Enabling Routing on CentOS 7 with firewalld

I put together a simple script to enable routing on a CentOS 7 box with a dual NIC configuration. It has two prompts, one for the WAN adapter name and one for the LAN adapter name. These can be retrieved via ifconfig. My ifconfig output:

[root@nuuk scripts]# ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
inet6 fe80::223:24ff:fe72:f6c5 prefixlen 64 scopeid 0x20
ether 00:23:24:72:f6:c5 txqueuelen 1000 (Ethernet)
RX packets 8281759 bytes 5042396048 (4.6 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16950142 bytes 22811149959 (21.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7c00000-f7c20000

enp0s20u3u1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 71.230.194.57 netmask 255.255.255.0 broadcast 71.230.194.255
inet6 2001:558:6027:19:3dd5:283b:c9cd:5fdc prefixlen 128 scopeid 0x0
inet6 fe80::43a5:d170:98a8:32fd prefixlen 64 scopeid 0x20
ether 00:24:27:fe:3f:77 txqueuelen 1000 (Ethernet)
RX packets 12669955 bytes 16833625289 (15.6 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5602853 bytes 654417477 (624.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 197776 bytes 48982538 (46.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 197776 bytes 48982538 (46.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

enp0s20u3u1 is my upstream adapter and eno1 is attached to my local LAN. If you have not done so already, enable the firewalld service.

…and my simple script:

#!/bin/bash
# Enable IPv4 routing between two NICs on CentOS 7 using firewalld direct rules.
# Prompt for the upstream (WAN) interface name.
read -r -p "Enter WAN NIC (Upstream): " wannic
# Prompt for the downstream (LAN) interface name.
read -r -p "Enter LAN NIC (Downstream): " lannic

echo "$wannic" "$lannic"

# Install the sysctl.conf containing net.ipv4.ip_forward=1; it takes effect
# after a reboot or a restart of the service (or sysctl -p).
cp /scripts/sysctl.conf /etc/sysctl.conf
# NAT traffic leaving through the WAN interface.
firewall-cmd --direct --permanent --add-rule ipv4 nat POSTROUTING 0 -o "$wannic" -j MASQUERADE
# Allow LAN -> WAN forwarding unconditionally.
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i "$lannic" -o "$wannic" -j ACCEPT
# Allow WAN -> LAN forwarding only for replies to existing connections.
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i "$wannic" -o "$lannic" -m state --state RELATED,ESTABLISHED -j ACCEPT
# Restart firewalld so the permanent direct rules become active.
systemctl restart firewalld
# Start collecting traffic statistics for the WAN interface.
vnstat --create -i "$wannic"

Some notes: adjust the paths to match the directory the script resides in; this script is configured to live in /scripts/. The cp command copies sysctl.conf from /scripts/ to /etc/. This is unnecessary, as you can simply add net.ipv4.ip_forward=1 to /etc/sysctl.conf or create the file with that line. Reboot the system or restart the service to enable IP forwarding. I created this script because I periodically swap out different USB LAN adapters and need to reconfigure the IP forwarding configuration.
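The script above passes whatever is typed at the prompts straight into firewall-cmd, so a mistyped or hostile interface name ends up as extra arguments to the rule. The following is an added example, not the post's own script, that keeps the same three rules (masquerade out of the WAN, allow LAN to WAN, allow WAN to LAN only for RELATED,ESTABLISHED traffic) but validates the interface names against the kernel's naming limits and against /sys/class/net before using them, and persists ip_forward through a sysctl.d drop-in instead of overwriting /etc/sysctl.conf. The drop-in path /etc/sysctl.d/90-routing.conf and the DRY_RUN switch are this example's own assumptions; the firewall-cmd and sysctl invocations are standard CentOS 7 commands.

```shell
# Added example: validated routing setup for CentOS 7 + firewalld.
# Not the original post's script; paths and DRY_RUN are assumptions.
set -eu

# Kernel interface names are at most 15 characters. Accept only characters
# that occur in real names and reject anything starting with '-', so user
# input such as "eth0 -j ACCEPT" or "-o" can never become extra arguments.
valid_ifname() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        -*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# True when the interface actually exists on this host.
ifname_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Print the three direct-rule argument lists for a WAN/LAN pair, one per line,
# in the form expected after "firewall-cmd --direct --permanent --add-rule".
routing_rules() {
    wan="$1"; lan="$2"
    printf '%s\n' \
      "ipv4 nat POSTROUTING 0 -o $wan -j MASQUERADE" \
      "ipv4 filter FORWARD 0 -i $lan -o $wan -j ACCEPT" \
      "ipv4 filter FORWARD 0 -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# Validate, then apply. With DRY_RUN=1 the rules are only printed, which is
# how the example can be exercised without root or a running firewalld.
enable_routing() {
    wan="$1"; lan="$2"; dry="${DRY_RUN:-0}"
    valid_ifname "$wan" && valid_ifname "$lan" || { echo "invalid interface name" >&2; return 1; }
    [ "$wan" != "$lan" ] || { echo "WAN and LAN must differ" >&2; return 1; }
    if [ "$dry" = 0 ]; then
        ifname_exists "$wan" && ifname_exists "$lan" || { echo "interface not found" >&2; return 1; }
        # The drop-in survives reboots; sysctl --system applies it immediately.
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-routing.conf
        sysctl --system >/dev/null
        # $rule is split on spaces deliberately: every token is either a
        # literal from routing_rules or an interface name validated above.
        routing_rules "$wan" "$lan" | while read -r rule; do
            firewall-cmd --direct --permanent --add-rule $rule
        done
        firewall-cmd --reload
    else
        routing_rules "$wan" "$lan"
    fi
}

# Interactive use, mirroring the original prompts:
#   read -r -p "Enter WAN NIC (Upstream): " wannic
#   read -r -p "Enter LAN NIC (Downstream): " lannic
#   enable_routing "$wannic" "$lannic"
```

Run it with DRY_RUN=1 first to see exactly which rules would be added; the WAN to LAN rule restricted to RELATED,ESTABLISHED is the property worth eyeballing, since it is what keeps unsolicited inbound traffic from being forwarded onto the LAN.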

Lima

About the author

Lima is the visual nautical indicator for "stop instantly."
