CentOS Router Configuration for a Web Server
I wanted to follow up a previous post, where I described the process of configuring a CentOS router for the intention of creating a separate, internal LAN. There we simply deployed a router to separate an external WAN from our LAN and configured the router to pass along all traffic between the two interfaces.
This time I wanted to deploy a router for the purpose of serving content from an internal web server, to an external LAN or WAN.
While this is something that I used recently for a local hackathon, I believe it has greater “real world” application, and can be modified only slightly to accommodate the deployment of other services or applications.
For this demonstration we’ll be using external network 172.18.0.0/16 and internal network 192.168.6.0/24. The router’s external network adapter will occupy address 172.18.13.6 and the internal will occupy address 192.168.6.1.
Please feel free to adjust you network addresses as you see fit, and as required by your network topology.
CentOS Router Configuration
We’ll be using a two network adapter setup for our CentOS router; one for the internal network, and the other for the external. Network Address Translation (NAT) will be configured on the router, as well, to handle incoming traffic from the external adapter to the internal LAN.
Step One – Configuring the External Adapter (eth0)
Network interface configuration files for CentOS can edited within:
The external adapter (eth0) configuration file should look something like this. Be sure to specify the BOOTPROTO, ONBOOT, IPADDR, NETMASK, & ZONE.
TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=eth0 UUID=2e4eb124-bfe2-45de-aca8-9ae3f5fa487b DEVICE=eth0 ONBOOT=yes IPADDR=172.18.13.6 NETMASK=255.255.0.0 ZONE=external DNS1=22.214.171.124
Step Two – Configuring the Internal Adapter (eth1)
Ensure the configuration file for the internal adapter looks similar to below. Again, edit all the relevant fields as was done above, and be sure to include a gateway that matches the address of the external adapter.
TYPE=Ethernet PROXY_METHOD=none BROWSER_ONLY=no BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_ADDR_GEN_MODE=stable-privacy NAME=eth1 UUID=b3804ef1-084f-45f3-b352-4bf83ed171ba DEVICE=eth1 ONBOOT=yes IPADDR=192.168.1.6 NETMASK=255.255.255.0 GATEWAY=<IP address of NAT adapter / eth0> ZONE=internal
Step Three – Restart Network Service
sudo systemctl restart network
Step Four – Enable IPv4 Forwarding
In order for this all to work, we of course must enable IP forwarding on the CentOS machine. That can be done by executing the following line:
sudo echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/ip_forward.conf
And to activate IPv4 forwarding immediately, execute the following:
sudo sysctl -p /etc/sysctl.d/ip_forward.conf
Step Five – Firewalld Configuration
Now, we can begin shaping the Firewalld rules to enable NAT between our network adapters and forward all traffic bound for TCP port 80 & 443 to our internal web server.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE 255.255.0.0/16 firewall-cmd --change-interface=eth0 --zone=external --permanent firewall-cmd --set-default-zone=internal --permanent firewall-cmd --complete-reload sudo systemctl restart network && systemctl restart firewalld firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.6.5 --permanent firewall-cmd --zone=external --add-forward-port=port=443:proto=tcp:toport=443:toaddr=192.168.6.5 --permanent
Step Six – Restart Network and Firewall Services
sudo systemctl restart network && sudo systemctl restart firewalld
Configuration of Internal Web Server
Simply all that is left to do is to ensure the working internal web server’s network adapter is properly configured.
Ensure the network adapter is statically configured for IP address 192.168.6.5 (or whatever your network topology requires) and ensure the gateway is configured pointing to your internal router; in this case 192.168.6.1.
The router should now be configured! To test the setup you can try to access the internal web server’s content from a machine on the external network (172.18.0.0/16, in this case).
As you can probably see, this setup can easily be modified to accommodate the deployment of additional internal services (SSH, FTP, etc.) quite simply by adding additional port-forwarding rules.