[SOLVED] Configuring firewalld to act as a router

Issues related to configuring your network
Post Reply
emddudley
Posts: 6
Joined: 2015/07/23 13:32:18

[SOLVED] Configuring firewalld to act as a router

Post by emddudley » 2015/08/18 21:07:08

I'd like to configure my CentOS 7 machine to act as a router between an LAN and a WAN (I have two NICs). I want machines on my LAN to be able to communicate with machines on the WAN transparently. For example I'd like a LAN machine to be able to ping a WAN machine.

It seems that I would use firewalld for this? I'm having trouble configuring it. I have no experience with firewalld or iptables but I have looked through these resources:
EDIT: See the solution below.

So far I have tried to:

* Enable IP forwarding by adding net.ipv4.ip_forward=1 to /etc/sysctl.d/router.conf and running sudo sysctl -p.
* Add my LAN interface to the internal zone and my WAN interface to the external zone, by adding ZONE=<zone> to the appropriate scripts under /etc/sysconfig/network-scripts
* Enable masquerading on the external zone by running firewall-cmd --permanent--zone=external --add-masquerade

I think I need to add a direct interface now? This is where I'm stuck, I'm not sure what to do.

I've seen sample commands like the following: firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -i eth0 -o eth1 -j MASQUERADE

Is this the right track? Thank you!
Last edited by emddudley on 2015/08/20 15:25:31, edited 1 time in total.

aks
Posts: 2529
Joined: 2014/09/20 11:22:14

Re: Configuring firewalld to act as a router

Post by aks » 2015/08/19 16:15:35

firewalld is a firewall - not a router. The Linux network stack can be a router by enabling forwarding (as you know). You seem to be a little confused about the "separation of concerns".
If you have a NIC with a valid IP address on the same exit network as your WAN connection and you have a NIC with a valid IP address on your internet network, then you only have to allow ICMP echo throught the firewall - this assumes that the end nodes do reply to pings and it's not blocked elsewhere.

Going down the NAT (MASQ) route things get a little more complex. If you exit point is controlled by (say) a JunOS or ScreenOS firewall/router that's also providing NAT services, you can't exit "pretending" to have originated from the outside (well you probably can but that is going to be very complex), that's a fundamental security violation. If you NAT your (local) connection and there is no other NAT in the way (including possibly ISP provided NAT - which they all seem to do) you could use firewalld to provide your NAT services to be able to reach an end point outside your network.

What are you trying to do? Why do you want to do this thing?

emddudley
Posts: 6
Joined: 2015/07/23 13:32:18

Re: Configuring firewalld to act as a router

Post by emddudley » 2015/08/19 19:16:04

I want to configure a CentOS machine to act just like an off-the-shelf hardware router.

The machine has two NICs (LAN and WAN) and will be running a DHCP daemon on the LAN side. The server's WAN interface is assigned an address by a different DHCP server on the WAN side. I want LAN clients to be able to communicate with resources on the WAN side via any protocol (ICMP, UDP, HTTP).

Thank you for your response!

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Configuring firewalld to act as a router

Post by gerald_clark » 2015/08/19 23:03:39

Yous should just buy a router or run canned router software, as you don't seem to understand
the security implications of building your own router.

emddudley
Posts: 6
Joined: 2015/07/23 13:32:18

Re: Configuring firewalld to act as a router

Post by emddudley » 2015/08/20 13:55:26

Yous should just buy a router or run canned router software, as you don't seem to understand the security implications of building your own router.
gerald_clark, do you have any resources on security that you'd recommend? The RHEL 7 Security Guide seems pretty thorough, do you think it is insufficient?

Since my last post I have discovered that iptables appears to suit my needs, when I configure it with the following (where eth0 is my external interface and eth1 is my internal interface):

Code: Select all

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
I am now trying to figure out what I need to do in order for DNS resolution to work on my private LAN.

emddudley
Posts: 6
Joined: 2015/07/23 13:32:18

[SOLVED] Configuring firewalld to act as a router

Post by emddudley » 2015/08/20 15:16:54

OK, things appear to be working. Here's what I needed to do in order to configure firewalld on CentOS 7 to route packets from an internal network to an external network.

I'd be glad for any comments on caveats and security implications for this setup. As I understand it, these rules will permit machines on the internal network to send NATed packets to machines on the external network, and will also permit responses back. Machines on the external network will not be able to initiate communications with machines on the internal network.
  1. Enable IPv4 packet forwarding.
    1. Add the following to /etc/sysctl.conf: net.ipv4.ip_forward = 1
    2. Apply the sysctl settings: sysctl -p
  2. Add direct rules to firewalld. Add the --permanent option to keep these rules across restarts.
    firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth_ext -j MASQUERADE
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_int -o eth_ext -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_ext -o eth_int -m state --state RELATED,ESTABLISHED -j ACCEPT
  3. Configure DNS. My machine is running a DHCP server so I configured it to provide the address of the DNS server on my external LAN.

Post Reply