Making a CentOS 7 linux host as a router


A Linux host can act as a router between two networks. It needs an interface in each network, IPv4 forwarding enabled in the kernel, and a firewall configuration that permits the forwarded traffic. On CentOS 7 the firewall is managed by firewalld, so the work is mostly assigning each interface to the right zone.

In this example we have two NICs in the host.

]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 20.10.0.16 netmask 255.255.240.0 broadcast 20.10.15.255
inet6 fe80::20c:29ff:fe6c:6584 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:6c:65:84 txqueuelen 1000 (Ethernet)
RX packets 682114 bytes 365768764 (348.8 MiB)
RX errors 0 dropped 1369 overruns 0 frame 0
TX packets 273180 bytes 27270276 (26.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens34: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 20.246.32.71 netmask 255.255.252.0 broadcast 20.246.35.255
inet6 fe80::20c:29ff:fe6c:658e prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:6c:65:8e txqueuelen 1000 (Ethernet)
RX packets 819253 bytes 84669138 (80.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 394951 bytes 43114846 (41.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

We will use ens32 (20.10.0.16, network 20.10.0.0/20) for the local LAN and ens34 (20.246.32.71, network 20.246.32.0/22) for the external network.

Note: the router host itself must already be able to reach both networks, i.e. it has an address on each of them and can reach hosts on either side directly. If that is not the case, the problem is addressing or cabling, not the firewall.

List the default zone and the services it allows
]# firewall-cmd --list-all

Check which interfaces, if any, are already bound to the external zone
]# firewall-cmd --list-all --zone=external

Make ens34 part of the external zone. The first command changes the running configuration only; the second changes the saved configuration, so the assignment survives a reload or a reboot
]# firewall-cmd --change-interface=ens34 --zone=external
]# firewall-cmd --change-interface=ens34 --zone=external --permanent

Make ens32 part of the internal zone in the same way
]# firewall-cmd --change-interface=ens32 --zone=internal
]# firewall-cmd --change-interface=ens32 --zone=internal --permanent

Reload the firewalld configuration so the saved settings become the active ones. A plain --reload is sufficient here; --complete-reload additionally drops the connection tracking state and so cuts existing connections through the router, which is rarely what you want
]# firewall-cmd --reload

Two things happen implicitly at this point and are worth knowing. The external zone has masquerading enabled by default, so hosts on the LAN are NATed behind 20.246.32.71 when they reach the external network. And firewalld switches IPv4 forwarding on while masquerading is active; the host does not forward at all if net.ipv4.ip_forward is 0, so if you ever remove the masquerade you must enable forwarding yourself (persistently, via a file in /etc/sysctl.d).

Allowing a service in the internal zone opens that port on the router itself for LAN hosts; it is not required for traffic that only passes through the router. If the router also serves HTTP to the LAN, allow it in both the running and the saved configuration
]# firewall-cmd --zone=internal --add-service=http
]# firewall-cmd --zone=internal --add-service=http --permanent

*** Testing ***

On a host inside the local LAN (20.10.0.0/20), add a route for the external network 20.246.32.0/22 with the router's LAN-side address 20.10.0.16 as the gateway. The gateway must be the router's address on the LAN side; 20.246.32.71 is its address on the other network and is not reachable from the LAN without a route in the first place. Then try to access a site hosted on a server in the external LAN. Because the external zone masquerades, the external server sees the connection coming from 20.246.32.71, so nothing on the external side needs a return route to 20.10.0.0/20. If the request fails, check on the router that both interfaces are listed under their zones in the active-zone output and that IPv4 forwarding is on.
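The whole procedure as one POSIX sh script, added here as an example and not taken from the original post. The helper functions derive the network, prefix length and broadcast of each interface from the address and netmask shown in the ifconfig output above (so the values can be checked rather than typed by hand), lan_host_route builds the route the LAN host needs, and configure_router applies the zone assignment, makes forwarding persistent and prints the checks. Running the script with no arguments only defines the functions; configure_router runs when the script is invoked as `sh router.sh apply ens32 ens34`. The file name /etc/sysctl.d/90-router.conf and the interface names are assumptions.

```shell
#!/bin/sh
# CentOS 7 host as a router between two networks (added example, not the post's own code).

# Dotted quad -> 32-bit integer. Uses the function's own positional parameters,
# so the caller's arguments are untouched.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length. Rejects masks that are not a run of ones followed
# by a run of zeros (for those, the inverted mask plus one is not a power of two).
mask_to_prefix() {
    m=$(ip_to_int "$1")
    inv=$(( (~m) & 4294967295 ))
    if [ $(( inv & (inv + 1) )) -ne 0 ]; then
        echo "invalid netmask: $1" >&2
        return 1
    fi
    p=0
    while [ "$m" -ne 0 ]; do
        p=$(( p + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$p"
}

# Network address of "address netmask".
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# Broadcast address of "address netmask": network bits plus all host bits set.
broadcast_of() {
    a=$(ip_to_int "$1")
    m=$(ip_to_int "$2")
    int_to_ip $(( (a & m) | ((~m) & 4294967295) ))
}

# The route a LAN host needs: external network via the router's LAN-side address.
# $1 router LAN address, $2 router external address, $3 external netmask.
lan_host_route() {
    echo "ip route add $(network_of "$2" "$3")/$(mask_to_prefix "$3") via $1"
}

# Apply the firewalld zone layout on the router and verify it.
# $1 LAN interface (internal zone), $2 external interface (external zone).
configure_router() {
    lan_if=$1
    ext_if=$2
    # firewalld enables forwarding while masquerade is active on the external
    # zone; set it explicitly as well so routing does not depend on that.
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-router.conf   # assumed path
    sysctl -w net.ipv4.ip_forward=1
    # Saved configuration for both interfaces, then one reload to activate it.
    firewall-cmd --permanent --zone=external --change-interface="$ext_if"
    firewall-cmd --permanent --zone=internal --change-interface="$lan_if"
    firewall-cmd --reload
    # Checks: each interface under its zone, masquerade on, forwarding on.
    firewall-cmd --get-active-zones
    firewall-cmd --zone=external --query-masquerade
    cat /proc/sys/net/ipv4/ip_forward
    # Print the route to add on a LAN host, using the addresses from ifconfig.
    lan_host_route 20.10.0.16 20.246.32.71 255.255.252.0
}

case "${1:-}" in
    apply) configure_router "${2:-ens32}" "${3:-ens34}" ;;
esac
```

The arithmetic-only helpers are the part worth keeping even if you configure firewalld by hand: run `lan_host_route` with the router's addresses and you get the exact command for the LAN host, and a typo in a netmask is caught by mask_to_prefix instead of producing a route that silently covers the wrong range.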