Hi all,
I’m a little desperate with the configuration of an OpenSuse 15.4 machine in the local lab. The system is equipped with two ethernet ports, one of which (eth0) is connected to the in-house network, the other one (eth1) to an isolated local network in the lab - only that it isn’t really isolated, because the host always comes up with
/proc/sys/net/ipv4/ip_forward = 1
so traffic from the local network may be routed to the outside world, which is not intended. After searching different resources, I’ve finally started editing /etc/sysctl.conf, only to discover that my configuration attempts using YasT had already created a file /etc/sysctl.d/70-yast.conf containing
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.disable_ipv6 = 1
which should do the job. However, after each reboot, forwarding is again active and must be disabled manually. Some system service seems to modify the setting, but I’ve so far failed to pinpoint it. Sending the system to single-user-console mode and back to graphical login by
init 1; sleep 90; init 5 &
reenables forwarding, but none of the suspected services (e.g. dhcpd, avahi, virtualbox, wicked) seems to be responsible, as restarting them manually does not turn forwarding on. Searching the OS installation for ip_forward also does not reveal any suspicious candidates, so I am currently at a loss here.
Any further suggestions for locating the culprit are welcome!
Btw, same behaviour in OpenSuse 15.3 before system update.
Thanks,
Ulrich
Is the firewall active?
systemctl status firewalld.service
systemctl stop firewalld.service
There are 2 references to IP Forwarding in the openSUSE documentation:
The Security manual points out:
A node should not send out IPv4 ICMP redirects, unless it acts as a router.
IP forwarding should only be enabled on systems acting as routers.
Thanks a lot, arvidjaar! - that’s indeed the source of the problem:
pc20:# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0
pc20:# systemctl restart firewalld.service
pc20:# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Lesson learned: never make any assumptions - I’d never have thought that the firewall that is supposed to shut out traffic actually helps forwarding it! Will now try to figure out which setting is responsible and post the information here.
Thanks again, you’ve saved my day!
Ulrich
Firewalld explicitly enables ip_forward
if there are masquerading or port forwarding rules as otherwise those rules simply won’t work. Firewalld will block any attempt to forward between interfaces in different zones by default.
Yes, I’ve figured that out shortly after our exchange, before I had to leave yesterday.
In my case eth0 was in the external zone with masquerading enabled and eth1 (lab network) was in the internal zone without masquerading. The YaST configuration module does not support adjusting this parameter, so I had to use the firewall-config tool. Subsequently I found the relevant configuration file /etc/firewalld/zones/external.xml
Interestingly, most documentation (as suggested by dcurtisfra) describes how to set up a router, and there are far fewer tips on how not to route between two networks. I wonder how I came to activate masquerading in the first place; I can’t remember doing so.
Thanks again for all support here, I am somewhat overwhelmed by the speed in which suggestions appeared yesterday.
Ulrich
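To make the cause described above (firewalld enabling ip_forward for zones with masquerading or port forwarding, and the external.xml zone file in Ulrich's case) easy to spot on another host, here is an added audit script that is not part of the thread; it parses firewalld zone XML files and reports which zones carry settings that force forwarding on. The zone contents below are constructed samples mirroring the thread's setup, and load_zone_dir assumes the usual /etc/firewalld/zones location.

```python
"""Audit firewalld zone files for the settings that make firewalld turn ip_forward on."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample zone files mirroring the thread's setup: eth0 in 'external'
# with masquerading enabled, eth1 in 'internal' without it (not the poster's real files).
SAMPLE_ZONES = {
    "external": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <interface name="eth0"/>
  <masquerade/>
</zone>""",
    "internal": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="eth1"/>
</zone>""",
}

def forwarding_triggers(zone_xml: str) -> list[str]:
    """Return the zone settings that make firewalld require IP forwarding.

    firewalld sets net.ipv4.ip_forward=1 itself whenever a zone enables
    masquerading or defines a port forward, so these are the settings to
    look for when forwarding keeps coming back after every reboot.
    """
    root = ET.fromstring(zone_xml)
    triggers = ["masquerade"] if root.find("masquerade") is not None else []
    for fp in root.findall("forward-port"):
        target = fp.get("to-addr") or "local"
        to_port = fp.get("to-port") or fp.get("port")
        triggers.append(f"forward-port {fp.get('protocol')}/{fp.get('port')} -> {target}:{to_port}")
    return triggers

def audit_zones(zone_xml_by_name: dict[str, str]) -> dict[str, list[str]]:
    """Map each zone name to its forwarding-related settings (empty list = none)."""
    return {name: forwarding_triggers(xml) for name, xml in zone_xml_by_name.items()}

def load_zone_dir(directory: str = "/etc/firewalld/zones") -> dict[str, str]:
    """Read every zone override file under the directory, for use on a real host."""
    return {p.stem: p.read_text() for p in Path(directory).glob("*.xml")}

if __name__ == "__main__":
    for zone, triggers in audit_zones(SAMPLE_ZONES).items():
        print(f"zone {zone}: {', '.join(triggers) or 'nothing that forces ip_forward'}")
```

On a real host, pass load_zone_dir() to audit_zones; note that /etc/firewalld/zones only holds zones that were modified from the defaults, and a zone flagged here is the one whose masquerade or forward-port entry needs removing before a sysctl.d setting can stick.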