to a network reachable through net1. For doing that you must enable "Proxy ARP" on the interface where you want to route _from_.

Issue the following command:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

And/or edit the sysctl.conf file and add:

net.ipv4.conf.eth0.proxy_arp=1

Now, route the "fake" address on net0 to the destination interface where the "actual" IP address can be reached.

route add -host <fake_IP_address> dev eth1

eth1 being the interface where the actual IP is.

Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

eth0:
* source: source IP
* dest: fake IP
eth1:
* source: source IP
* dest: fake IP

And the ping will fail because the fake IP does not exist, but you've managed to force routing between interfaces. Here is where iptables comes in.

iptables NAT capabilities will translate fake IP to actual IP.

First of all, make these concepts crystal clear:

* PREROUTING chain: translations applied BEFORE the routing decision, so DESTINATION ADDRESSES will be translated
* POSTROUTING chain: translations applied AFTER the routing decision, so SOURCE ADDRESSES will be translated.
* And the most important of all: "Traffic has 2 directions, outgoing and incoming"

So, when you request "fake address", you have to translate the destination address of the fake IP:

iptables -t nat -A PREROUTING -i eth0 -d <fake ip address> -j DNAT --to-destination <actual IP address>

And when the "actual IP" responds, you'll have to translate the SOURCE address of the response to the "fake" one:

iptables -t nat -A POSTROUTING -o eth0 -s <actual ip address> -j SNAT --to-source <fake IP address>

Of course you'll have to arrange the iptables commands to your iptables rules and chains, but it should do it. And don't forget to issue a 'service iptables save' to save the iptables settings between reboots.

Now, if you try to ping "fake address" and capture the traffic on eth0 and eth1 you'll get the following results:

eth0 (ping-request):
* source: source IP
* dest: fake IP
eth1 (ping-request):
* source: source IP
* dest: actual IP

eth1 (ping-reply):
* source: actual IP
* dest: ping-request originator
eth0 (ping-reply):
* source: fake IP
* dest: ping-request originator

Hope it helps and good luck,
Javier
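As an added example (not code from the original thread or from Javier's answer), the POSIX shell script below turns the procedure in the answer above into a reviewable list of commands: enable ip_forward, enable proxy ARP on the inbound interface, add the host route for the fake address, and install the DNAT/SNAT pair. It also adds the part a practitioner would want around it: the two addresses are validated before anything is generated, and the FORWARD chain is restricted so the box forwards only this one mapping instead of becoming a router for everything. Interface names and addresses (eth0, eth1, 192.0.2.10, 198.51.100.20) are constructed placeholders. The same function accepts 802.1Q subinterface names such as eth0.10 and eth0.20 (assumed names) for the VLAN case raised in the follow-up, which is why proxy_arp is written through /proc rather than through a dotted sysctl key: a dot in the interface name would be ambiguous in the key form.

```shell
#!/bin/sh
# Added example, not from the original thread: generate (and optionally apply)
# the fake-IP -> actual-IP forwarding setup described in the answer, plus a
# FORWARD-chain restriction so only this mapping is forwarded.
# All interface names and addresses below are constructed placeholders.

IN_IF="${IN_IF:-eth0}"                   # where the "fake" IP is requested (a VLAN subinterface like eth0.10 works too)
OUT_IF="${OUT_IF:-eth1}"                 # where the "actual" host is reachable (e.g. eth0.20)
FAKE_IP="${FAKE_IP:-192.0.2.10}"         # documentation-range placeholder
ACTUAL_IP="${ACTUAL_IP:-198.51.100.20}"  # documentation-range placeholder

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# forwarding_commands IN_IF OUT_IF FAKE_IP ACTUAL_IP
# Print, one per line, the commands that implement the mapping. Nothing is
# executed here, so the output can be reviewed or diffed before it is applied.
# Returns 2 (and prints nothing) if either address is not a valid IPv4 address.
forwarding_commands() {
    in_if=$1; out_if=$2; fake=$3; actual=$4
    is_ipv4 "$fake" && is_ipv4 "$actual" || return 2
    # proxy_arp is set via /proc so that interface names containing dots
    # (VLAN subinterfaces) need no special quoting.
    # The SNAT rule mirrors the answer; replies to DNAT'd connections are
    # reverse-translated by connection tracking on their own, so its effect is
    # that connections the actual host opens itself also appear as the fake IP.
    # The FORWARD rules assume this box should forward nothing else.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
echo 1 > /proc/sys/net/ipv4/conf/$in_if/proxy_arp
route add -host $fake dev $out_if
iptables -t nat -A PREROUTING -i $in_if -d $fake -j DNAT --to-destination $actual
iptables -t nat -A POSTROUTING -o $in_if -s $actual -j SNAT --to-source $fake
iptables -A FORWARD -i $in_if -o $out_if -d $actual -j ACCEPT
iptables -A FORWARD -i $out_if -o $in_if -s $actual -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# forwarding_state IN_IF: show the live values of the two kernel knobs (0 or 1),
# useful to confirm the setting took effect or survived a reboot.
forwarding_state() {
    printf 'ip_forward=%s proxy_arp(%s)=%s\n' \
        "$(cat /proc/sys/net/ipv4/ip_forward)" "$1" \
        "$(cat "/proc/sys/net/ipv4/conf/$1/proxy_arp")"
}

# Usage:  sh forward.sh show    (print the commands)
#         sh forward.sh apply   (run them, as root)
#         sh forward.sh status  (print the current kernel settings)
# Persist the rules afterwards with 'service iptables save', as the answer notes.
case "${1:-}" in
    show)   forwarding_commands "$IN_IF" "$OUT_IF" "$FAKE_IP" "$ACTUAL_IP" ;;
    apply)  forwarding_commands "$IN_IF" "$OUT_IF" "$FAKE_IP" "$ACTUAL_IP" | sh -e ;;
    status) forwarding_state "$IN_IF" ;;
esac
```

Running `sh forward.sh show` with the environment variables set to your own interfaces and addresses prints the eight commands so they can be checked against the existing iptables rule set before `apply` runs them; `status` reads the two kernel knobs back so the change can be confirmed. Everything in the nat table matches the answer above; the only additions are the address validation and the FORWARD-chain restriction.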
nitaish (ASKER)

Hello Javier,
Thanks for all the information. It was quick and a good one. However, here I have two IP addresses in different VLANs with each VLAN assigned a particular block of IP addresses. How can I then use IPTables for forwarding IP from 1st VLAN to the IP address in the second VLAN?

Regards

Nitesh N
QualiSpace
ASKER CERTIFIED SOLUTION
xavigo