Link to home
Start Free TrialLog in
Avatar of keith li
keith liFlag for Hong Kong

asked on

How do i setup NAT iptables in Linux rhel 7

Hi All

      i,m new in linux currently setting up a linux rhel 7 with 2 NIC, one to WAN, another one to LAN, typed with below command, and tested the client computer to can not connected to internet, statis ip has assigned to the client computer with gateway pointing to the linux server with public ip for dns, any idea what goes wrong ?

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -s -o ens192 -j MASQUERADE  

Avatar of keith li
keith li
Flag of Hong Kong image


vim /etc/sysconfig/iptables  , can not see the entry i add for "iptables -A POSTROUTING -t nat -s -o ens192 -j MASQUERADE  "  , any idea?

User generated image
Avatar of matrix8086
The ideea is as follows:

What you type in the shell (command line) the change is not permanent. to do it permanent you should write the comands in the file configurations and reload the service.

For ex.: you shoul add

iptables -A POSTROUTING -t nat -s -o ens192 -j MASQUERADE
iptables -A FORWARD -i ens_lan -j ACCEPT

before the first REJECT in /etc/sysconfig/iptables and then restart iptables service: systemctl restart iptables

Also, you should disable firewalld:

systemctl stop firewalld
systemctl disable firewalld

and then enable iptables

systemctl enable iptables
systemctl start iptables

check this tutorial:
The above works, but when I reboot the Linux, the client computer can not access to Internet, any idea ?
when i start the iptables i received below error

User generated image
Usually the /etc/sysconfig/iptables is not updated until /etc/init.d/iptables save is run.

You will be shown usage of the service.

-A adds the line at the end if you gave a explicit deny when you start, the new one will be added below it and will never be evaluated.

Iptables -L --line-numbers will include line numbers for each chain which you can use with the -I option

iptables -t filter -I INPUT 4 ...

The above will add the specified rule as line number four of the INPUT chain.

Some can be simplified through the use of your own defined chains that are then added into the applicable predefined chains in the manner you wish them applied.  The benefit is that you add a rule to your chain and thus implement it as you need it which often needs to have rules added to at least two chains input/forward ....
sorry i'm new in linux, so that i need to put   " /etc/init.d/iptables "  to save the config ?  how about the command for " iptables-save > /etc/sysconfig/iptables" , i have typed that, and doesnt work after the reboot, are they work differently ?
I tend to use the command I outlined.

Pages you use iptable -A you make changes in real time to the running firewall configuration to comit the changes you would run /etc/init.d/iptables save which will update the /etc/sysconfig/iptables to include the changes you made.

The reason you should not be modifying iptables directly is that an error there will not manifest nor can be cleared by a reboot.
sorry I can not find iptables in below path, do you mind to tell me in simple way what command I need to type ? sorry I,m really new in Linux, any help would be appreciate !
This is what my iptables look like from /etc/sysconfig/iptables

User generated image
The two lines:
-A FORWARD -i ens224
-A FORWARD -i ens192

do you actually have these interfaces (ifconfig -a)

try the following,
service iptables
does it give you a list of arguments start, stop, restart, reconfig, reload, save?
service iptables save will handle the save of the current rules so that they will be set on restart.

See whether you can mange firewall rules within webmin.
Also see whether you have system-config-firewall or system-config-firewall-tui
The tui runs in ASCII/ANSI terminal and does not need a graphical redirect as the system-config-firewall does.
yum search system-config
Will provide a list of tools that RHEL includes to manage different aspects of the system.
Hi arnold

                i have the 2 interfaces, and i could use "service iptables save", and in webmin I could manage the firewall,

User generated image
User generated image
User generated image
just try to reboot, my client pc can not even ping the Linux 7, I need to go back to the previous snapshot from vm in order to access back to internet,
Not sure what happened in between.

At this point, you have the way to save the changes you make.
Now this system is being used to provide internet connection to the LAN?
I.e. this linux VM will function as a router?
I think getting sidetracked here.
firewall-cmd --query-masquerade
firewall-cmd --zone=eth4 --add-masquerade --permanent
Did you disabled the firewalld? You cannot have firewalld and iptables. IN RHEL7 the iptables is disabled by default and the default firewall is firewalld. You shoud decide which one you want to use!
Yes this vm is acting as router, and I have disabled the firewalld and stop the firewalld already, and enable and start the iptables, just no idea why everytime the Linux reboot, it can not share the internet connection in lan pc
For price of RHEL7 you can buy car trunk full of home routers capable of saving configuration as you set it.
Did you tried iptables-save after you setup iptables? After restart, if you type iptables-restore conf_file, internet sharing connection works?
To manage the function as a router, your best bet is to create chains.
You would need to place the chains on the incoming and PREROUTING and possibly DNAt to deal with allowing established traffic through the WAN interface into the NAT on the filter side or other external port forwarding rules.

You then will have a LAN_side Chain from the INPUT POSTROUTING nad or passible SNAT

You might want to consider looking at

It is a GUI tool that could help you manage your IPtable configuration to achieve the routing
Incoming traffic through the ens192 interface established, state or specific port destination.


Routing rules INPUT only one part of the path, you would then need to add the rule to the forward/prerouting/dnat depending on what it is you want the packet to get to.


the chain will apply to a specific interface using the -i ......
Thanks all of your reply, will try them out tonight, thanks !
it works after check the option button below, thanks all of your answers !
I have another issue, I have added a storage from VMware to the Linux 7 vm, and the folder call "storage" and already mounted to below path   /storage , and want to create a samba server in path "/storage/FTP"  see bottom screenshot, and it didn't work unless I create the folder in "/root"  ,   any idea ?

User generated image

User generated image
According to the guide I found from internet. it said it needs to create the directory from /root,  can I create the directory in /root/folder ?

User generated image
Usually, /root would not be a good location for this as /root is the administrative root user's folder with highly restrictive rights.

The root referenced in the link refers to the root

What repo, I think you might be mixing questions.  This one deals with configuring your rhel 7 as a router.
Please confirm.
the problem has been resolved for the reel 7 as a router, now i have a problem with the samba, i can not configure the samba is below path /root/storage/FTP , i could only configure the samba as /root ,
You should not be using /root as the basis of any share as that is the root's home directory.
/export and other paths are more suitable for that.  The issue is likely the permissions as well as selinux settings.
my mounted storage is now located in /storage/FTP , does it looks correct ?

User generated image
if I mounted the other folder such as "/media" it works, only the additional storage I mounted not work for samba,
User generated image

when I mounted the additional storage as "/storage/FTP" its doesn't work, but I used to mount like this in RHEL 6, its working fine !

User generated image
Avatar of arnold
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
type=CRED_REFR msg=audit(1431446829.737:129449): pid=28864 uid=0 auid=0 ses=607 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname= addr= terminal=ssh res=success'

[root@localhost ~]# more /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are pro
#     mls - Multi Level Security protection.

[root@localhost ~]# ls /etc/selinux/targeted/contexts/files/
file_contexts           file_contexts.homedirs.bin  file_contexts.subs
file_contexts.bin       file_contexts.local         file_contexts.subs_dist
file_contexts.homedirs  file_contexts.local.bin     media
shall I disable SELinux ?
it works perfectly after disabled the SELinux !!
You should not. SElinux is there to shield you/your system from certain issues.

There is a method to the madness where certain things need to be to work in a certain way or you have to take steps to adjust.

Going the route you have, you might as times progresses keep running into similar situation where you place/setup NFS/samba shares, or place other documents/services in paths where they do not belong. While when you are the sole controller of the system, you can make adjustments, you might run into a situation where you can not make the modifications as you have done at which point .......

It is a bad practice of using /root or any other user location as the basis for any share outside the Samba/Windows/AD type of an environment.
In various config files including smb.conf there is a reference to commands that should be run to authorize access for Selinux enabled systems.

Certain things should not be placed in certain location and adjusting the SELinux restrictions reduces the protection this feature offers.
thanks for your advise, I have another issue when installing proftpd proftpd-1.3.5, I cant find the proftpd.conf any idea ?

proftpd:[root@localhost proftpd-1.3.5]# whereis proftpd
proftpd:[root@localhost proftpd-1.3.5]#

I,m following this, but I cant find
User generated image
You should open a separate question for a separate issue.