Thursday, April 13, 2017

Simple NAT gateway on CentOS 7.

Quite often there is a need to set up a simple NAT gateway for different purposes (mostly for test environments, or when we lack network equipment that could be used instead).

This example shows how to configure a NAT gateway based on a CentOS 7 server using firewalld. To operate the firewalld daemon we will use the firewall-cmd client.

According to official description from firewalld.org (http://www.firewalld.org/documentation/man-pages/firewall-cmd.html):

"The firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.

The runtime configuration in firewalld is separated from the permanent configuration. This means that things can get changed in the runtime or permanent configuration."

Source configuration consists of two servers:

1) gw01.test.lab
   eth0 - DHCP configuration received from ISP.
   eth1 - 10.0.0.1/24

2) srv01.test.lab
   eth0 - 10.0.0.2/24 (GW 10.0.0.1 and DNS servers from ISP).

The steps below walk through the configuration step by step.

Step 1. Enable packet forwarding.

Modify the /etc/sysctl.conf file with your favorite text editor, adding the parameter specified below:

net.ipv4.ip_forward = 1

To avoid a reboot, apply the same change on the fly using sysctl:

sysctl -w net.ipv4.ip_forward=1

After sysctl.conf has been modified, load the changes from the file:

sysctl -p /etc/sysctl.conf


Step 2. Add network interfaces to the proper zones using firewall-cmd.

firewall-cmd --zone=external --add-interface=eth0 --permanent
firewall-cmd --zone=internal --add-interface=eth1 --permanent


If a mistake was made, you can always delete a wrong assignment using the following command:

firewall-cmd --zone=<zone name> --remove-interface=<interface name>


Step 3. Reload the firewall configuration

firewall-cmd --reload

Step 4. Check that the configuration was accepted

firewall-cmd --list-all-zones

Step 5. Enable masquerade for the interfaces that are in the external zone

IP Masquerade is a networking function in Linux similar to the one-to-many (1:many) NAT (Network Address Translation) found in many commercial firewalls and network routers. For example, if a Linux host is connected to the Internet via PPP, Ethernet, etc., IP Masquerade allows other "internal" computers connected to this Linux box (via PPP, Ethernet, etc.) to reach the Internet as well.

firewall-cmd --zone=external --add-masquerade --permanent

Step 6. Configure the NAT rule for the external interface on the gateway server

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 10.0.0.0/24

Step 7. Allow traffic for specific services in the internal zone

firewall-cmd --permanent --zone=internal --add-service=<service name>

In my case only dns and ssh needed to be allowed:

firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=ssh

Step 8. Reload the configuration once again

firewall-cmd --reload
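As an added check after the final reload (my own helper, not part of the original post), the POSIX shell functions below parse the output of firewall-cmd --zone=external --list-all and verify the external zone: eth0 assigned, masquerade on, and no service exposed that you did not explicitly allow. Function and variable names are mine, and the sample output is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added helper: verify the gateway's external zone from `firewall-cmd --list-all`
# output. Names are hypothetical; the sample output below is constructed.

# Print the value of one "key:" line from --list-all output ($1 = output, $2 = key).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}
# Succeed if the zone lists interface $2 on its "interfaces:" line.
zone_has_interface() {
    for ifc in $(zone_field "$1" interfaces); do
        [ "$ifc" = "$2" ] && return 0
    done
    return 1
}
# Succeed if masquerade is enabled in the zone.
zone_masquerade_on() {
    [ "$(zone_field "$1" masquerade)" = "yes" ]
}
# Print every service the zone exposes that is not in the allowed list $2
# (space separated). Note that firewalld's external zone allows ssh by default.
zone_unexpected_services() {
    for svc in $(zone_field "$1" services); do
        case " $2 " in *" $svc "*) ;; *) printf '%s\n' "$svc" ;; esac
    done
}
# Overall check: 0 = zone looks right for a NAT gateway, 1 = something to fix.
# $1 = --list-all output, $2 = external interface, $3 = allowed services.
check_external_zone() {
    zone_has_interface "$1" "$2" || { echo "interface $2 not in zone"; return 1; }
    zone_masquerade_on "$1" || { echo "masquerade is off"; return 1; }
    extra=$(zone_unexpected_services "$1" "$3")
    [ -z "$extra" ] || { echo "unexpected services exposed: $extra"; return 1; }
    return 0
}

# Constructed (abridged) sample, shaped like firewalld on CentOS 7 after steps 2-8.
SAMPLE_EXTERNAL='external (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  rich rules:'

# On a live gateway (as root, allowing nothing from the ISP side):
#   check_external_zone "$(firewall-cmd --zone=external --list-all)" eth0 ""
```

Because the external zone ships with ssh allowed, the sample fails the check unless ssh is passed in the allowed list; decide deliberately whether SSH should be reachable from the ISP-facing interface at all.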

Hope this helps someone with a quick NAT gateway configuration.

Thanks and more articles coming soon!

2 comments:

  1. This comment has been removed by the author.
  2. What is the difference between your method and this one?
    https://devops.ionos.com/tutorials/deploy-outbound-nat-gateway-on-centos-7/