RHEL7 Fedora as Network Router and Gateway

Hardware Requirements:

  • 2 Ethernet Network Cards: 1 for WAN; 1 for LAN
  • Optional Wireless Router for wifi

Software Requirements:

  • NIC Configuration Files
  • sysctl Kernel Parameters
  • Firewall Configuration
  • dhcpd Server

For the sake of clarity the two network cards will be called ifcfg-wan (WAN) and ifcfg-lan (LAN); make the necessary changes for your environment accordingly, e.g. eth0, ens1, enp0s77, etc., as I will not outline how to make naming changes for hardware devices.  The configuration files for the relevant network adapters/cards are located in /etc/sysconfig/network-scripts/ifcfg-wan and /etc/sysconfig/network-scripts/ifcfg-lan files.

First, make sure all the interfaces are "down" and the Ethernet cables are unplugged from both adapters.  Assuming you're not using NetworkManager, this can be accomplished on the command line with "ifdown wan" and/or "ifdown lan".

Next, check the system's network activity for open ports and close them all for now:

# netstat -untap

If all the interfaces are down there shouldn't be much activity anyway. 

NIC Configuration

Create or change the configuration files for the adapters as indicated by the following example, ensuring that you change the pertinent MAC and NETWORK addresses to suit your own environment:

##/etc/sysconfig/network-scripts/ifcfg-lan
DEVICE=lan
HWADDR=11:22:33:44:55:66
BOOTPROTO=none
ONBOOT=yes
NETMASK=255.255.255.0
IPADDR=192.168.1.3
NETWORK=192.168.1.0
NM_CONTROLLED=no

##/etc/sysconfig/network-scripts/ifcfg-wan
DEVICE=wan
HWADDR=11:22:33:44:55:66
BOOTPROTO=dhcp
ONBOOT=yes
NM_CONTROLLED=no

Next, make sure that the kernel parameters allow the following.  The current values can be checked with the "sysctl" tool, e.g.:

# sysctl -a | grep forward

(the other three keys can be queried the same way, e.g. "sysctl net.ipv4.tcp_syncookies")

net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0

To make these settings persistent across reboots, append the 4 lines above to the file "/etc/sysctl.conf".  To make the changes active immediately, execute:

# sysctl -p /etc/sysctl.conf

Plug the cable from your Modem/Gateway into the WAN-side NIC and execute:

# ifup wan

Once the NIC receives an address from your ISP's DHCP server, test it out:

# ping www.google.com
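The four parameters above are easy to get wrong on a box that has been hardened or rebuilt since, so it is worth auditing them rather than trusting the grep by eye.  The following script is an added example (not part of the original post): it compares a saved "sysctl -a" snapshot against the required values and reports any key that is missing or set differently.  The two snapshots it checks are constructed inline for the demonstration; on the router you would generate one with "sysctl -a > /tmp/sysctl.snapshot" and pass that path instead.

```shell
#!/bin/sh
# Added example, not from the original post: compare the four kernel
# parameters the post requires against a snapshot of "sysctl -a" output.
# The two snapshots below are constructed for the demonstration; on a real
# router generate one with "sysctl -a > /tmp/sysctl.snapshot" and pass it.

REQUIRED_SYSCTL='net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_source_route=0'

# check_sysctl_snapshot FILE
# Prints one line per parameter that is missing or has the wrong value and
# returns 0 only when every required parameter is set as required.
# Accepts both "key = value" (sysctl -a) and "key=value" (sysctl.conf) lines.
check_sysctl_snapshot() {
    file=$1
    bad=0
    for entry in $REQUIRED_SYSCTL; do
        key=${entry%%=*}
        want=${entry#*=}
        # escape the dots so sed treats the key literally
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(sed -n "s/^${esc}[[:space:]]*=[[:space:]]*//p" "$file" | head -n 1)
        if [ -z "$have" ]; then
            echo "$key: missing"
            bad=1
        elif [ "$have" != "$want" ]; then
            echo "$key: want $want, have $have"
            bad=1
        fi
    done
    return $bad
}

# sysctl_mismatch_count FILE -> number of required parameters not satisfied
sysctl_mismatch_count() {
    check_sysctl_snapshot "$1" | awk 'END { print NR }'
}

# Constructed snapshots: a hardened router, and one where forwarding is off
# and the syncookies entry is absent altogether.
GOOD_SNAPSHOT=$(mktemp)
BAD_SNAPSHOT=$(mktemp)
trap 'rm -f "$GOOD_SNAPSHOT" "$BAD_SNAPSHOT"' EXIT
cat > "$GOOD_SNAPSHOT" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
EOF
cat > "$BAD_SNAPSHOT" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
EOF

for snap in "$GOOD_SNAPSHOT" "$BAD_SNAPSHOT"; do
    if check_sysctl_snapshot "$snap"; then
        echo "$snap: all required parameters set"
    else
        echo "$snap: $(sysctl_mismatch_count "$snap") parameter(s) need attention"
    fi
done
```

Because the key is anchored at the start of the line and escaped, "net.ipv4.ip_forward" does not accidentally match "net.ipv4.conf.all.forwarding", and a key that is absent from the snapshot is reported separately from one that is merely set wrong.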

Firewall Configuration with firewalld

Let's separate the interfaces into different firewall zones:

# firewall-cmd --zone=public --add-interface=wan --permanent
# firewall-cmd --zone=internal --add-interface=lan --permanent

Add masquerading (NAT) to the WAN interface's zone:

# firewall-cmd --zone=public --add-masquerade --permanent

Make sure no services are listed as available and no ports are open in the WAN zone (add --permanent to inspect the saved configuration rather than the running one):

# firewall-cmd --zone=public --list-services
# firewall-cmd --zone=public --list-ports

To remove a service, e.g. SSH, do:

# firewall-cmd --zone=public --remove-service=ssh --permanent

Let's add the DHCP service to our LAN interface's firewall zone:

# firewall-cmd --zone=internal --add-service=dhcp --permanent

Reload the firewall for the permanent rules to take effect:

# firewall-cmd --reload

DHCP Server

Create or update the configuration file for the DHCP server that will serve dynamic IPs to our LAN

# vim /etc/dhcp/dhcpd.conf

default-lease-time 1400;
authoritative;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.155;
}

host yourhostnamehere {
    option host-name "yourhostnamehere";
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.3;
}

The above configuration tells the DHCP server to hand out dynamic IPs to LAN clients in the range 192.168.1.100 to 192.168.1.155. It also reserves a FIXED address, which MUST be outside the dynamic range, as a static IP for our server.

Now, copy /lib/systemd/system/dhcpd.service to /etc/systemd/system/dhcpd.service and append the name of your LAN interface to the ExecStart line:
# vim /etc/systemd/system/dhcpd.service

...
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid lan
...

Then enable the service, plug in the LAN cable if you haven't done so already, and restart the service:

# systemctl enable dhcpd.service
# systemctl restart dhcpd.service
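The rule that a reserved address must sit outside the dynamic pool is easy to break later when more reservations are added, and dhcpd will happily lease the same address twice if it does.  The script below is an added example (not part of the original post) that parses the "range" and "fixed-address" statements of a dhcpd.conf and flags any reservation that falls inside a pool.  It checks two configs constructed inline: the one from this post, and a deliberately broken variant with a reservation inside the pool.  On the router, pass /etc/dhcp/dhcpd.conf instead; the "printer" host and its MAC address are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check that every "fixed-address"
# in a dhcpd.conf lies outside every dynamic "range", which the post requires.
# Both configs below are constructed for the demonstration; on the router pass
# /etc/dhcp/dhcpd.conf instead.

# ip_to_int A.B.C.D -> the address as a decimal integer, so that addresses
# can be compared numerically.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# dhcpd_ranges CONF -> one "LO-HI" token per "range LO HI;" statement
dhcpd_ranges() {
    sed -n 's/^[[:space:]]*range[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]*;.*/\1-\2/p' "$1"
}

# dhcpd_fixed_addresses CONF -> one address per "fixed-address X;" statement
dhcpd_fixed_addresses() {
    sed -n 's/^[[:space:]]*fixed-address[[:space:]]\{1,\}\([0-9.]\{1,\}\)[[:space:]]*;.*/\1/p' "$1"
}

# check_fixed_addresses CONF
# Prints "ADDR overlaps range LO-HI" for every reservation that falls inside a
# dynamic range and returns 1 in that case; returns 0 when there is no overlap.
check_fixed_addresses() {
    conf=$1
    bad=0
    for fixed in $(dhcpd_fixed_addresses "$conf"); do
        f=$(ip_to_int "$fixed")
        for r in $(dhcpd_ranges "$conf"); do
            lo=$(ip_to_int "${r%-*}")
            hi=$(ip_to_int "${r#*-}")
            if [ "$f" -ge "$lo" ] && [ "$f" -le "$hi" ]; then
                echo "$fixed overlaps range $r"
                bad=1
            fi
        done
    done
    return $bad
}

GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
# The post's configuration: the reservation sits outside the .100-.155 pool.
cat > "$GOOD_CONF" <<'EOF'
default-lease-time 1400;
authoritative;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.155;
}

host yourhostnamehere {
    option host-name "yourhostnamehere";
    hardware ethernet 11:22:33:44:55:66;
    fixed-address 192.168.1.3;
}
EOF
# Constructed misconfiguration: a second reservation (invented host) inside the pool.
cat > "$BAD_CONF" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.155;
}
host printer {
    hardware ethernet aa:bb:cc:dd:ee:ff;
    fixed-address 192.168.1.120;
}
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_fixed_addresses "$conf"; then
        echo "$conf: reservations are outside the dynamic range"
    else
        echo "$conf: reservation(s) collide with the dynamic range"
    fi
done
```

The check compares addresses as integers rather than strings, so it still works when a pool spans a second octet boundary; it only understands the plain "range LO HI;" form, not the "range dynamic-bootp" variant.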

You should now have a working Internet-facing Gateway/router running on your RHEL7/Fedora18+ system.  As for the wifi side of your network, plugging in the cable from your LAN interface into the WAN port of a wifi router will allow the wifi router to handle that aspect of your network.
