What is kernel ip forwarding?


Reposted from https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding


Q:

I have seen on many blogs, using this command to enable IP forwarding while using many network security/sniffing tools on Linux

echo 1 > /proc/sys/net/ipv4/ip_forward

Can anyone explain to me in layman's terms what this command essentially does? Does it turn your system into a router?

A:

"IP forwarding" is a synonym for "routing." It is called "kernel IP forwarding" because it is a feature of the Linux kernel.

A router has multiple network interfaces. If traffic comes in on one interface that matches a subnet of another network interface, a router then forwards that traffic to the other network interface.

So, let's say you have two NICs, one (NIC 1) is at address 192.168.2.1/24, and the other (NIC 2) is 192.168.3.1/24. If forwarding is enabled, and a packet comes in on NIC 1 with a "destination address" of 192.168.3.8, the router will resend that packet out of NIC 2.

It's common for routers functioning as gateways to the Internet to have a default route whereby any traffic that doesn't match any NICs will go through the default route's NIC. So in the above example, if you have an internet connection on NIC 2, you'd set NIC 2 as your default route and then any traffic coming in from NIC 1 that isn't destined for something on 192.168.2.0/24 will go through NIC 2. Hopefully there are other routers past NIC 2 that can further route it (in the case of the Internet, the next hop would be your ISP's router, and then their provider's upstream router, etc.)

Enabling ip_forward tells your Linux system to do this. For it to be meaningful, you need two network interfaces (any 2 or more of wired NIC cards, Wifi cards or chipsets, PPP links over a 56k modem or serial, etc.).

When doing routing, security is important and that's where Linux's packet filter, iptables, gets involved. So you will need an iptables configuration consistent with your needs.

Note that enabling forwarding with iptables disabled and/or without taking firewalling and security into account could leave you open to vulnerabilities if one of the NICs is facing the Internet or a subnet you don't have control over.

Right, you'll want to do NAT if NIC 2 is a private IP. Linux can do NAT as well and iptables is the way to set it up. – LawrenceC Jul 13 '14 at 23:22

Does it need a NAT for data going from NIC 2 to NIC 1? – GutenYe Jul 14 '14 at 0:12

Typically NAT will work from the LAN to the WAN, so if NIC 2 has a private IP, and NIC 1 has a public one, you do need NAT; specifically, the internet-facing interface (NIC 1 per above) needs a MASQUERADE rule in iptables's POSTROUTING chain to do that. See revsys.com/writings/quicktips/nat.html and i.stack.imgur.com/rzz83.png. – LawrenceC Jul 16 '14 at 11:14

In simple words, will it be right if I say that enabling IP forwarding means enabling the machine to pass a packet from one of its NICs to another of its NICs? Also, would it be true if I say enabling IP forwarding is not really required on a machine with a single IP/NIC? – Sree Nov 21 '14 at 6:37

@Sree: Yes, but it won't do NAT - you need iptables for that. If you don't want to route/forward packets, don't enable forwarding. It's unlikely a single IP/NIC system needs it enabled unless you are doing something weird with VPNs. – LawrenceC Nov 21 '14 at 13:45

@ultrasawblade In the case of IP forwarding enabled and having internet connection on NIC 2 and also as the default route, if it receives a packet destined for 192.168.2.2 from NIC 1, what will the router do? – bobo May 14 '15 at 5:30

Your NIC can actually receive all traffic on the subnet by design - if you have it connected to a hub, not a switch. It won't forward it out of the default gateway since it has a direct connection to that network 192.168.2.0/24 already. So I believe it will drop it. – LawrenceC
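The forwarding decision described in the answer and the comments above, as an added example that is not part of the original post and is not kernel code: a small Python model of a host with the answer's two NICs (NIC 1 at 192.168.2.1/24, NIC 2 at 192.168.3.1/24), a default route via NIC 2, and an optional MASQUERADE rule on NIC 2. It shows what happens to a transit packet with ip_forward set to 0 versus 1, how a longest-prefix route lookup picks the egress interface, how MASQUERADE rewrites the source address on the WAN side, and that a packet for 192.168.2.2 arriving on NIC 1 matches the connected route rather than the default route. The host addresses 192.168.2.10 and 198.51.100.7 and the interface names nic1/nic2 are constructed for the example.

```python
import ipaddress

# Constructed topology taken from the answer: NIC 1 is 192.168.2.1/24, NIC 2 is
# 192.168.3.1/24, and NIC 2 also carries the default route (an assumption).
INTERFACES = {
    "nic1": ipaddress.ip_interface("192.168.2.1/24"),
    "nic2": ipaddress.ip_interface("192.168.3.1/24"),
}
ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), "nic1"),  # directly connected
    (ipaddress.ip_network("192.168.3.0/24"), "nic2"),  # directly connected
    (ipaddress.ip_network("0.0.0.0/0"), "nic2"),       # default route via NIC 2
]
WAN_IF = "nic2"  # the interface a MASQUERADE rule would be attached to


def lookup_route(dst):
    """Longest-prefix match over ROUTES, as a kernel routing table does.

    Returns the name of the egress interface for dst.
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for net, ifname in ROUTES:
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def handle_packet(in_if, src, dst, ip_forward, masquerade=False):
    """Model what the host does with a packet that arrived on in_if.

    Returns a dict whose 'action' is 'local', 'drop' or 'forward'; for
    'forward' it also carries out_if and the (possibly rewritten) src.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # Packets addressed to one of our own interfaces are delivered locally.
    # That happens whether or not ip_forward is set.
    if any(dst == iface.ip for iface in INTERFACES.values()):
        return {"action": "local"}
    # With ip_forward = 0 the kernel never relays transit traffic.
    if not ip_forward:
        return {"action": "drop", "reason": "ip_forward=0"}
    out_if = lookup_route(dst)
    # A MASQUERADE rule (iptables -t nat -A POSTROUTING -o <wan> -j MASQUERADE)
    # rewrites the source to the egress interface's own address for private
    # traffic leaving the WAN side, so replies can find their way back.
    if masquerade and out_if == WAN_IF and src.is_private:
        src = INTERFACES[WAN_IF].ip
    result = {"action": "forward", "out_if": out_if,
              "src": str(src), "dst": str(dst)}
    if out_if == in_if:
        # The destination is on the ingress interface's own subnet, so the
        # lookup matched the connected route, not the default route.
        result["note"] = "destination is directly connected on the ingress interface"
    return result


if __name__ == "__main__":
    # The answer's example: NIC 1 receives a packet for 192.168.3.8, out NIC 2.
    print(handle_packet("nic1", "192.168.2.10", "192.168.3.8", ip_forward=1))
    # Same packet with forwarding disabled: the host discards it.
    print(handle_packet("nic1", "192.168.2.10", "192.168.3.8", ip_forward=0))
    # Internet-bound traffic takes the default route; with MASQUERADE the
    # source becomes NIC 2's address.
    print(handle_packet("nic1", "192.168.2.10", "198.51.100.7",
                        ip_forward=1, masquerade=True))
    # bobo's question: a packet for 192.168.2.2 arriving on NIC 1 matches the
    # connected 192.168.2.0/24 route, not the default route.
    print(handle_packet("nic1", "192.168.2.10", "192.168.2.2", ip_forward=1))
```

The real kernel does more than this (reverse-path filtering, ICMP redirects, netfilter hooks in FORWARD), but the three checkpoints modelled here are the ones the thread turns on: local delivery is independent of ip_forward, transit traffic is dropped unless ip_forward is 1, and NAT is a separate iptables decision layered on top of the route lookup.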