Wednesday, 22 February 2017

Setting up SNAT with IPTables / CentOS 7 (NAT)

This tutorial will demonstrate how SNAT can be setup - in a common configuration - where we have an internal subnet / interface (eno1) and external subnet/internet interface (wlp2s0) and we want to forward traffic from the clients on the internal subnet to the internet interface - while ensuring traffic is NAT'd when it leaves the egress (internet) interface.

Let's firstly enable ip forwarding:

echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

sudo sysctl -p

Flush the IPTable chains:

Set the policy for the filter table chains:

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT

Flush all tables:
sudo iptables -F -t filter
sudo iptables -F -t nat
sudo iptables -F -t mangle
sudo iptables -F -t raw

Ensure traffic from eno1 is masqueraded - so it will get back to the interface:
iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE

Allow eno1 to forward traffic to wlp2s0:
iptables -t filter -A FORWARD -i eno1 -o wlp2s0 -j ACCEPT

and the return traffic from wlp2s0 to eno1:
iptables -t filter -A FORWARD -i wlp2s0 -o eno1 -j ACCEPT

and block any other forwarding traffic:
iptables -t filter -A FORWARD -j DROP

Now try and ping a remote host from the internal device - if all goes to plan you should get a response back. If you encounter problems you might want to setup IPTables to log dropped packets to help you diagnose where exactly you are going wrong.

It goes without saying - but the final task is to tighten up the IPTables rules e.g. the INPUT/OUTPUT chains in the filter table.


Post a Comment