CentOS Outbound NAT (PART 13)

Lab 13: Outbound NAT

References: http://www.howtoforge.com/nat_iptables

NAT is Network Address Translation. It allows computers on the internal LAN to reach the Internet through the firewall: when a LAN computer accesses the Internet, the firewall rewrites its private source address (10.0.0.x) to the public address 216.123.169.85, and translates the replies back.

1/ Configurations:

You can perform a text-mode GUI setup by running the setup command. (This is for your reference only; you do not need to do this.) After entering the setup command, choose:

Firewall
Turn on FW
Customize
Trust both eth0 and eth1
Remove all packages
Click OK. 
Quit.

To list the current iptables rules, type the command:

iptables -L

2/ Turn on the NAT
There are some prerequisites that must be satisfied before anything works.
Verify that you have two network cards by entering the following command (the result should be 2):

ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l

Make sure eth0 has the public IP address:

cat /etc/sysconfig/network-scripts/ifcfg-eth0

The result should be:

DEVICE=eth0
BOOTPROTO=none
BROADCAST=xx.xx.xx.255        # Optional Entry
HWADDR=00:50:BA:88:72:D4        # Optional Entry
IPADDR=216.123.169.85
NETMASK=255.255.255.0        # Provided by the ISP
NETWORK=216.123.169.0       # Optional
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=xx.xx.xx.1            # Provided by the ISP

3/ Check eth1 for LAN

cat /etc/sysconfig/network-scripts/ifcfg-eth1

The result should be:

BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05       # Optional 
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.255.0            # Specify based on your requirement
BROADCAST=""
IPADDR=10.0.0.1                # Gateway of the LAN
NETWORK=10.0.0.0            # Optional
USERCTL=no
ONBOOT=yes

4/ Check Host configurations

cat /etc/hosts

Result should be:

127.0.0.1       nat localhost.localdomain   localhost

5/ Check gateway configurations

cat /etc/sysconfig/network

Result should be:

NETWORKING=yes
HOSTNAME=nat
GATEWAY=216.123.169.1    # Internet Gateway, provided by the ISP

6/ Check DNS Config

cat /etc/resolv.conf

The result should be:

nameserver 10.0.0.2      # Primary DNS Server
nameserver 8.8.8.8        # Secondary DNS Server
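The checks in steps 2 to 6 can be scripted so they are repeatable. The following is an added example and not part of the original lab: it reads the ifcfg files, /etc/sysconfig/network and resolv.conf and reports anything that does not match the layout shown above. The files it creates under temporary directories are constructed copies of the lab's values (plus one deliberately broken copy) so that the script runs on any machine; on the real NAT box you would call check_nat_prereqs /etc/sysconfig /etc/resolv.conf instead.

```shell
#!/bin/sh
# Added example, not the lab's own code: verify the NAT box prerequisites
# (steps 2-6) from the configuration files rather than by eye.

# Print the value of KEY from an ifcfg-style file (KEY=value lines), with
# surrounding quotes and any trailing "# comment" removed.
ifcfg_get() {
    # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" \
        | sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//' \
        | head -n 1
}

# Check one interface file; prints each problem and returns 0 only if clean.
check_ifcfg() {
    # $1 = file, $2 = expected DEVICE, $3 = expected IPADDR
    _ifrc=0
    [ "$(ifcfg_get "$1" DEVICE)" = "$2" ]      || { echo "$1: DEVICE is not $2"; _ifrc=1; }
    [ "$(ifcfg_get "$1" IPADDR)" = "$3" ]      || { echo "$1: IPADDR is not $3"; _ifrc=1; }
    [ "$(ifcfg_get "$1" BOOTPROTO)" = "none" ] || { echo "$1: BOOTPROTO should be none (static address)"; _ifrc=1; }
    [ "$(ifcfg_get "$1" ONBOOT)" = "yes" ]     || { echo "$1: ONBOOT should be yes"; _ifrc=1; }
    [ -n "$(ifcfg_get "$1" NETMASK)" ]         || { echo "$1: NETMASK is missing"; _ifrc=1; }
    return $_ifrc
}

# Whole-box check: two NICs, eth0 on the public address, eth1 as the LAN
# gateway, the default route on the public subnet, and a nameserver present.
check_nat_prereqs() {
    # $1 = sysconfig directory (holds network-scripts/ and network), $2 = resolv.conf
    _rc=0
    _nics=$(ls "$1"/network-scripts/ifcfg-eth* 2>/dev/null | wc -l | tr -d ' ')
    [ "$_nics" -ge 2 ] || { echo "expected 2 network cards, found $_nics"; _rc=1; }
    check_ifcfg "$1/network-scripts/ifcfg-eth0" eth0 216.123.169.85 || _rc=1
    check_ifcfg "$1/network-scripts/ifcfg-eth1" eth1 10.0.0.1       || _rc=1
    case "$(ifcfg_get "$1/network" GATEWAY)" in
        216.123.169.*) ;;
        *) echo "$1/network: GATEWAY is not on the public 216.123.169.0/24 subnet"; _rc=1 ;;
    esac
    grep -q '^nameserver ' "$2" || { echo "$2: no nameserver entries"; _rc=1; }
    return $_rc
}

# --- Constructed sample files (values copied from the lab) so this runs offline ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/network-scripts"
cat > "$SAMPLE_DIR/network-scripts/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=none
IPADDR=216.123.169.85
NETMASK=255.255.255.0        # Provided by the ISP
ONBOOT=yes
EOF
cat > "$SAMPLE_DIR/network-scripts/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=none
IPADDR=10.0.0.1                # Gateway of the LAN
NETMASK=255.255.255.0
BROADCAST=""
ONBOOT=yes
EOF
printf 'NETWORKING=yes\nHOSTNAME=nat\nGATEWAY=216.123.169.1    # Internet Gateway\n' > "$SAMPLE_DIR/network"
printf 'nameserver 10.0.0.2\nnameserver 8.8.8.8\n' > "$SAMPLE_DIR/resolv.conf"

# A constructed broken copy: a dot missing from the ISP gateway and eth1 not
# starting at boot, the kind of slip that leaves the LAN with no Internet.
BROKEN_DIR=$(mktemp -d)
cp -R "$SAMPLE_DIR/." "$BROKEN_DIR"
printf 'NETWORKING=yes\nHOSTNAME=nat\nGATEWAY=216123.169.1\n' > "$BROKEN_DIR/network"
printf 'DEVICE=eth1\nBOOTPROTO=none\nIPADDR=10.0.0.1\nNETMASK=255.255.255.0\nONBOOT=no\n' \
    > "$BROKEN_DIR/network-scripts/ifcfg-eth1"

check_nat_prereqs "$SAMPLE_DIR" "$SAMPLE_DIR/resolv.conf" && echo "sample config: OK"
check_nat_prereqs "$BROKEN_DIR" "$BROKEN_DIR/resolv.conf" || echo "broken config: problems found (expected)"
```

The expected addresses are hard-coded from the lab; on a different network change the arguments to check_ifcfg and the subnet pattern in the case statement.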

7/ NAT configuration with IP Tables

# Delete and flush. The default table is "filter"; other tables such as
# "nat" must be named explicitly with --table.
iptables --flush                      # flush all rules in the filter table
iptables --table nat --flush          # flush all rules in the nat table
iptables --delete-chain               # delete user-defined chains in filter
iptables --table nat --delete-chain   # delete user-defined chains in nat

# Set up IP forwarding and masquerading: packets leaving on the public
# interface eth0 get their source rewritten to eth0's address, and traffic
# arriving from the LAN on eth1 is allowed to be forwarded.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# Replies from the Internet are forwarded back to the LAN only for
# connections the LAN opened (needed if the FORWARD policy is DROP).
iptables --append FORWARD --in-interface eth0 --out-interface eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable packet forwarding in the kernel now, and make it survive a reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

# Save the running rules to /etc/sysconfig/iptables so the iptables service
# restores them at boot. "service iptables restart" reloads that file, so
# the save must come first or the rules just added are lost.
service iptables save
service iptables restart
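Once step 7 has been applied, it is worth checking the resulting rule set instead of trusting that every command ran. The following is an added example and not part of the original lab: it audits iptables-save output captured to a file (so it works without root and offline) for the two rules the lab creates, flags a MASQUERADE rule that is not bound to the public interface (an unbound one also rewrites the source of packets forwarded out of the LAN side), and checks the kernel forwarding switch. The rule dumps and sysctl files below are constructed; on the real NAT box run iptables-save > /tmp/rules.txt and pass that file together with /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# Added example, not the lab's own code: audit an iptables-save dump for the
# outbound NAT rules from step 7 and for kernel forwarding.

# $1 = file with iptables-save output, $2 = public interface, $3 = LAN interface
# Prints each problem found; returns 0 only when the rule set looks right.
audit_nat_rules() {
    _arc=0
    if grep -q -- '^-A POSTROUTING .*-j MASQUERADE' "$1"; then
        # MASQUERADE must be tied to the public interface; without -o it also
        # rewrites packets forwarded out of the LAN interface.
        grep -- '^-A POSTROUTING .*-j MASQUERADE' "$1" | grep -q -- "-o $2 " \
            || { echo "$1: MASQUERADE is not restricted to --out-interface $2"; _arc=1; }
    else
        echo "$1: no MASQUERADE rule in the nat POSTROUTING chain"; _arc=1
    fi
    grep -q -- "^-A FORWARD -i $3 -j ACCEPT" "$1" \
        || { echo "$1: LAN traffic entering on $3 is not accepted in FORWARD"; _arc=1; }
    return $_arc
}

# $1 = path of the ip_forward sysctl file (normally /proc/sys/net/ipv4/ip_forward)
# Returns 0 when forwarding is enabled, 1 when it is off or the file is unreadable.
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# --- Constructed sample dumps in iptables-save format, so this runs offline ---
GOOD_RULES=$(mktemp)
cat > "$GOOD_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
EOF

# Constructed slip: MASQUERADE without --out-interface and no FORWARD rule.
BAD_RULES=$(mktemp)
cat > "$BAD_RULES" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF

# Constructed stand-ins for /proc/sys/net/ipv4/ip_forward
IPFWD_ON=$(mktemp);  echo 1 > "$IPFWD_ON"
IPFWD_OFF=$(mktemp); echo 0 > "$IPFWD_OFF"

audit_nat_rules "$GOOD_RULES" eth0 eth1 && echo "good rule set: OK"
audit_nat_rules "$BAD_RULES" eth0 eth1 || echo "bad rule set: problems found (expected)"
check_ip_forward "$IPFWD_ON" && echo "ip_forward on: LAN packets are routed"
check_ip_forward "$IPFWD_OFF" || echo "ip_forward off: LAN packets are dropped (expected for the sample)"
```

The interface names are passed as arguments so the same audit can be reused when the public side is not eth0; passing them the wrong way round is reported as a failure rather than silently accepted.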

 
8/ Test on Windows Client
On a Windows client, type

ipconfig /all

Check the IP address (in this case it is 10.0.0.111).
Check that the secondary DNS server is 8.8.8.8.
Check that the default gateway is 10.0.0.1.

9/ Clear any proxy settings on the client.
Try to access a web page such as cnn.com; the access should succeed.
Ping google.com; the ping should succeed.