access to outside network refresher

Issues related to configuring your network
Post Reply
Posts: 12
Joined: 2019/02/12 00:47:50

access to outside network refresher

Post by raniraoof » 2020/07/21 00:28:38

working with 4 machines, 3 that are on LAN segments (2 centos7 and one server 2012). and the other is acting as a router
i need to give them access to the outside internet.
need a refresher on this. I can't remember how to do it
Last edited by raniraoof on 2020/07/21 01:11:31, edited 1 time in total.

Posts: 12
Joined: 2019/02/12 00:47:50

Re: access to outside network refresher

Post by raniraoof » 2020/07/21 00:36:46

Screenshot (1).png
Screenshot (1).png (6.46 KiB) Viewed 76 times
view of iproute from router machine

User avatar
Posts: 2921
Joined: 2007/12/11 08:17:33
Location: Finland

Re: access to outside network refresher

Post by jlehtone » 2020/07/21 07:26:56

Please, do not post bitmaps. Copy-paste text. It is more interoperable.

A router requires three things:
1. Routes (that you already have)
2. Routing (i.e. forwarding) enabled
3. Firewall (netfilter) rules to allow forwarded traffic

CentOS 7 has by default NetworkManager and Firewalld services.
Intro to firewalld: ... _firewalls

However, RHEL 8 documentation: ... h-nftables
essentially writes:
  • firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
  • iptables: Use the iptables utility to set up complex firewalls, such as for a whole network.
Important: To avoid that the different firewall services influence each other, run only one of them on a RHEL host, and disable the other services.
If there were a simple "edge router" with LAN and WAN, and that would NAT the outgoing traffic, then firewalld would allow:
(assuming name of WAN connection in NetworkManager is "ens33" and LANs are ens[36-38])

Code: Select all

sudo nmcli con mod ens33 external
sudo nmcli con mod ens36 trusted
sudo nmcli con mod ens37 trusted
sudo nmcli con mod ens38 trusted
The firewalld zone "external" enables routing and masquerades (sNAT) outgoing traffic. Only ssh is allowed into the router from WAN. New connections from WAN to LAN are rejected.

Everything is allowed from trusted zone (LANs) into the router and everything is forwarded too.

If you don't have sNAT on ens33 and/or do not want one LAN to talk to other LAN, then IMHO it is better to craft the firewall rules with iptables.service.

Explicitly enable the routing:

Code: Select all

$ cat /etc/sysctl.d/router.conf
net.ipv4.ip_forward = 1
The gist of FORWARD rules:

Code: Select all

-A FORWARD -i ens36 -o ens33 -j ACCEPT
-A FORWARD -i ens37 -o ens33 -j ACCEPT
-A FORWARD -i ens38 -o ens33 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
Commands to see what you have:

Code: Select all

nmcli dev s
nmcli con s
nmcli con s $name_of_connection
firewall-cmd --get-active-zones
iptables -S
iptables -t nat -S

Post Reply

Return to “CentOS 7 - Networking Support”