CentOS 6.5 : Iptables NAT (Masquerade) 
CentOS 6.5 NAT

Topology:

               eth0 (inside)                 wlan0 (outside)
  +---------+  172.16.75.1   +-----------+   192.168.1.131   +----------+
  | Client1 |----------------|  Gateway  |-------------------| Internet |
  +---------+                +-----------+                   +----------+

Gateway's interfaces:
- wlan0, outside (192.168.1.131/24): my home's regular LAN, which is connected to the internet
- eth0, inside (172.16.75.1/24 as intended; note that the ip a / ifconfig output further down shows eth0 configured with a /16 mask while the DHCP client below gets /24. Both overlap on 172.16.75.0/24, so it works, but the masks should match.)

Assumptions:
A DHCP server on the gateway serves the clients on eth0, handing out eth0's IP (172.16.75.1) as the default gateway and 4.2.2.2, 4.2.2.1 as DNS servers.


*Enable IP forwarding (check the current value with cat /proc/sys/net/ipv4/ip_forward). sysctl -w only changes the running kernel; to survive a reboot, also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
[root@gateway ~]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

*Set default policies to ACCEPT. Doing this before flushing matters: if a DROP policy were left in place, flushing the rules would lock you out of a remote session.
[root@gateway ~]# iptables -P INPUT ACCEPT
[root@gateway ~]# iptables -P OUTPUT ACCEPT
[root@gateway ~]# iptables -P FORWARD ACCEPT

*Reset all rules in the filter and nat tables, we want to be in full control ;)
[root@gateway ~]# iptables -t nat --flush
[root@gateway ~]# iptables -t filter --flush

*Verify we have no rules
[root@gateway ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@gateway ~]#
[root@gateway ~]#
[root@gateway ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

*Save our changes so far
[root@gateway ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

*Enable NAT; wlan0 is our outside interface. This is where the magic happens. Note that this rule rewrites the source of every packet leaving wlan0, whatever its origin; restricting it to the inside network with -s 172.16.75.0/24 is tighter.
[root@gateway ~]# iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE

* Save and restart
[root@gateway ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@gateway ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: nat filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]

* Verify once more
[root@gateway ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@gateway ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


* Clients on the inside interface (eth0) should now be able to ping the internet :)
[acool@client1 ~]$ 
[acool@client1 ~]$ ping -c 2 yahoo.com
PING yahoo.com (98.138.253.109) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=1 ttl=41 time=78.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_seq=2 ttl=41 time=84.5 ms

--- yahoo.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 78.154/81.349/84.544/3.195 ms
[acool@client1 ~]$


* Security
These rules protect the gateway itself on its outside interface: replies to connections the gateway initiated, SSH, nothing else. Order matters, since the first matching rule wins. Two things they do not cover: the FORWARD chain is still policy ACCEPT with no rules, so the gateway will route anything arriving on wlan0 toward the inside network; and they are IPv4 only, ip6tables is untouched, even though wlan0 has a global 2002:: (6to4) IPv6 address as the ip a output below shows.
[root@gateway ~]# iptables -A INPUT -i wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT # allow replies to connections initiated from the inside
[root@gateway ~]# iptables -A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT # allow ssh
[root@gateway ~]# iptables -A INPUT -i wlan0 -j DROP # drop everything else


* Save & restart
[root@gateway ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@gateway ~]# service iptables restart
iptables: Setting chains to policy ACCEPT: filter nat [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
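The whole procedure above packaged as one script, as an added example that is not the original post's code: it emits the gateway ruleset in iptables-restore format (the same format /etc/sysconfig/iptables uses) and, when run as root with the argument apply, loads it and persists ip_forward. It tightens two things compared with the rules typed in on this page: MASQUERADE only applies to packets sourced from the inside network, and the FORWARD chain gets a DROP policy with explicit inside-to-outside and reply rules instead of an ACCEPT policy with no rules. The interface names and inside prefix are parameters whose defaults are taken from the page; the function names and the show/apply dispatch are my own.

```shell
#!/bin/sh
# Added example: generate and optionally apply a NAT gateway ruleset for CentOS 6.
# Defaults (wlan0 outside, eth0 inside, 172.16.75.0/24) are the values used on this page.

gen_gateway_rules() {
    local out_if="${1:-wlan0}" in_if="${2:-eth0}" in_net="${3:-172.16.75.0/24}"
    # iptables-restore ignores lines starting with '#', so the comments can stay in the file
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only rewrite packets that really come from the inside network and leave via ${out_if}
-A POSTROUTING -s ${in_net} -o ${out_if} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: replies to its own connections, SSH from outside, drop the rest
-A INPUT -i ${out_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${out_if} -p tcp --dport 22 -j ACCEPT
-A INPUT -i ${out_if} -j DROP
# Routed traffic: inside -> outside is allowed, outside -> inside only as replies (policy DROP)
-A FORWARD -i ${in_if} -o ${out_if} -s ${in_net} -j ACCEPT
-A FORWARD -i ${out_if} -o ${in_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

apply_gateway_rules() {
    # Refuse to touch the system unless root, so the generator is safe to run for review
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    # Enable forwarding now and make it persistent across reboots
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
    # Load the ruleset atomically and keep the init script's file in sync
    gen_gateway_rules "$@" | iptables-restore
    gen_gateway_rules "$@" > /etc/sysconfig/iptables
}

# Usage: sh gateway.sh              -> print the ruleset for review
#        sh gateway.sh apply [out_if in_if in_net]  -> load and persist it (root)
if [ "${1:-}" = "apply" ]; then
    shift
    apply_gateway_rules "$@"
else
    gen_gateway_rules "$@"
fi
```

Review the printed ruleset first (`sh gateway.sh`), then run it with apply from the console or over eth0, not over an SSH session that arrives on wlan0, since the reload briefly replaces the rules that let that session in.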



* Verify (only the filter table should have changed)
[root@gateway ~]# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@gateway ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@gateway ~]#
[root@gateway ~]#
[root@gateway ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:24:d2:de:4e:92 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.131/24 brd 192.168.1.255 scope global wlan0
inet6 2002:68af:f6e8:0:224:d2ff:fede:4e92/64 scope global dynamic
valid_lft 30sec preferred_lft 20sec
inet6 fe80::224:d2ff:fede:4e92/64 scope link
valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:13:77:bb:9a:e7 brd ff:ff:ff:ff:ff:ff
inet 172.16.75.1/16 brd 172.16.255.255 scope global eth0
inet6 fe80::213:77ff:febb:9ae7/64 scope link
valid_lft forever preferred_lft forever
[root@gateway ~]#
[root@gateway ~]#
[root@gateway ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:77:BB:9A:E7
inet addr:172.16.75.1 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::213:77ff:febb:9ae7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:43985 errors:0 dropped:0 overruns:0 frame:0
TX packets:49958 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6091788 (5.8 MiB) TX bytes:50032578 (47.7 MiB)
Interrupt:18

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:44 errors:0 dropped:0 overruns:0 frame:0
TX packets:44 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6594 (6.4 KiB) TX bytes:6594 (6.4 KiB)

wlan0 Link encap:Ethernet HWaddr 00:24:D2:DE:4E:92
inet addr:192.168.1.131 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: 2002:68af:f6e8:0:224:d2ff:fede:4e92/64 Scope:Global
inet6 addr: fe80::224:d2ff:fede:4e92/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82964 errors:0 dropped:0 overruns:0 frame:0
TX packets:59507 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:73241396 (69.8 MiB) TX bytes:9284164 (8.8 MiB)

[root@gateway ~]#


* Client IP
[acool@client1 ~]$ ifconfig enp0s25
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.75.3 netmask 255.255.255.0 broadcast 172.16.75.255
inet6 fe80::6ab5:99ff:fef8:6ecc prefixlen 64 scopeid 0x20<link>
ether 68:b5:99:f8:6e:cc txqueuelen 1000 (Ethernet)
RX packets 12678 bytes 7212505 (6.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16512 bytes 2645234 (2.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xd7400000-d7420000



NOTE: Use -v to see per-rule packet and byte counters; it is the quickest way to confirm a rule is actually matching. Here the DROP rule has already caught 49 packets on wlan0 while the ssh rule has matched none, and the MASQUERADE rule shows 37 translated packets:
[root@gateway ~]# iptables -t filter -L -v 
Chain INPUT (policy ACCEPT 285 packets, 23628 bytes)
pkts bytes target prot opt in out source destination
7 609 ACCEPT all -- wlan0 any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- wlan0 any anywhere anywhere tcp dpt:ssh
49 3562 DROP all -- wlan0 any anywhere anywhere

Chain FORWARD (policy ACCEPT 259 packets, 102K bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 209 packets, 28461 bytes)
pkts bytes target prot opt in out source destination
[root@gateway ~]#
[root@gateway ~]#
[root@gateway ~]#
[root@gateway ~]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 61 packets, 4875 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1 packets, 116 bytes)
pkts bytes target prot opt in out source destination
37 2292 MASQUERADE all -- any wlan0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 8 packets, 631 bytes)
pkts bytes target prot opt in out source destination
[root@gateway ~]#
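A quick audit of a saved ruleset, as an added example that is not part of the original post: it reads iptables-save output and flags the three things in the rules above that deserve a second look (an unrestricted MASQUERADE, SSH accepted from any source, and a FORWARD chain left at policy ACCEPT with no rules). The sample input is constructed from the rules on this page, in iptables-save format rather than the iptables -L listing shown; the finding texts and the choice of checks are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for common NAT gateway mistakes.
# Prints one finding per line and returns 1 if anything was found, 0 otherwise.

audit_ruleset() {
    findings=$(awk '
        /^\*/          { table = substr($0, 2) }          # *nat / *filter
        /^:FORWARD /   { fwd_policy = $2 }                # :FORWARD ACCEPT [p:b]
        /^-A FORWARD / { fwd_rules++ }
        # MASQUERADE with no -s: every packet leaving the interface is rewritten
        /^-A POSTROUTING .*-j MASQUERADE/ && table == "nat" && $0 !~ / -s / {
            print "nat/POSTROUTING MASQUERADE has no -s restriction: " $0
        }
        # SSH accept on INPUT without a source: reachable from the whole outside network
        /^-A INPUT / && /--dport 22 / && $0 !~ / -s / {
            print "filter/INPUT accepts SSH from any source, consider -s <admin net>: " $0
        }
        END {
            if (fwd_policy == "ACCEPT" && fwd_rules == 0)
                print "filter/FORWARD is policy ACCEPT with no rules: the gateway routes anything in either direction"
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: what iptables-save would print for the rules typed in on this page
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o wlan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i wlan0 -j DROP
COMMIT
EOF
}

# Usage on the gateway: iptables-save | audit_ruleset
# Stand-alone: audit the constructed sample above
sample_ruleset | audit_ruleset || echo "ruleset needs attention (exit $?)"
```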







2024 By Angel Cool