CentOS iptables NAT, client cannot connect to WAN from LAN

Question

I have the following configuration:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:4c:68:31:a8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global enp2s0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:4cff:fe68:31a8/64 scope link 
       valid_lft forever preferred_lft forever
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:4c:68:31:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.130/24 brd 192.168.1.255 scope global noprefixroute dynamic enp3s0
       valid_lft 85920sec preferred_lft 85920sec
    inet6 fe80::b8df:4b68:a402:677c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

enp3s0 is WAN
enp2s0 is a local network connected to a client pc.

I want to make it so the client can access the internet. At the moment the client connected to enp2s0 can ping the server and visa versa.

I have run the command

echo 1 > /proc/sys/net/ipv4/ip_forward

and ensured it has been set and have been following the instructions here: https://www.revsys.com/writings/quicktips/nat.html

sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A FORWARD -i enp3s0 -o enp2s0 -m state  --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enp2s0 -o enp3s0 -j ACCEPT

I have reconnected the client (not sure this is necessary) and tried to connect beyond the server:

$ ping google.com
ping: google.com: Temporary failure in name resolution

$ ping 8.8.8.8
connect: Network is unreachable

Other tutorials suggest only running the first line sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE. I tried connecting before running the second two steps and it was no different.

Is there something else I need to do to create the NAT so that the client can access the internet?

edit: The default route is also correct:

$ ip route
default via 192.168.1.1 dev enp3s0 proto dhcp metric 100 
169.254.0.0/16 dev enp2s0 scope link metric 1002 
192.168.1.0/24 dev enp3s0 proto kernel scope link src 192.168.1.130 metric 100 
192.168.3.0/24 dev enp2s0 proto kernel scope link src 192.168.3.1

The output of iptables -L is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_public (3 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (3 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_public (3 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

Can you please add the routing table of the client, `ip route`? The above looks like the routing table of the gateway. — Thomas, Nov 11 '18 at 09:34

Michael Hampton · Accepted Answer · 2018-12-04T05:48:19.343

2

You need to ignore and undo the changes you made based on obsolete tutorials.

You're using CentOS 7 with firewalld, so all you need to do is to tell firewalld to enable masquerading on the zone corresponding to your external interface.

firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 masquerade' [--permanent]

(See why I do not recommend using --add-masquerade)

You also need to assign the internal interface to a different zone other than public. Edit /etc/sysconfig/network-scripts/ifcfg-enp2s0 and set ZONE=internal or some other zone.

edited Dec 04 '18 at 05:48

answered Nov 10 '18 at 18:38

Michael Hampton

237,123
42
477
940

Thanks, I've tried that: Added ZONE=internal, ran firewall-cmd as above. I tried reloading network.service, flushing iptables and it didn't have any effect. I rebooted to clear iptables and force everything to reload, re-ran firewall-cmd as above, ran firewall-cmd --reload and still have the same issue. At least I know to look for a more up to date tutorial. – Tom B Nov 10 '18 at 20:13
It turned out that I also needed firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i enp2s0 -j ACCEPT – Tom B Nov 11 '18 at 10:39

CentOS iptables NAT, client cannot connect to WAN from LAN

1 Answers1

Linked