@walbert947
Last active April 9, 2024 15:35
Configure a simple IPv4 NAT router on CentOS 7
# NOTE: This gist includes the '.sh' extension to enable syntax highlighting
# on the gist web viewer. However, it is NOT intended to be run as a script.
# These are just notes I took.
################################################################################
#
# CentOS 7 - Simple IPv4 NAT Router
#
# This gist provides a brief walkthrough on setting up a simple NAT router on
# CentOS 7 that will allow multiple machines on an internal network to share
# a single external IPv4 address.
#
# (Other members of the EL 7 family should work as well.)
#
# This gist makes the following assumptions:
# - The router is running a fresh, minimal install of CentOS 7
# - The router has two interfaces: eth0 and eth1
# - The eth0 interface is connected to the public network
# - The eth1 interface is connected to the private network
# - The appropriate interface scripts in /etc/sysconfig/network-scripts have
# been configured
#
# All commands are intended to be run on the machine that will act as the
# NAT router.
#
################################################################################
#
# External zone
#
# Review the external zone. By default, ssh is listed as a service.
firewall-cmd --permanent --zone=external --list-all
# OPTIONAL: Remove ssh from the external zone.
firewall-cmd --permanent --zone=external --remove-service=ssh
#
# Internal zone
#
# Review the internal zone. By default, there are several allowed services.
firewall-cmd --permanent --zone=internal --list-all
# OPTIONAL: Remove all unneeded services from the internal zone.
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
#
# Zone Assignments
#
# Move eth0 to the external zone.
echo 'ZONE=external' >> /etc/sysconfig/network-scripts/ifcfg-eth0
# Move eth1 to the internal zone.
echo 'ZONE=internal' >> /etc/sysconfig/network-scripts/ifcfg-eth1
#
# Apply configuration
#
# Reload the firewall to apply the configuration (WARNING: will drop traffic).
firewall-cmd --complete-reload
# Bounce both of the interfaces.
ifdown eth0 && ifup eth0
ifdown eth1 && ifup eth1
#
# Verification
#
# Verify that the zones are configured with the correct services and
# interfaces.
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=external --list-all
# Traffic should now be forwarding properly between the internal and
# external networks. :)
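# An added example, not part of walbert947's notes: an offline sanity check of
# the state the reload should leave behind. It parses the text that
# "firewall-cmd --zone=external --list-all" prints; the zone listing embedded
# below is constructed, not captured from a real router.

```sh
# write_sample_zone FILE: write a constructed copy of the external zone
# listing as it should look after eth0 was moved in and ssh removed.
write_sample_zone() {
    cat > "$1" <<'EOF'
external
  target: default
  interfaces: eth0
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports:
  rich rules:
EOF
}

# audit_external_zone FILE IFACE: return 0 when the listing in FILE shows
# IFACE assigned to the zone, masquerade enabled, and no ssh service;
# each failing check is reported on stderr.
audit_external_zone() {
    file="$1"; iface="$2"; rc=0
    # The public interface must appear as a whole word on the "interfaces:" line.
    if ! grep -Eq "^[[:space:]]*interfaces:.*[[:space:]]$iface([[:space:]]|\$)" "$file"; then
        echo "FAIL: $iface is not assigned to the zone" >&2; rc=1
    fi
    # Without masquerading, nothing is translated to the external address.
    if ! grep -Eq "^[[:space:]]*masquerade:[[:space:]]*yes" "$file"; then
        echo "FAIL: masquerade is not enabled" >&2; rc=1
    fi
    # ssh should be gone from the public side once it was removed above.
    if grep -Eq "^[[:space:]]*services:.*[[:space:]]ssh([[:space:]]|\$)" "$file"; then
        echo "FAIL: ssh is still allowed from the public network" >&2; rc=1
    fi
    return "$rc"
}

# check_ip_forward [FILE]: return 0 when kernel forwarding is on. firewalld
# turns it on when masquerading is active; this confirms that it did.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

tmp=$(mktemp)
write_sample_zone "$tmp"
audit_external_zone "$tmp" eth0 && echo "external zone looks right"
rm -f "$tmp"
```

# On the router itself, feed it live output instead of the sample:
# firewall-cmd --zone=external --list-all > /tmp/ext.txt && audit_external_zone /tmp/ext.txt eth0 && check_ip_forward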