NAT doesnt work on CentOS 7(Firewalld)

Question

I have configured nat to make my CentOS 7 into a router. I have used firewalld to do this. But unfortunately it doesnt work. I have no idea which causes the issue. I tried the same configuration in Virtual Box and it is working. If I did the same config in the production server it doesnt.

Eth0 ip– my static ip

mask-255.255.252.0

gateway-my ISP gateway

eth1

ip-192.168.1.30

mask-255.255.255.0

1) Enabled packet forwarding

vi /etc/sysctl.conf

added “net.ipv4.ip_forward=1”

sysctl –p

2) Configuring the NAT in firewalld

i) Integrating the interface “eth1” to the internal zone

Firewall-cmd --change-interface=eth1 --zone=internal --permanent

• Masquerading was “off” in default

ii) Integrating the interface “eth0” to the external zone

Firewall-cmd --change-interface=eth0 --zone=external --permanent

iii) Changed “internal zone” as the default zone

Firewall-cmd --set-default-sone=internal --permanent

iv) Added DNS to pass through “internal zone”

Firewall-cmd --zone=internal --add-service=dns –-permanent

3) Saved the firewall configuration

Firewall-cmd --reload

Firewall-cmd --complete-reload

4) Also tried in the iptables

Iptables –t nat –A POSTROUTING –o eth0 –j MASQUERADE

Iptables –A FORWARD –i eth1 –j ACCEPT

Echo > 1 /proc/sysc/net/ipv4/ip_forward

Service iptables restart

score 5 · Answer 1 · answered Jan 30 '15 at 20:14

5

I don't see in your configuration where you set the masquerade option for your external interface.

firewall-cmd --zone=external --add-masquerade --permanent

This is what worked for me when I started playing with the infamous firewalld

answered Jan 30 '15 at 20:14

JuxVP

106
4

1

masquerade is enabled by default in external zone – Anbu Jan 31 '15 at 11:02

score 0 · Answer 2 · answered Mar 11 '17 at 12:57

I think you need to set up masquerade on the internal zone not he external one..

Admittedly I haven figured out firewalld yet but CentOS 7.3 running IPTables, I was able to NAT an external request to 8806 to in internal IP on port 3306 for mysql connections, with the following configuration:

[root@firewall-dnat ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Tue Mar 7 20:06:21 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [343:41670]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 8806 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Mar 7 20:06:21 2017
# Generated by iptables-save v1.4.21 on Tue Mar 7 20:06:21 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:76]
:POSTROUTING ACCEPT [1:76]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8806 -j DNAT --to-destination 10.208.135.106:3306
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Mar 7 20:06:21 2017

Note now masquerade is set on the outbound traffic of eth1 (my internal interface).

Heres what the 3 -server lab kinda looked like:

[client] -> eth0 (public) -> mysql port 8806 -> eth0 (public) [firewall-dnat] eth1 (internal) -> mysqlport 3306 -> eth1 (internal) db1 (mariadb)

Hope that helps.

NAT doesnt work on CentOS 7(Firewalld)

2 Answers2