Closed issues:

#1: iptables' state module is obsolete #2: Set /proc/sys/net/ipv4/ip_forward = 1
drsound · Mar 15, 2015 · 80ef8a7 · 80ef8a7
1 parent f924ca3
commit 80ef8a7
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 18 deletions.
diff --git a/README.md b/README.md
@@ -143,11 +143,11 @@ Documentation is included as comments in the output, here is a dump using the st
 #    --sport, etc.
 
 #Example Provider 1
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 1
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 1
 #Example Provider 2
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 2
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 2
 #Example Provider 3
-#[0:0] -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark 3
+#[0:0] -A PREROUTING -i eth0 -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark 3
 
 #Mark packets with the outgoing interface:
 #
@@ -165,21 +165,21 @@ Documentation is included as comments in the output, here is a dump using the st
 #New inbound connections: mark the connection with the incoming interface.
 
 #Example Provider 1
-[0:0] -A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-mark 1
+[0:0] -A PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
 #Example Provider 2
-[0:0] -A PREROUTING -i eth2 -m state --state NEW -j CONNMARK --set-mark 2
+[0:0] -A PREROUTING -i eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
 #Example Provider 3
-[0:0] -A PREROUTING -i eth3 -m state --state NEW -j CONNMARK --set-mark 3
+[0:0] -A PREROUTING -i eth3 -m conntrack --ctstate NEW -j CONNMARK --set-mark 3
 
 #New outbound connections: mark the connection with the outgoing interface
 #(chosen by the multipath routing).
 
 #Example Provider 1
-[0:0] -A POSTROUTING -o eth1 -m state --state NEW -j CONNMARK --set-mark 1
+[0:0] -A POSTROUTING -o eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
 #Example Provider 2
-[0:0] -A POSTROUTING -o eth2 -m state --state NEW -j CONNMARK --set-mark 2
+[0:0] -A POSTROUTING -o eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
 #Example Provider 3
-[0:0] -A POSTROUTING -o eth3 -m state --state NEW -j CONNMARK --set-mark 3
+[0:0] -A POSTROUTING -o eth3 -m conntrack --ctstate NEW -j CONNMARK --set-mark 3
 
 COMMIT
 
@@ -245,9 +245,9 @@ COMMIT
 #This is just a very basic example, add your own rules for the INPUT chain.
 
 [0:0] -A INPUT -i lo -j ACCEPT
-[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 [0:0] -A FORWARD -i eth0 -o eth1 -j LAN_WAN
 [0:0] -A FORWARD -i eth0 -o eth2 -j LAN_WAN

diff --git a/lib/fault_tolerant_router/generate_iptables.rb b/lib/fault_tolerant_router/generate_iptables.rb
@@ -23,8 +23,8 @@ def generate_iptables
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "#[0:0] -A PREROUTING -i #{LAN_INTERFACE} -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}"
-    puts "#[0:0] -A PREROUTING -i #{DMZ_INTERFACE} -m state --state NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}" if DMZ_INTERFACE
+    puts "#[0:0] -A PREROUTING -i #{LAN_INTERFACE} -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "#[0:0] -A PREROUTING -i #{DMZ_INTERFACE} -m conntrack --ctstate NEW -p tcp --dport XXX -j CONNMARK --set-mark #{BASE_FWMARK + i}" if DMZ_INTERFACE
   end
   puts <<END
 
@@ -49,7 +49,7 @@ def generate_iptables
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "[0:0] -A PREROUTING -i #{uplink[:interface]} -m state --state NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "[0:0] -A PREROUTING -i #{uplink[:interface]} -m conntrack --ctstate NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
   end
   puts <<END
 
@@ -59,7 +59,7 @@ def generate_iptables
 END
   UPLINKS.each_with_index do |uplink, i|
     puts "##{uplink[:description]}"
-    puts "[0:0] -A POSTROUTING -o #{uplink[:interface]} -m state --state NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
+    puts "[0:0] -A POSTROUTING -o #{uplink[:interface]} -m conntrack --ctstate NEW -j CONNMARK --set-mark #{BASE_FWMARK + i}"
   end
   puts <<END
 
@@ -135,9 +135,9 @@ def generate_iptables
 #This is just a very basic example, add your own rules for the INPUT chain.
 
 [0:0] -A INPUT -i lo -j ACCEPT
-[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
-[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
 END
   UPLINKS.each do |uplink|

diff --git a/lib/fault_tolerant_router/monitor.rb b/lib/fault_tolerant_router/monitor.rb
@@ -62,6 +62,9 @@ def monitor
     command "ip route del table #{BASE_TABLE + i} &> /dev/null"
   end
 
+  #enable IP forwarding
+  command 'echo 1 > /proc/sys/net/ipv4/ip_forward'
+
   #disable "reverse path filtering" on the uplink interfaces
   command 'echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
   UPLINKS.each do |uplink|

diff --git a/lib/fault_tolerant_router/version.rb b/lib/fault_tolerant_router/version.rb
@@ -1,3 +1,3 @@
 module FaultTolerantRouter
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end