CentOS 7 as NAT Gateway for Private Network lufy December 25, 2017 <p>Original site: <a href="http://blog.redbranch.net/2015/07/30/centos-7-as-nat-gateway-for-private-network/" target="_blank">http://blog.redbranch.net/2015/07/30/centos-7-as-nat-gateway-for-private-network/</a></p> <p>The scenario is a small private network connected via a switch and using 192.168.0.* addresses. One of the machines on the network (call it RTR001) has two network interface cards: one with an address on the private 192.168.0.* network and another on a routable 123.111.0.* network that provides wider network (and internet) access. RTR001 will take traffic from the private 192.168.0.* network and route it out via its other interface to the internet, rewriting the source address to its own public one so that replies find their way back (source NAT, which firewalld calls masquerading). The addresses used here are placeholders; substitute your own.</p> <p>So the router machine (RTR001) has the following interfaces and IP addresses:</p> <ul> <li><span style="font-family: 'courier new', courier;">eth0 123.111.0.1</span> (external, public-facing)</li> <li><span style="font-family: 'courier new', courier;">eth1 192.168.0.1</span> (internal, private network)</li> </ul> <p>Configure the kernel to forward IP packets. Be aware that once forwarding is on, the host will route between any of its interfaces; the firewall rules that follow are what decide which traffic is actually let through, so do not skip them. The persistent setting lives in:</p>
<div id="crayon-5a40613195052599083505" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a40613195052599083505-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a40613195052599083505-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-o">/</span><span class="crayon-v">etc</span><span class="crayon-o">/</span><span class="crayon-v">sysctl</span><span class="crayon-sy">.</span><span class="crayon-v">conf</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<div id="crayon-5a40613195087426021244" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a40613195087426021244-1"><span style="font-family: 'courier new', courier;">1</span></div> <div class="crayon-num crayon-striped-num" data-line="crayon-5a40613195087426021244-2"><span style="font-family: 'courier new', courier;">2</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a40613195087426021244-1" class="crayon-line"><span class="crayon-p" style="font-family: 'courier new', courier;"># Controls IP packet forwarding</span></div> <div id="crayon-5a40613195087426021244-2" class="crayon-line crayon-striped-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">net</span><span class="crayon-sy">.</span><span class="crayon-v">ipv4</span><span class="crayon-sy">.</span><span class="crayon-v">ip_forward</span><span class="crayon-o">=</span><span class="crayon-cn">1</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>To avoid rebooting, apply the same change to the running kernel (<span style="font-family: 'courier new', courier;">sysctl -p</span> would equally load the file just edited):</p>
<div id="crayon-5a40613195099399534764" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a40613195099399534764-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a40613195099399534764-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">sysctl </span><span class="crayon-o">-</span><span class="crayon-i">w </span><span class="crayon-v">net</span><span class="crayon-sy">.</span><span class="crayon-v">ipv4</span><span class="crayon-sy">.</span><span class="crayon-v">ip_forward</span><span class="crayon-o">=</span><span class="crayon-cn">1</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>On CentOS 7 the packet filter is managed by firewalld, so the routing policy is expressed through its zones rather than hand-written iptables rules. After configuring both network interfaces, bind the public-facing NIC to the <span style="font-family: 'courier new', courier;">external</span> zone, whose stock configuration rejects unsolicited inbound traffic, allows only the ssh service and has masquerading enabled, and bind the private NIC to the <span style="font-family: 'courier new', courier;">internal</span> zone. If the interfaces are managed by NetworkManager, the zone is also recorded in the connection profile (<span style="font-family: 'courier new', courier;">ZONE=</span> in the ifcfg file, or <span style="font-family: 'courier new', courier;">nmcli connection modify &lt;name&gt; connection.zone external</span>); whichever way you set it, confirm the binding afterwards with <span style="font-family: 'courier new', courier;">firewall-cmd --get-zone-of-interface=eth0</span>:</p>
<div id="crayon-5a406131950a8239712779" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950a8239712779-1"><span style="font-family: 'courier new', courier;">1</span></div> <div class="crayon-num crayon-striped-num" data-line="crayon-5a406131950a8239712779-2"><span style="font-family: 'courier new', courier;">2</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950a8239712779-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">external </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-v">eth0 </span><span class="crayon-o">--</span><span class="crayon-e">permanent</span></span></div> <div id="crayon-5a406131950a8239712779-2" class="crayon-line crayon-striped-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-v">eth1 </span><span class="crayon-o">--</span><span class="crayon-v">permanent</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>After making changes, reload so that the permanent configuration becomes the running one. The command used here, <span style="font-family: 'courier new', courier;">--complete-reload</span>, also reloads the netfilter kernel modules and discards connection-tracking state, so existing connections through the gateway are cut; a plain <span style="font-family: 'courier new', courier;">firewall-cmd --reload</span> is sufficient for configuration changes and keeps established connections alive:</p>
<div id="crayon-5a406131950b8467634178" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950b8467634178-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950b8467634178-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">complete</span><span class="crayon-o">-</span><span class="crayon-v">reload</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>Check the settings to ensure your interfaces are listed in the correct zone. An interface in the wrong zone gets the wrong policy; the public NIC landing in the internal zone would expose the LAN services opened later to the internet:</p>
<div id="crayon-5a406131950c7260583509" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950c7260583509-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950c7260583509-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">list</span><span class="crayon-o">-</span><span class="crayon-v">all</span><span class="crayon-o">-</span><span class="crayon-v">zones</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>If you have made a mistake you can remove the interface from the zone, for example if eth0 had been added to the internal zone. The command below changes only the runtime configuration; repeat it with <span style="font-family: 'courier new', courier;">--permanent</span>, otherwise the binding comes back at the next reload:</p>
<div id="crayon-5a406131950d6381609591" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950d6381609591-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950d6381609591-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">remove</span><span class="crayon-o">-</span><span class="crayon-t">interface</span><span class="crayon-o">=</span><span class="crayon-v">eth0</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>Configure masquerading on the externally facing device (eth0). The external zone ships with masquerading already enabled, so on an unmodified zone this changes nothing, but it is harmless and makes the intent explicit. Enabling masquerade on a zone makes firewalld add two things: a nat rule that rewrites the source address of everything leaving through that zone's interfaces, and a filter rule that accepts forwarded traffic out through them; the second is what lets packets from the private network pass the FORWARD chain at all:</p>
<div id="crayon-5a406131950e5863777983" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950e5863777983-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950e5863777983-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">external </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">masquerade </span><span class="crayon-o">--</span><span class="crayon-v">permanent</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>Now the explicit NAT rule. As noted in the comments on the original post, it is not required once zone-level masquerading is in place, and the two overlap: the direct passthrough rule below is inserted at the top of the nat POSTROUTING chain and masquerades only packets from 192.168.0.0/24 leaving via eth0, while the zone rule masquerades everything leaving via eth0. The narrower source match is the better habit, since it stops the gateway from NATing traffic that did not originate on the private network. Keep in mind that direct passthrough rules bypass firewalld's zone model entirely and only touch the nat table, so on their own they do not allow anything through the FORWARD chain:</p>
<div id="crayon-5a406131950f4224595501" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a406131950f4224595501-1"><span style="font-family: 'courier new', courier;">1</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a406131950f4224595501-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">direct </span><span class="crayon-o">--</span><span class="crayon-e">passthrough </span><span class="crayon-v">ipv4 </span><span class="crayon-o">-</span><span class="crayon-i">t </span><span class="crayon-v">nat </span><span class="crayon-o">-</span><span class="crayon-i">I </span><span class="crayon-v">POSTROUTING </span><span class="crayon-o">-</span><span class="crayon-i">o </span><span class="crayon-v">eth0 </span><span class="crayon-o">-</span><span class="crayon-i">j </span><span class="crayon-v">MASQUERADE </span><span class="crayon-o">-</span><span class="crayon-i">s </span><span class="crayon-cn">192.168.0.0</span><span class="crayon-o">/</span><span class="crayon-cn">24</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>I was running DNS, DHCP, PXE and several other services from RTR001 to serve the internal computers, so I opened those ports on the internal zone only. Nothing here touches the external zone, which keeps these services (TFTP and NFS in particular have no business being reachable from the internet) limited to the private side:</p>
<div id="crayon-5a40613195103828902881" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums " data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a40613195103828902881-1"><span style="font-family: 'courier new', courier;">1</span></div> <div class="crayon-num crayon-striped-num"
data-line="crayon-5a40613195103828902881-2"><span style="font-family: 'courier new', courier;">2</span></div> <div class="crayon-num" data-line="crayon-5a40613195103828902881-3"><span style="font-family: 'courier new', courier;">3</span></div> <div class="crayon-num crayon-striped-num" data-line="crayon-5a40613195103828902881-4"><span style="font-family: 'courier new', courier;">4</span></div> <div class="crayon-num" data-line="crayon-5a40613195103828902881-5"><span style="font-family: 'courier new', courier;">5</span></div> <div class="crayon-num crayon-striped-num" data-line="crayon-5a40613195103828902881-6"><span style="font-family: 'courier new', courier;">6</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a40613195103828902881-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">dhcp</span></span></div> <div id="crayon-5a40613195103828902881-2" class="crayon-line crayon-striped-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span 
class="crayon-e">tftp</span></span></div> <div id="crayon-5a40613195103828902881-3" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">dns</span></span></div> <div id="crayon-5a40613195103828902881-4" class="crayon-line crayon-striped-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">http</span></span></div> <div id="crayon-5a40613195103828902881-5" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-e">nfs</span></span></div> <div 
id="crayon-5a40613195103828902881-6" class="crayon-line crayon-striped-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">permanent </span><span class="crayon-o">--</span><span class="crayon-v">zone</span><span class="crayon-o">=</span><span class="crayon-v">internal </span><span class="crayon-o">--</span><span class="crayon-v">add</span><span class="crayon-o">-</span><span class="crayon-v">service</span><span class="crayon-o">=</span><span class="crayon-v">ssh</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div> <p>Reload the firewall rules and test pings from the internal machines:</p> <div id="crayon-5a40613195113132543345" class="crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover"> <div class="crayon-plain-wrap"> </div> <div class="crayon-main"> <table class="crayon-table"> <tbody> <tr class="crayon-row"> <td class="crayon-nums" data-settings="show"> <div class="crayon-nums-content"> <div class="crayon-num" data-line="crayon-5a40613195113132543345-1"><span style="font-family: 'courier new', courier;">1</span></div> <div class="crayon-num crayon-striped-num" data-line="crayon-5a40613195113132543345-2"><span style="font-family: 'courier new', courier;">2</span></div> </div> </td> <td class="crayon-code"> <div class="crayon-pre"> <div id="crayon-5a40613195113132543345-1" class="crayon-line"><span style="font-family: 'courier new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">complete</span><span class="crayon-o">-</span><span class="crayon-e">reload</span></span></div> <div id="crayon-5a40613195113132543345-2" class="crayon-line crayon-striped-line"><span style="font-family: 'courier 
new', courier;"><span class="crayon-v">firewall</span><span class="crayon-o">-</span><span class="crayon-v">cmd </span><span class="crayon-o">--</span><span class="crayon-v">list</span><span class="crayon-o">-</span><span class="crayon-v">all</span><span class="crayon-o">-</span><span class="crayon-v">zones</span></span></div> </div> </td> </tr> </tbody> </table> </div> </div>
<p>----------------------------------------------------------- Tested by lufy -------------------------------------------------------------------------------</p> <p>In short,</p> <p>4 essential steps:</p> <p><span style="font-family: 'courier new', courier;">1. echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf</span></p> <p><span style="font-family: 'courier new', courier;">2. sysctl -p</span></p> <p><span style="font-family: 'courier new', courier;">3. firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE -s 172.16.0.0/16</span></p> <p><span style="font-family: 'courier new', courier;">4. firewall-cmd --complete-reload</span></p> <p>------------------------------------------------------------------------------------------------------------------------------------------------------------</p>
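<p>The verification step of the procedure above is to eyeball <span style="font-family: 'courier new', courier;">firewall-cmd --list-all-zones</span>, and the properties that matter most for security (nothing beyond ssh reachable on the external zone, the public NIC not bound to the internal zone, masquerading on external only, forwarding actually switched on) are easy to miss in that output. The script below is an added example written for this page; it is not code from the original post or from lufy's test. It parses a zone listing into a pass/fail audit of the layout the article builds (eth0 in external, eth1 in internal) and has a <span style="font-family: 'courier new', courier;">live_audit</span> wrapper that runs the same checks on a real gateway, for both the runtime and the permanent configuration, together with the kernel forwarding switch. The two listings embedded in it are constructed to mimic firewalld 0.4.x output on CentOS 7 (one correct, one with the mistakes the article warns about); the script name, the function names and the interface names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit a firewalld zone listing
# for the NAT-gateway layout above. Usage on the gateway, as root:
#   sh nat_audit.sh eth0 eth1      (file and interface names are assumptions)
# With no arguments only the functions and the constructed samples are defined.

# CONSTRUCTED `firewall-cmd --list-all-zones` output in firewalld 0.4.x format,
# trimmed to the two zones in play: the intended end state.
SAMPLE_GOOD='external (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh
  masquerade: yes

internal (active)
  target: default
  interfaces: eth1
  sources:
  services: dhcp dns http nfs ssh tftp
  masquerade: no
'

# CONSTRUCTED listing with the mistakes the article warns about: eth0 landed
# in the internal zone (so external is empty) and nfs was opened to the world.
SAMPLE_BAD='external (active)
  target: default
  interfaces:
  services: ssh nfs
  masquerade: yes

internal (active)
  target: default
  interfaces: eth0 eth1
  services: dhcp dns http nfs ssh tftp
  masquerade: no
'

# zone_field ZONE FIELD LISTING: print FIELD's value from ZONE's block. Zone
# headers are unindented ("external" or "external (active)"); fields are
# indented "name: value" lines. Prints nothing if zone or field is absent.
zone_field() {
    printf '%s\n' "$3" | awk -v zone="$1" -v field="$2" '
        /^[^ \t]/ { inzone = ($1 == zone); next }
        inzone && $1 == (field ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    '
}

# has_word WORD LIST: true if WORD is one of the space-separated items in LIST.
has_word() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_nat_zones EXT_IF INT_IF LISTING: compare LISTING with the layout the
# article builds. Prints one FAIL line per problem and returns the problem
# count, so an exit status of 0 means the gateway is wired as intended.
audit_nat_zones() {
    ext_if=$1; int_if=$2; listing=$3; problems=0
    ext_ifaces=$(zone_field external interfaces "$listing")
    int_ifaces=$(zone_field internal interfaces "$listing")

    # Interface placement: the public NIC in external, the LAN NIC in internal.
    has_word "$ext_if" "$ext_ifaces" || { echo "FAIL: $ext_if is not in zone external"; problems=$((problems + 1)); }
    if has_word "$ext_if" "$int_ifaces"; then
        echo "FAIL: $ext_if is in zone internal; fix with --zone=internal --remove-interface=$ext_if --permanent"
        problems=$((problems + 1))
    fi
    has_word "$int_if" "$int_ifaces" || { echo "FAIL: $int_if is not in zone internal"; problems=$((problems + 1)); }

    # Masquerading belongs on the external zone and nowhere else.
    [ "$(zone_field external masquerade "$listing")" = "yes" ] || { echo "FAIL: masquerade is off in zone external"; problems=$((problems + 1)); }
    [ "$(zone_field internal masquerade "$listing")" != "yes" ] || { echo "FAIL: masquerade is on in zone internal"; problems=$((problems + 1)); }

    # Internet-facing exposure: external should offer nothing but ssh; the LAN
    # services (dhcp, tftp, nfs, ...) are meant to be reachable from internal only.
    for svc in $(zone_field external services "$listing"); do
        [ "$svc" = "ssh" ] || { echo "FAIL: service $svc is exposed on zone external"; problems=$((problems + 1)); }
    done
    return "$problems"
}

# live_audit EXT_IF INT_IF: the same checks against the running firewalld, for
# both runtime and permanent configuration, plus the kernel-side forwarding
# switch the article relies on. Skips itself where firewall-cmd is absent.
live_audit() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; live audit skipped"; return 0; }
    [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || echo "FAIL: net.ipv4.ip_forward is not 1"
    grep -qs '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf /etc/sysctl.d/*.conf \
        || echo "WARN: ip_forward=1 is not persisted in /etc/sysctl.conf or /etc/sysctl.d/"
    audit_nat_zones "$1" "$2" "$(firewall-cmd --list-all-zones)" && echo "OK: runtime zones"
    audit_nat_zones "$1" "$2" "$(firewall-cmd --permanent --list-all-zones)" && echo "OK: permanent zones"
    # Every MASQUERADE rule in the nat table: the zone rule sits in
    # POST_external_allow, the direct rule (with its -s prefix) in POSTROUTING.
    iptables -t nat -S | grep MASQUERADE
}

if [ "$#" -eq 2 ]; then live_audit "$1" "$2"; fi
```

<p>Run it on the gateway after the reload; a non-zero exit status from <span style="font-family: 'courier new', courier;">audit_nat_zones</span> is the number of problems found, and each FAIL line names the firewall-cmd change that fixes it. Checking the permanent configuration separately from the runtime one catches the case the article's <span style="font-family: 'courier new', courier;">--remove-interface</span> example leaves open: a runtime fix that is silently undone by the next reload.</p>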