Yves' Blog

CentOS 7 - NAT Router basic configuration

It has been quite a while since I needed to create a CentOS based NAT router, and with all the changes to network configuration in CentOS and RHEL 7 it took me a while. Normally most of what I deal with is either a core router or NSX based (DLR or ESG), so I decided to do a little writeup. I used the CentOS 7 minimal installation as the starting point, as I also want to reduce the attack surface.

If required, change the hostname:

vi /etc/hostname

If you don't know your interface configuration, you can run:

nmcli device show

If necessary, make changes to the network configuration; the files can be found in /etc/sysconfig/network-scripts/ifcfg-INTERFACENAME. Always ensure that ONBOOT is set to yes, otherwise the interface will not come up at boot. If any configuration changes were made, restart the network:

systemctl restart network

Note which interface is going to be used as the public and which as the private interface. In my case I will use ens192 as the private interface and ens224 as the public interface.

Next we need to enable IP forwarding in the kernel. Create a drop-in file under /etc/sysctl.d so the setting survives reboots:

vi /etc/sysctl.d/ip_forward.conf

and add the following line:

net.ipv4.ip_forward = 1

Activate the change without rebooting:

sysctl -p /etc/sysctl.d/ip_forward.conf

The next step is to configure the firewall to masquerade traffic from the private network out of the public interface (ens224 is the public interface and 10.73.0.0/24 is the private network I will allow). A direct passthrough rule is handed to iptables as written and sits outside firewalld's zone model, so restricting it to the private source network with -s matters; without it anything routed through the box would be masqueraded:

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens224 -j MASQUERADE -s 10.73.0.0/24

Assign the public interface to the external firewall zone. Be aware that firewalld's external zone allows the ssh service by default, so the router will accept SSH from the public side until you remove it with firewall-cmd --zone=external --remove-service=ssh --permanent if you do not need that:

firewall-cmd --change-interface=ens224 --zone=external --permanent

The private interface then falls into the default zone, which should be internal (this setting takes effect immediately and is also stored permanently):

firewall-cmd --set-default-zone=internal

Reload the firewall so the permanent configuration becomes active. A plain --reload is enough and keeps established connections; --complete-reload also drops the connection tracking state, which will most likely terminate active connections, so on an in-use router prefer --reload:

firewall-cmd --complete-reload

Restart the networking and firewall services so both pick up the permanent settings:

systemctl restart network && systemctl restart firewalld

Verify the firewall settings; the first command shows the default (internal) zone, the second the external zone, where masquerade should read yes and ens224 should be listed under interfaces:

firewall-cmd --list-all
firewall-cmd --list-all --zone=external
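To go beyond eyeballing --list-all, here is a small post-configuration check script for the router set up above. It is my added example, not part of the original post: it assumes the article's values (public interface ens224, private network 10.73.0.0/24, overridable through PUB_IF and PRIV_NET), and verifies the three things that must hold for the NAT to work (forwarding on, a permanent MASQUERADE passthrough for the private network via the public interface, the public interface in the external zone) plus one thing you probably do not want (ssh still allowed on the external zone). The check functions take command output as an argument, so they can be exercised offline on the constructed sample text at the bottom; with --live they query sysctl and firewall-cmd on the router itself.

```bash
#!/usr/bin/env bash
# Added post-configuration check for the CentOS 7 NAT router (example code, not from
# the original post). Assumed values, as in the article: PUB_IF=ens224,
# PRIV_NET=10.73.0.0/24; override them in the environment for other setups.
# Run as root with --live on the router; without arguments it only exercises the
# check functions on constructed sample output.

PUB_IF="${PUB_IF:-ens224}"
PRIV_NET="${PRIV_NET:-10.73.0.0/24}"

# Succeeds when $1 (output of `sysctl net.ipv4.ip_forward`) reports forwarding on.
forwarding_enabled() {
  printf '%s\n' "$1" | grep -qE '^net\.ipv4\.ip_forward *= *1$'
}

# Succeeds when $1 (output of `firewall-cmd --permanent --direct --get-all-passthroughs`)
# contains an ipv4 nat POSTROUTING rule that masquerades PRIV_NET out of PUB_IF.
# Each token is matched on its own, so the argument order in the rule does not matter.
masquerade_rule_present() {
  local line ok tok
  while IFS= read -r line; do
    case "$line" in ipv4\ *) ;; *) continue ;; esac
    ok=1
    for tok in "-t nat" "POSTROUTING" "-o $PUB_IF" "-j MASQUERADE" "-s $PRIV_NET"; do
      case " $line " in *" $tok "*) ;; *) ok=0 ;; esac
    done
    [ "$ok" = 1 ] && return 0
  done <<EOF
$1
EOF
  return 1
}

# Succeeds when the `services:` line of $1 (output of
# `firewall-cmd --zone=external --list-all`) includes ssh, i.e. SSH is reachable
# from the public side.
external_exposes_ssh() {
  printf '%s\n' "$1" | grep -E '^ *services:' | grep -qw ssh
}

# Run every check against the live system; returns non-zero on any hard failure.
run_checks() {
  local fail=0
  forwarding_enabled "$(sysctl net.ipv4.ip_forward 2>/dev/null)" \
    || { echo "FAIL: net.ipv4.ip_forward is not 1"; fail=1; }
  masquerade_rule_present "$(firewall-cmd --permanent --direct --get-all-passthroughs 2>/dev/null)" \
    || { echo "FAIL: no permanent MASQUERADE passthrough for $PRIV_NET via $PUB_IF"; fail=1; }
  [ "$(firewall-cmd --get-zone-of-interface "$PUB_IF" 2>/dev/null)" = external ] \
    || { echo "FAIL: $PUB_IF is not in the external zone"; fail=1; }
  if external_exposes_ssh "$(firewall-cmd --zone=external --list-all 2>/dev/null)"; then
    echo "WARN: ssh is allowed on the external zone (firewalld default);" \
         "remove it with: firewall-cmd --zone=external --remove-service=ssh --permanent"
  fi
  return "$fail"
}

# Constructed sample output (not captured from a real host) for the offline run.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_PASSTHROUGHS='ipv4 -t nat -I POSTROUTING -o ens224 -j MASQUERADE -s 10.73.0.0/24'
SAMPLE_EXTERNAL_ZONE='external (active)
  target: default
  interfaces: ens224
  sources:
  services: ssh
  ports:
  masquerade: yes
  rich rules:'

if [ "${1:-}" = "--live" ]; then
  run_checks
else
  forwarding_enabled "$SAMPLE_SYSCTL" && echo "sample: forwarding enabled"
  masquerade_rule_present "$SAMPLE_PASSTHROUGHS" && echo "sample: masquerade rule present"
  external_exposes_ssh "$SAMPLE_EXTERNAL_ZONE" && echo "sample: WARN, ssh exposed on external zone"
fi
```

The masquerade check deliberately looks only at the permanent direct rules, because that is where the article puts the NAT rule; a runtime-only rule would disappear at the next reload, which is exactly the kind of drift this script is meant to catch after a reboot.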