Gist: walbert947/2abccf590cc32cf107da (last active March 11, 2025 10:24)
Configure a simple IPv4 NAT router on CentOS 7
# NOTE: This gist includes the '.sh' extension to enable syntax highlighting
# on the gist web viewer. However, it is NOT intended to be run as a script.
# These are just notes I took.
################################################################################
#
# CentOS 7 - Simple IPv4 NAT Router
#
# This gist provides a brief walkthrough on setting up a simple NAT router on
# CentOS 7 that will allow multiple machines on an internal network to share
# a single external IPv4 address.
#
# (Other members of the EL 7 family should work as well.)
#
# This gist makes the following assumptions:
# - The router is running a fresh, minimal install of CentOS 7
# - The router has two interfaces: eth0 and eth1
# - The eth0 interface is connected to the public network
# - The eth1 interface is connected to the private network
# - The appropriate interface scripts in /etc/sysconfig/network-scripts have
#   been configured
#
# All commands are intended to be run as root on the machine that will act as
# the NAT router, preferably from the console or over a connection on eth1:
# the firewall reload and interface bounce below will drop any SSH session
# that comes in through eth0.
#
################################################################################
#
# External zone
#
# Review the external zone. By default, ssh is the only listed service and
# masquerading is enabled; that masquerade setting is what provides the NAT.
firewall-cmd --permanent --zone=external --list-all
# OPTIONAL: Remove ssh from the external zone. Only do this if you administer
# the router from the internal side or a console; once the configuration is
# reloaded, SSH from the public network will be dropped.
firewall-cmd --permanent --zone=external --remove-service=ssh
#
# Internal zone
#
# Review the internal zone. By default, several services are allowed.
firewall-cmd --permanent --zone=internal --list-all
# OPTIONAL: Remove all unneeded services from the internal zone.
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
#
# Zone Assignments
#
# Move eth0 to the external zone. (Appending blindly adds a second ZONE= line
# if one already exists; check the file first, or edit the existing line.)
echo 'ZONE=external' >> /etc/sysconfig/network-scripts/ifcfg-eth0
# Move eth1 to the internal zone.
echo 'ZONE=internal' >> /etc/sysconfig/network-scripts/ifcfg-eth1
#
# Apply configuration
#
# Reload the firewall to apply the configuration (WARNING: this drops active
# connections).
firewall-cmd --complete-reload
# Bounce both interfaces so NetworkManager picks up the new ZONE= values.
ifdown eth0 && ifup eth0
ifdown eth1 && ifup eth1
#
# Verification
#
# Verify that the zones are configured with the correct services and
# interfaces: eth0 should appear under "interfaces:" in the external zone
# (with "masquerade: yes") and eth1 under the internal zone.
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=external --list-all
# Traffic should now be forwarding properly between the internal and
# external networks. :)
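As an added example (not part of the gist, and not how its author ran these notes), here is the same procedure as POSIX sh functions with two additions a practitioner usually wants: an idempotent ZONE= assignment that rewrites an existing line instead of appending a duplicate, and a post-reload check that parses `firewall-cmd --list-all` output to confirm eth0 sits in the external zone with masquerading on, eth1 sits in the internal zone, and the kernel is forwarding IPv4. The interface names, zone names and ifcfg paths are the gist's assumptions; the file name `nat-router.sh` is hypothetical, and the `SAMPLE_EXTERNAL` text is a constructed sample of `--list-all` output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original gist: CentOS 7 NAT router steps as
# functions. Assumes the gist's eth0 (public) / eth1 (private) layout.

# set_ifcfg_zone FILE ZONE: ensure FILE has exactly one ZONE= line, set to ZONE.
# Prints the resulting count of ZONE= lines (expected: 1).
set_ifcfg_zone() {
    file=$1 zone=$2
    if grep -q '^ZONE=' "$file"; then
        sed "s/^ZONE=.*/ZONE=$zone/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
    grep -c '^ZONE=' "$file"
}

# zone_field TEXT FIELD: pull the value of one "  field: value" line out of
# `firewall-cmd --zone=X --list-all` output held in TEXT.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_ok TEXT IFACE MASQ: succeed if IFACE is bound to the zone described by
# TEXT and the zone's masquerade flag equals MASQ ("yes" or "no").
zone_ok() {
    case " $(zone_field "$1" interfaces) " in
        *" $2 "*) ;;
        *) return 1 ;;
    esac
    [ "$(zone_field "$1" masquerade)" = "$3" ]
}

# Constructed sample of `firewall-cmd --zone=external --list-all` after the
# steps above, with ssh left in place (not captured from a real router).
SAMPLE_EXTERNAL='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# configure_router: the gist's steps, to be run as root from the console.
# The optional removal of ssh from the external zone is left out so a
# public-side SSH session is not locked out by the reload.
configure_router() {
    for svc in ipp-client mdns samba-client dhcpv6-client; do
        firewall-cmd --permanent --zone=internal --remove-service="$svc"
    done
    set_ifcfg_zone /etc/sysconfig/network-scripts/ifcfg-eth0 external >/dev/null
    set_ifcfg_zone /etc/sysconfig/network-scripts/ifcfg-eth1 internal >/dev/null
    firewall-cmd --complete-reload      # WARNING: drops active connections
    ifdown eth0 && ifup eth0
    ifdown eth1 && ifup eth1
}

# verify_router: live check that eth0 is in external with masquerade on,
# eth1 is in internal, and the kernel is forwarding IPv4.
verify_router() {
    ext=$(firewall-cmd --zone=external --list-all)
    int=$(firewall-cmd --zone=internal --list-all)
    zone_ok "$ext" eth0 yes || { echo "external: eth0 not bound or masquerade off" >&2; return 1; }
    zone_ok "$int" eth1 no  || { echo "internal: eth1 not bound (or masquerade on)" >&2; return 1; }
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "net.ipv4.ip_forward is 0" >&2; return 1; }
    echo "NAT router zones OK; external services: $(zone_field "$ext" services)"
}

# Usage: sh nat-router.sh apply | verify   (no argument: define functions only)
case "${1-}" in
    apply)  configure_router && verify_router ;;
    verify) verify_router ;;
esac
```

Run `sh nat-router.sh apply` from the router's console, then `sh nat-router.sh verify` after the interfaces come back; `verify` can be re-run at any time and fails loudly if an ifcfg edit did not take or masquerading was switched off on the external zone.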