Working with 4 machines: 3 are on LAN segments (2 CentOS 7 and one Server 2012), and the other is acting as a router.
I need to give them access to the outside internet.
I need a refresher on this; I can't remember how to do it.
access to outside network refresher
Last edited by raniraoof on 2020/07/21 01:11:31, edited 1 time in total.
Re: access to outside network refresher
view of iproute from router machine
Re: access to outside network refresher
Please do not post bitmaps. Copy-paste text. It is more interoperable.
A router requires three things:
1. Routes (that you already have)
2. Routing (i.e. forwarding) enabled
3. Firewall (netfilter) rules to allow forwarded traffic

CentOS 7 has by default the NetworkManager and firewalld services.
Intro to firewalld: https://access.redhat.com/documentation ... _firewalls
However, the RHEL 8 documentation: https://access.redhat.com/documentation ... h-nftables
essentially writes:

Important: To avoid that the different firewall services influence each other, run only one of them on a RHEL host, and disable the other services.
- firewalld: Use the firewalld utility to configure a firewall on workstations. The utility is easy to use and covers the typical use cases for this scenario.
- iptables: Use the iptables utility to set up complex firewalls, such as for a whole network.

If there were a simple "edge router" with LAN and WAN that would NAT the outgoing traffic, then firewalld would allow:
(assuming the name of the WAN connection in NetworkManager is "ens33" and the LANs are ens[36-38])

```
sudo nmcli con mod ens33 connection.zone external
sudo nmcli con mod ens36 connection.zone trusted
sudo nmcli con mod ens37 connection.zone trusted
sudo nmcli con mod ens38 connection.zone trusted
```

The firewalld zone "external" enables routing and masquerades (SNAT) outgoing traffic. Only ssh is allowed into the router from the WAN. New connections from the WAN to the LAN are rejected.
Everything is allowed from the trusted zone (the LANs) into the router, and everything is forwarded too.

If you don't have SNAT on ens33 and/or do not want one LAN to talk to another LAN, then IMHO it is better to craft the firewall rules with iptables.service.

Explicitly enable the routing:

```
$ cat /etc/sysctl.d/router.conf
net.ipv4.ip_forward = 1
```

The gist of the FORWARD rules:

```
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i ens36 -o ens33 -j ACCEPT
-A FORWARD -i ens37 -o ens33 -j ACCEPT
-A FORWARD -i ens38 -o ens33 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
```

Commands to see what you have:

```
nmcli
nmcli dev s
nmcli con s
nmcli con s $name_of_connection
firewall-cmd --get-active-zones
iptables -S
iptables -t nat -S
```
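As an added example (not the forum poster's code), here is a small POSIX sh script for the iptables.service variant of the answer: it generates the FORWARD rules for one WAN and any number of LAN interfaces (so LAN-to-LAN stays rejected, as the post wants), emits the POSTROUTING MASQUERADE rule that the firewalld "external" zone would otherwise provide (an assumption that NAT is wanted on the WAN side), and checks a saved `iptables -S FORWARD` dump and sysctl text the way you would before trusting the router, including the rule-order case where an ACCEPT placed after the catch-all REJECT never fires. The interface names are the post's; the sample dump and sysctl lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the forum poster's code. Interface names (ens33 WAN,
# ens36-ens38 LANs) follow the post; the sample dump and sysctl text are
# constructed for the demo.

# Emit FORWARD rules in iptables-restore syntax, LAN -> WAN only.
# Nothing is emitted for LAN -> LAN, so that traffic hits the final REJECT.
# Usage: gen_forward_rules WAN LAN [LAN...]
gen_forward_rules() {
    gfr_wan="$1"; shift
    printf '%s\n' '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for gfr_lan in "$@"; do
        printf '%s\n' "-A FORWARD -i $gfr_lan -o $gfr_wan -j ACCEPT"
    done
    printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
}

# Emit the source NAT that the firewalld "external" zone would otherwise add
# (assumption: private LAN addresses must be hidden behind the WAN address).
# Usage: gen_nat_rules WAN
gen_nat_rules() {
    printf '%s\n' "-A POSTROUTING -o $1 -j MASQUERADE"
}

# Read sysctl-style text on stdin; succeed only if the last
# net.ipv4.ip_forward setting is 1 (a later line overrides an earlier one).
forward_enabled() {
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' \
        | tail -n 1 | grep -qx 1
}

# Read an `iptables -S FORWARD` dump on stdin; succeed if LAN -> WAN is
# accepted before any catch-all REJECT/DROP (netfilter evaluates in order;
# the conditional "--ctstate INVALID" DROP is not a catch-all).
# Usage: lan_to_wan_allowed LAN WAN < dump
lan_to_wan_allowed() {
    awk -v lan="$1" -v wan="$2" '
        $0 ~ ("-i " lan " -o " wan " -j ACCEPT") { found = 1; exit }
        /-j (REJECT|DROP)/ && $0 !~ /--ctstate INVALID/ { exit }
        END { exit !found }'
}

# Constructed sample: what `iptables -S FORWARD` might print on the router
# if only ens36 had been given an ACCEPT rule.
SAMPLE_DUMP='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens36 -o ens33 -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited'

# Walk through the checks, then print the generated rules.
demo() {
    printf 'net.ipv4.ip_forward = 1\n' | forward_enabled && echo "forwarding: on"
    printf '%s\n' "$SAMPLE_DUMP" | lan_to_wan_allowed ens36 ens33 \
        && echo "ens36 -> ens33: allowed"
    printf '%s\n' "$SAMPLE_DUMP" | lan_to_wan_allowed ens37 ens33 \
        || echo "ens37 -> ens33: blocked (no ACCEPT before the REJECT)"
    echo "--- generated filter rules ---"
    gen_forward_rules ens33 ens36 ens37 ens38
    echo "--- generated nat rules ---"
    gen_nat_rules ens33
}

demo
```

Feed the generator's output into the filter and nat sections of an iptables-restore file rather than running `iptables` by hand, and run the two checks against the live `iptables -S FORWARD` output and `/etc/sysctl.d/router.conf` after a reboot; a router that forwards but has no ACCEPT ahead of the REJECT, or the reverse, looks fine in `nmcli` and only shows up in these two places.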