This will be part 1 in a series of configuring CentOS/Red Hat 6 as a secured firewall. Though I am a huge fan of pfSense (which can be found here pfSense), I wanted to build my own from scratch. So, the first part of this series will consist of setting up PAT (or NAT overload for the Cisco geeks) on Linux.
The first step is to configure the network cards. In this scenario we will use eth0 as the WAN connection and eth1 as the LAN connection. Refer to the diagram below
| ISP - 192.168.1.1/30 | <--- | eth0(WAN) - 192.168.1.2/30 | --- NAT Server --- | eth1(LAN) - 192.168.2.1/24 | ---> Internal Network
Edit both the ifcfg-eth0 and the ifcfg-eth1 files located in /etc/sysconfig/network-scripts/, make sure both of the network cards are set to BOOTPROTO=”static”.
The second step is to setup IP forwarding which can be done by editing the /etc/sysctl.conf file and adding
net.ipv4.ip_forward = 1
You can then either reload the server or issue the ‘sysctl -p’ command. Once that command is run, you will see the output of the command and you should see ‘net.ipv4.ip_forward = 1’ in the output. You can also verify by running ‘cat /proc/sys/net/ipv4/ip_forward’ and it will return a ‘1’. If it returns a 0 then the command did not run correctly and you need to try again.
The last step is to set up masquerade with IPTABLES. As eth0 is your outside (or WAN) connection, run
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Connect a laptop to the eth1 NIC with a crossover cable, and statically set the IP address to 192.168.2.2/24 with the default gateway of 192.168.2.1. You should now be able to ping out of the LAN to the Internet. If successful run,
service iptables save
which will save the command to the /etc/sysconfig/iptables file when either the service or the server is reloaded.