How do I set up NAT with iptables in Linux RHEL 7

Hi All

I'm new to Linux and am currently setting up a Linux RHEL 7 box with 2 NICs, one to the WAN and another to the LAN. I typed the commands below and tested the client computer, but it cannot connect to the Internet. A static IP has been assigned to the client computer, with the gateway pointing to the Linux server and a public IP for DNS. Any idea what goes wrong?

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o ens192 -j MASQUERADE


Keith
piaakitAsked:

piaakitAuthor Commented:
In vim /etc/sysconfig/iptables I cannot see the entry I added with "iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o ens192 -j MASQUERADE". Any idea?

matrix8086Commented:
The idea is as follows:

What you type in the shell (command line) is not permanent. To make it permanent you should write the commands in the configuration file and reload the service.

For example, you should add

iptables -A POSTROUTING -t nat -s 192.168.1.0/24 -o ens192 -j MASQUERADE
iptables -A FORWARD -i ens_lan -j ACCEPT

before the first REJECT in /etc/sysconfig/iptables and then restart the iptables service: systemctl restart iptables

Also, you should disable firewalld:

systemctl stop firewalld
systemctl disable firewalld


and then enable iptables

systemctl enable iptables
systemctl start iptables


check this tutorial: https://www.youtube.com/watch?v=7VXBjzPHwCA
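The procedure in the answer above (write the rules into /etc/sysconfig/iptables ahead of the REJECT, persist forwarding, swap firewalld for the iptables service) as one worked example. This is added here and is not code from any poster in the thread. It assumes ens192 is the WAN interface, ens224 the LAN interface and 192.168.1.0/24 the LAN subnet, as the thread suggests, and that the iptables-services package provides the iptables unit on RHEL 7. Beyond the thread's two rules it adds a conntrack rule so return traffic is accepted and ends FORWARD with a REJECT, and it includes a check for the mistake where an ACCEPT appended with -A lands below that REJECT and is never evaluated.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): build the
# persistent iptables-save file that RHEL 7's iptables service loads at
# boot, persist ip_forward, and check the rule-ordering mistake discussed
# above. Interface names and the LAN subnet are parameters; ens192 (WAN),
# ens224 (LAN) and 192.168.1.0/24 are assumed from the thread.

# Print a complete ruleset in iptables-save format. Note the format differs
# from interactive commands: no "iptables" prefix, one section per table,
# each ending in COMMIT. FORWARD defaults to DROP, so only LAN-originated
# traffic and its return packets cross the box; management is expected
# from the LAN side, nothing is accepted on the WAN interface.
nat_ruleset() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $net -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Write the ruleset and a sysctl drop-in under $1 (use "" for the real
# root; a scratch directory lets you inspect the result first).
install_ruleset() {
    prefix="$1"; wan="$2"; lan="$3"; net="$4"
    mkdir -p "$prefix/etc/sysconfig" "$prefix/etc/sysctl.d"
    nat_ruleset "$wan" "$lan" "$net" > "$prefix/etc/sysconfig/iptables"
    # /proc/sys/net/ipv4/ip_forward is reset on reboot; this file is not.
    printf 'net.ipv4.ip_forward = 1\n' > "$prefix/etc/sysctl.d/99-ip-forward.conf"
}

# Exit 0 when every FORWARD ACCEPT precedes the chain's first unconditional
# REJECT/DROP, 1 when an ACCEPT sits below it (what "iptables -A" produces
# on a chain that already ends in REJECT: the rule is never evaluated).
forward_rules_reachable() {
    awk '
        /^-A FORWARD / {
            if ($0 ~ /^-A FORWARD -j (REJECT|DROP)/) blocked = 1
            else if (blocked && $0 ~ /-j ACCEPT/) bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# On the router itself, as root:
#   yum install iptables-services
#   install_ruleset "" ens192 ens224 192.168.1.0/24
#   forward_rules_reachable /etc/sysconfig/iptables && \
#     sysctl --system && iptables-restore < /etc/sysconfig/iptables
#   systemctl stop firewalld && systemctl disable firewalld
#   systemctl enable iptables && systemctl start iptables
# After a reboot, "iptables -t nat -S POSTROUTING" should still list the
# MASQUERADE rule and "sysctl net.ipv4.ip_forward" should print 1.
```

Running install_ruleset against a scratch directory first and checking the file with forward_rules_reachable catches both problems seen in the thread (rules that only lived in the running kernel, and rules appended after the REJECT) before anything touches the live firewall.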
piaakitAuthor Commented:
The above works, but when I reboot the Linux box, the client computer cannot access the Internet. Any idea?

piaakitAuthor Commented:
When I start iptables I receive the error below

arnoldCommented:
Usually /etc/sysconfig/iptables is not updated until /etc/init.d/iptables save is run.

/etc/init.d/iptables
You will be shown the usage of the service.

-A adds the line at the end; if you have an explicit deny when you start, the new one will be added below it and will never be evaluated.

iptables -L --line-numbers will include line numbers for each chain, which you can use with the -I option

iptables -t filter -I INPUT 4 ...

The above will add the specified rule as line number four of the INPUT chain.

Some things can be simplified through the use of your own defined chains that are then added into the applicable predefined chains in the manner you wish them applied. The benefit is that you add a rule to your chain and thus implement it as you need it, which often requires rules added to at least two chains (INPUT/FORWARD ...).
piaakitAuthor Commented:
Sorry, I'm new to Linux, so do I need to use "/etc/init.d/iptables" to save the config? How about the command "iptables-save > /etc/sysconfig/iptables"? I have typed that and it doesn't work after the reboot. Do they work differently?
arnoldCommented:
I tend to use the command I outlined.

When you use iptables -A you make changes in real time to the running firewall configuration; to commit the changes you would run /etc/init.d/iptables save, which will update /etc/sysconfig/iptables to include the changes you made.

The reason you should not be modifying iptables directly is that an error there will not manifest, nor can it be cleared by a reboot.
piaakitAuthor Commented:
Sorry, I cannot find iptables in the path below. Do you mind telling me in a simple way what command I need to type? Sorry, I'm really new to Linux; any help would be appreciated!
piaakitAuthor Commented:
This is what my iptables looks like in /etc/sysconfig/iptables

arnoldCommented:
The two lines:
-A FORWARD -i ens224
-A FORWARD -i ens192

Do you actually have these interfaces (ifconfig -a)?

Try the following:
service iptables
Does it give you a list of arguments: start, stop, restart, reconfig, reload, save?
service iptables save will handle saving the current rules so that they will be set on restart.

See whether you can manage firewall rules within webmin.
Also see whether you have system-config-firewall or system-config-firewall-tui.
The tui runs in an ASCII/ANSI terminal and does not need a graphical redirect as system-config-firewall does.
yum search system-config
will provide a list of tools that RHEL includes to manage different aspects of the system.
piaakitAuthor Commented:
Hi arnold


I have the 2 interfaces, and I could use "service iptables save", and in webmin I could manage the firewall.


piaakitAuthor Commented:
I just tried to reboot, and my client PC cannot even ping the Linux 7 box. I need to go back to the previous snapshot of the VM in order to get access back to the Internet.
arnoldCommented:
Not sure what happened in between.

At this point, you have a way to save the changes you make.
Now, is this system being used to provide an Internet connection to the LAN?
I.e. this Linux VM will function as a router?
I think we are getting sidetracked here.
gheistCommented:
firewall-cmd --query-masquerade
firewall-cmd --zone=eth4 --add-masquerade --permanent
matrix8086Commented:
Did you disable firewalld? You cannot have both firewalld and iptables. In RHEL 7 iptables is disabled by default and the default firewall is firewalld. You should decide which one you want to use!
piaakitAuthor Commented:
Yes, this VM is acting as a router, and I have disabled and stopped firewalld already, and enabled and started iptables. I just have no idea why every time the Linux box reboots it cannot share the Internet connection to the LAN PC.
gheistCommented:
For the price of RHEL 7 you can buy a car trunk full of home routers capable of saving the configuration as you set it.
matrix8086Commented:
Did you try iptables-save after you set up iptables? After a restart, if you type iptables-restore conf_file, does Internet connection sharing work?
arnoldCommented:
To manage the function as a router, your best bet is to create chains.
You would need to place the chains on the incoming and PREROUTING and possibly DNAT side to deal with allowing established traffic through the WAN interface into the NAT on the filter side, or other external port-forwarding rules.

You would then have a LAN-side chain from the INPUT, POSTROUTING and/or possibly SNAT.

You might want to consider looking at fwbuilder.org

It is a GUI tool that could help you manage your iptables configuration to achieve the routing:
incoming traffic through the ens192 interface, established state, or specific port destination.

etc.

Routing rules in INPUT are only one part of the path; you would then need to add the rule to FORWARD/PREROUTING/DNAT depending on what it is you want the packet to get to.

ens224

The chain will apply to a specific interface using the -i ......
piaakitAuthor Commented:
Thanks for all of your replies, I will try them out tonight, thanks!
piaakitAuthor Commented:
It works after checking the option button below, thanks for all of your answers!
piaakitAuthor Commented:
I have another issue. I have added a storage disk from VMware to the Linux 7 VM; the folder is called "storage" and is already mounted at the path /storage. I want to create a Samba server at the path "/storage/FTP" (see the bottom screenshot), and it didn't work unless I created the folder in "/root". Any idea?
piaakitAuthor Commented:
According to the guide I found on the Internet, it said it needs to create the directory from /root. Can I create the directory in /root/folder?
arnoldCommented:
Usually /root would not be a good location for this, as /root is the administrative root user's folder with highly restrictive rights.

The root referenced in the link refers to the root

What repo? I think you might be mixing questions. This one deals with configuring your RHEL 7 as a router.
Please confirm.
piaakitAuthor Commented:
The problem with RHEL 7 as a router has been resolved. Now I have a problem with Samba: I cannot configure Samba with the path /root/storage/FTP; I could only configure Samba as /root.
arnoldCommented:
You should not be using /root as the basis of any share, as that is root's home directory.
/export and other paths are more suitable for that. The issue is likely the permissions as well as SELinux settings.
piaakitAuthor Commented:
My mounted storage is now located in /storage/FTP. Does it look correct?
piaakitAuthor Commented:
If I mount another folder such as "/media" it works; only the additional storage I mounted does not work for Samba.
piaakitAuthor Commented:
When I mount the additional storage as "/storage/FTP" it doesn't work, but I used to mount it like this in RHEL 6 and it worked fine!
arnoldCommented:
The issue is that you likely have SELinux enabled; certain paths are defined/authorized for certain things, while newly created mount point directories are not.

Look at /var/log/audit/audit.log to see if you have a deny event on access.

At the top of the smb.conf file in /etc/samba/smb.conf it includes info on what permissions are needed:
chcon -t samba_share_t /storage

more /etc/sysconfig/selinux
I suspect it is set to targeted.
ls /etc/selinux/targeted/contexts/files/
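The check suggested in the answer above (look in audit.log for the denial, then label the share directory) as a worked example. This is added here and is not code from any poster. The audit lines are constructed for the example: the first is the non-AVC record the thread pasted, the rest are AVC denials of the shape SELinux logs when smbd touches a directory that carries default_t instead of samba_share_t; /storage as the share root is taken from the thread. Unlike the chcon command quoted above, the printed fix records a file-context rule with semanage so the label survives a relabel.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): find the
# SELinux denials behind a Samba share that only works with SELinux
# disabled, and print the persistent relabel instead. The audit lines
# below are constructed for the example; on the real box read
# /var/log/audit/audit.log or run "ausearch -m avc -c smbd".

# Constructed sample: one non-AVC record (the kind the thread pasted) and
# AVC denials for smbd on a freshly created /storage mount point, which
# gets default_t rather than samba_share_t.
sample_audit_log() {
    cat <<'EOF'
type=CRED_REFR msg=audit(1431446829.737:129449): pid=28864 uid=0 auid=0 ses=607 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.102 addr=192.168.1.102 terminal=ssh res=success'
type=AVC msg=audit(1431446901.101:129450): avc:  denied  { read } for  pid=28901 comm="smbd" name="FTP" dev="sdb1" ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1431446901.102:129451): avc:  denied  { getattr } for  pid=28901 comm="smbd" path="/storage/FTP/readme.txt" dev="sdb1" ino=14 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1431446901.103:129452): avc:  denied  { read } for  pid=28901 comm="smbd" name="FTP" dev="sdb1" ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
EOF
}

# Summarize AVC denials in an audit log as "comm tclass target_type {perms}",
# one line per distinct combination, so you can see what smbd was refused
# and which label on the target caused it.
avc_denials() {
    awk '
        /^type=AVC / && / denied / {
            p = index($0, "{"); q = index($0, "}")
            perms = substr($0, p + 1, q - p - 1)
            gsub(/^ +| +$/, "", perms)
            comm = ""; ttype = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            print comm, tclass, ttype, "{" perms "}"
        }' "$1" | sort -u
}

# Print the persistent fix for a share directory: record the file-context
# rule so restorecon (and any future full relabel) apply samba_share_t.
# chcon alone changes the label now but is undone by the next relabel.
# semanage is in the policycoreutils-python package on RHEL 7.
samba_label_commands() {
    dir="$1"
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Typical use on the file server, as root:
#   avc_denials /var/log/audit/audit.log
#   samba_label_commands /storage | sh
#   ls -Zd /storage          # should now show samba_share_t
```

With the share labelled this way SELinux stays in enforcing mode; only the one directory tree is opened to smbd, rather than every confined service being released at once as disabling SELinux does.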
piaakitAuthor Commented:
type=CRED_REFR msg=audit(1431446829.737:129449): pid=28864 uid=0 auid=0 ses=607 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.102 addr=192.168.1.102 terminal=ssh res=success'



[root@localhost ~]# more /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted




[root@localhost ~]# ls /etc/selinux/targeted/contexts/files/
file_contexts           file_contexts.homedirs.bin  file_contexts.subs
file_contexts.bin       file_contexts.local         file_contexts.subs_dist
file_contexts.homedirs  file_contexts.local.bin     media
piaakitAuthor Commented:
Shall I disable SELinux?
piaakitAuthor Commented:
It works perfectly after disabling SELinux!!
arnoldCommented:
You should not. SELinux is there to shield you/your system from certain issues.

There is a method to the madness, where certain things need to work in a certain way or you have to take steps to adjust.

Going the route you have, you might, as time progresses, keep running into similar situations where you place/set up NFS/Samba shares, or place other documents/services in paths where they do not belong. While you are the sole controller of the system you can make adjustments, but you might run into a situation where you cannot make the modifications as you have done, at which point .......

It is bad practice to use /root or any other user location as the basis for any share outside the Samba/Windows/AD type of environment.
In various config files, including smb.conf, there is a reference to commands that should be run to authorize access on SELinux-enabled systems.

Certain things should not be placed in certain locations, and adjusting the SELinux restrictions reduces the protection this feature offers.
piaakitAuthor Commented:
Thanks for your advice. I have another issue when installing proftpd 1.3.5: I can't find proftpd.conf. Any idea?


proftpd:[root@localhost proftpd-1.3.5]# whereis proftpd
proftpd:[root@localhost proftpd-1.3.5]#



I'm following this, but I can't find it
arnoldCommented:
You should open a separate question for a separate issue.