Max Pyziur
2015-Jun-28 18:50 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
Greetings,

I'm rebuilding a machine to function as a gateway/router to Verizon DSL.

It has two NICs, eth0 and eth1 (static, set to 192.168.1.1). eth0 connects to the DSL modem.

I've set up Verizon DSL using pppoe-setup, and it works.

I can connect from home machines to the server (192.168.1.1); while logged in to the server, I can connect to both the internet and the home machines.

But ... I can't connect from the home machines directly to the Internet.

I have set
    net.ipv4.ip_forward = 1
in /etc/sysctl.conf

I haven't set up the firewall yet (dangerous, I know) until I get the connectivity working.

I'm obviously overlooking some other configuration settings required for machines inside the network to be able to connect through the gateway/router.

Thanks for any advice in advance.

Max Pyziur
pyz at brama.com
Listman
2015-Jun-28 19:20 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
You need NAT setup on the server.

ZK

> On Jun 28, 2015, at 2:50 PM, Max Pyziur <pyz at brama.com> wrote:
>
> Greetings,
>
> I'm rebuilding a machine to function as a gateway/router to Verizon DSL.
>
> It has two NICs eth0 and eth1 (static set to 192.168.1.1).
>
> eth0 connects to the DSL modem.
>
> I've setup Verizon DSL using pppoe-setup, and it works.
>
> I can connect from home machines to the server (192.168.1.1); while logged in to the server, I can connect to both the internet, and the home machines.
>
> But ...
>
> I can't connect from the home machines directly to the Internet.
>
> I have set
> net.ipv4.ip_forward = 1
> in /etc/sysctl.conf
>
> I haven't setup the firewall yet (dangerous, I know) until I get the connectivity working.
>
> I'm obviously overlooking some other configuration settings required for machines inside the network being able to connect through the gateway/router.
>
> Thanks for any advice in advance.
>
> Max Pyziur
> pyz at brama.com
Alexander Dalloz
2015-Jun-28 19:20 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 28.06.2015 at 20:50, Max Pyziur wrote:
[ ... ]
> I can't connect from the home machines directly to the Internet.
>
> I have set
> net.ipv4.ip_forward = 1
> in /etc/sysctl.conf
>
> I haven't setup the firewall yet (dangerous, I know) until I get the
> connectivity working.

Part of the firewall setup (iptables) is to configure masquerading. That's your issue: the missing masquerading of the traffic from the LAN hosts through the gateway.

> I'm obviously overlooking some other configuration settings required for
> machines inside the network being able to connect through the
> gateway/router.
>
> Thanks for any advice in advance.
>
> Max Pyziur
> pyz at brama.com

Alexander
Brian Miller
2015-Jun-28 19:32 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:
> I haven't setup the firewall yet (dangerous, I know) until I get the
> connectivity working.
>
> I'm obviously overlooking some other configuration settings required for
> machines inside the network being able to connect through the
> gateway/router.

As others have pointed out, you're either missing a NAT layer or you got a large enough IP allocation to subnet and you haven't set up routing. Probably safe to assume it's NAT.

I'd suggest at a minimum you install something like shorewall to assist in managing your firewall and IP masquerading tasks. It's available in EPEL, is very well documented, and provides enough built-in sanity checks to protect you against making some silly (and some not so silly) mistakes in your firewall management.
Max Pyziur
2015-Jun-28 22:49 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On Sun, 28 Jun 2015, Brian Miller wrote:
> On Sun, 2015-06-28 at 14:50 -0400, Max Pyziur wrote:
>
>> I haven't setup the firewall yet (dangerous, I know) until I get the
>> connectivity working.
>>
>> I'm obviously overlooking some other configuration settings required for
>> machines inside the network being able to connect through the
>> gateway/router.
>
> As others have pointed out, you're either missing a NAT layer or you got
> a large enough IP allocation to subnet and you haven't set up routing.
> Probably safe to assume it's NAT.
>
> I'd suggest at a minimum you install something like shorewall to assist
> in managing your firewall and IP masquerading tasks. It's available in
> EPEL, is very well documented, and provides enough built in sanity
> checks to protect you against making some silly (and some not so silly)
> mistakes in your firewall management.

Thanks to all for pointing me in the direction of iptables and IP masquerading.

From several sources (code, the stock CentOS iptables) I've cobbled the following /etc/sysconfig/iptables; while it works, I suspect that there are holes:

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    COMMIT

I also seem to need to load iptable_nat and nf_nat_ftp via rc.local. Is this correct?

Thank you again,
Max
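Two of the holes the poster suspects, shown as an added example (not code from the thread or from CentOS): the nat/filter skeleton from the post beside a tightened version, with a small shell check that flags an unrestricted MASQUERADE and a FORWARD chain that accepts by default. The interface names ppp0 (PPPoE uplink) and eth1 (LAN) are assumptions.

```shell
# Added example, not from the thread. The poster's nat/filter skeleton sits
# beside a tightened version; audit_rules flags the two weak spots: a
# MASQUERADE with no -o interface (NATs traffic leaving on any interface,
# LAN side included) and a FORWARD chain whose default policy is ACCEPT
# (anything reaching the gateway from the WAN can be forwarded into the LAN).
# Interface names are assumptions: ppp0 = PPPoE uplink, eth1 = LAN.
POSTED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

HARDENED_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
COMMIT'

# audit_rules RULESET: print each weakness found; return 1 if any, else 0.
audit_rules() {
    found=0
    if printf '%s\n' "$1" | grep -- '-j MASQUERADE' | grep -qv -- ' -o '; then
        echo "MASQUERADE rule has no -o <wan-if>: NAT applies on every interface"
        found=1
    fi
    if printf '%s\n' "$1" | grep -q '^:FORWARD ACCEPT'; then
        echo "FORWARD policy is ACCEPT: default to DROP, allow LAN->WAN explicitly"
        found=1
    fi
    return $found
}

audit_rules "$POSTED_RULES" || echo "posted ruleset: findings above"
audit_rules "$HARDENED_RULES" && echo "hardened ruleset: no findings"
```

On CentOS 6 the helper modules can be listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config instead of rc.local, so they are loaded together with the rules by the iptables service.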
zep
2015-Jun-28 23:16 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 06/28/2015 03:20 PM, Alexander Dalloz wrote:
> Am 28.06.2015 um 20:50 schrieb Max Pyziur:
>
> Part of the firewall setup (iptables) is to configure masquerading.
> That's you issue, the missing masquerading of the traffic from the LAN
> hosts through the gateway.
>
>> I'm obviously overlooking some other configuration settings required for
>> machines inside the network being able to connect through the
>> gateway/router.
>>
>> Thanks for any advice in advance

As others have stated, you need to use NATing; you won't actually be routing traffic (unless you've been allocated a routable network, which is possible, but pretty unlikely).

The script I use (stolen from some google search, I'm sure; I can't give proper attribution if pressed):

    # Flush all the rules in filter and nat tables
    iptables --flush
    iptables --table nat --flush
    # Delete all chains that are not in default filter and nat table
    iptables --delete-chain
    iptables --table nat --delete-chain

    # Set up IP FORWARDing and Masquerading
    iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
    iptables --append FORWARD --in-interface eth3 -j ACCEPT

    # Enables packet forwarding by kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward

In this case eth3 would be your local, non-routed network (e.g. 10.* or 192.168.*) and eth2 would be your regular network interface (like the one plugged into your cable modem or DSL connection).

It'd likely need to be customized for your environment, and running it would likely destroy any firewall rules you have set up, fair warning.

--
public gpg key id: AE60F64C
Sorin Srbu
2015-Jun-29 06:11 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Max Pyziur
> Sent: den 28 juni 2015 20:50
> To: centos at centos.org
> Subject: [CentOS] Using a CentOS 6 Machine as a gateway/router/home
> server
>
> I'm rebuilding a machine to function as a gateway/router to Verizon DSL.

Hi,

May I ask why you don't just use a made-for-the-purpose distro like Smoothwall to do this? It takes (almost) all of the pain out of configuring stuff, and is quite secure due to not having as much "junk" pre-installed as CentOS 6?

--
//Sorin
Sorin Srbu
2015-Jun-29 06:14 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Sorin Srbu
> Sent: den 29 juni 2015 08:11
> To: CentOS mailing list
> Subject: Re: [CentOS] Using a CentOS 6 Machine as a gateway/router/home
> server
>
> > -----Original Message-----
> > From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> > Behalf Of Max Pyziur
> > Sent: den 28 juni 2015 20:50
> > To: centos at centos.org
> > Subject: [CentOS] Using a CentOS 6 Machine as a gateway/router/home
> > server
> >
> > I'm rebuilding a machine to function as a gateway/router to Verizon DSL.
>
> May I ask why you don't just use a made-for-the-purpose-distro like
> Smoothwall to do this?
> It takes (almost) all of the pain out of configuring stuff, and is quite secure due
> to not having as much "junk" pre-installed as CentOS 6?

Please note: I'm not criticizing, just curious about the argument behind using a regular OS to do firewall stuff.

--
//Sorin
John R Pierce
2015-Jun-29 06:29 UTC
[CentOS] Using a CentOS 6 Machine as a gateway/router/home server
On 6/28/2015 11:11 PM, Sorin Srbu wrote:
> May I ask why you don't just use a made-for-the-purpose-distro like
> Smoothwall to do this?

Indeed, I use pfSense, running on an APU1D4 [1] router board as my firewall, and a separate home server on a HP Microserver [2]. IMHO, keeping the firewall function completely separate simplifies security.

That router board can handle 300 Mbit/sec of NAT firewall rules; since I only have 30 Mbit internet, that's plenty of headroom. The Microserver has 4x3 TB SATA drives in a raidZ (ZFS) for 7.5 TiB usable.

I can muck about with the server at my leisure, and reboot it, and not affect internet routing to my wife. The firewall doesn't need mucking about with and has uptimes measured in months (time between pfSense upgrades). pfSense provides the DHCP and DNS and NTP services for the LAN.

[1] http://store.netgate.com/kit-APU1C4.aspx
[2] http://www8.hp.com/h20195/v2/GetPDF.aspx/c04111079.pdf

--
john r pierce, recycling bits in santa cruz