[NAT translation] Preparation for managing terminals with private IP under Linux server

I tried NAT conversion

As an exercise (task), connect one of the two PCs directly to the other, and connect the connected one to the Internet so that one is placed in a private space and the one that is not directly connected to the Internet is connected to the Internet. I tried to challenge something called "Seyo". The reason will be described later, but due to the number of LAN ports, Windows PCs are not directly connected to the Internet, and Linux PCs are directly connected to the Internet.


Give windowsPC a class C (192.168.x.x/24) IP address Assign a class C IP address to one of the Linux PCs and a class B (172.16.x.x / 16) IP address to the other A gateway (router) that connects directly to the Internet is given a class B IP address. Connect all of these to one with a LAN cable The port number for communication (such as port 80) is not considered now (will be considered later).

Assumed environment

What to prepare Details
WindowsPC The version is 10. Since there is only one LAN port, this time it will be a child
Linux server The version is CentOS 8. I use a machine with three LAN ports, but this time I use two of the three. This is the parent(The role of the gateway when viewed from the child)。
enp7s0 Electricity to the Internet side of the server's LAN port(packet)Interface name of the one that flows
enp6s0 Electricity to the Windows side of the server LAN port(packet)Interface name of the one that flows
Fixed IP address Assign an IP address that meets the prerequisites to each LAN port
Other equipment Equipment required for general network connections such as LAN cables, hubs, and routers

First, try it on a physical machine.

There is a lot of information about NAT translation, but all of them are based on virtual machines. Because normally you don't do this on a physical machine. (Probably)

However, by connecting with a physical machine, it may be relatively easy to do the same thing with a virtual machine. I thought, so I would like to record it.

Where to do NAT translation

In CentOS (I don't know anything else), the firewall manages NAT translation.

Before version 6, it seems that the rules were set using iptables. This article was very helpful.

Firewall made with Linux [NAT settings] 1/2 Firewall made with Linux [NAT settings] 2/2

However, in CentOS 7 or later, it seems that rules are managed by a mechanism called firewalld instead of iptables. There was no such file as "iptables", which is reasonably used extensively in the article.

Perform NAT translation using firewalld

With reference to this article, I wrote the settings for IP masquerade.

IP masquerade settings on CentOS 7.x Firewalld: IP Masquerade Settings

First, in the default state, zone is only public (it shouldn't be!), So set enp7s0 to external (outside), enp6s0 to internal (inside), and so on. Let's use NetworkManager for this.

# nmcli connection modify enp7s0(Interface name) connection.zone external
# nmcli connection modify enp6s0(Interface name) connection.zone internal

Next, change the firewalld settings while being aware of each zone. When changing the firewalld settings, basically su should be the root user. (Some operations cannot be done with sudo)

# firewall-cmd --zone=external --add-masquerade --permanent

This will give you the IP masquerade required for NAT translation. (In the case of iptables, this is all that I had to add various settings to the NAT table. The power of science is amazing!)

By the way, in the case of CentOS8, it seems that IP masquerade is on by default, so you may want to check it before typing the command.

# firewall-cmd --list-all --permanent --zone=external

If it says masquerade: yes, it's OK.

Next, I will add a few rules. (It doesn't seem to be required at this time.)

# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp7s0 -j MASQUERADE
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp6s0 -o enp7s0 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp7s0 -o enp6s0 -m state --state RELATED,ESTABLISHED -j ACCEPT

The first is the POSTROUTING setting. NAT translation is a movement to rewrite the IP address of the header information, POSTROUTING is a rule setting when manipulating the source information. IP masquerade when going out of the server to the internet.

The second rule is to allow packets coming from the enp6s0 side (the side where the Windouws PC is located), which is the network space, to flow to enp7s0.

Finally, we added a rule that allows reverse orientation, which allows LAN ports on Linux PCs to communicate with each other in different IP classes.

Once the NAT translation rules are set, match the IP address well.

After that, confirm the IP address so that you do not mistake the segment between the private spaces and the space with the parent or gateway, and complete.

from now on

In the future, we will use virtual machines to create a design in which multiple units are hung under the server instead of one. I would like to write about what will change and how it will change if I have the opportunity.

Recommended Posts

[NAT translation] Preparation for managing terminals with private IP under Linux server