Route, NAT, and Transparent Proxy, with CentOS Linux – Part 2

CentOS Routing and Proxy Cont.

In the previous article, I covered installing CentOS server and converting it to a router, address translator, and transparent proxy. I also covered installing a DHCP server to serve IP addresses to the interior local network. The entire process was recorded in a series of video tutorials (see previous article) and posted to YouTube.

Now that we have configured the iptables forwarding rules, manually configured our interfaces with IP addresses, as well as the default gateway and our DNS nameservers we need to save our configurations. We also need to cover installing BIND and having our CentOS server function as a DNS server as well.


Saving your iptables configuration

You can use terminal line commands to make changes to iptables which will instantly effect the linux firewall. This is similar to the difference between a Cisco router’s startup-config file and its running-config in RAM. Changes to the running-config take effect immediately but are not permanent unless saved to the startup-config. This is a similar scenario with iptables. If you have made changes to iptables using iptables terminal commands, it will directly effect the Linux firewall, but the changes will not be permanent unless they are saved to the iptables configuration file.

There are different approaches to making changes to iptables: the approach we have been using so far is to make the changes to the iptables directly, using terminal commands; another approach is to save a test iptables configuration file and then load it, to test it out. Since we have been using the first approach we need to save our configuration to a file and then replace the default iptables configuration file. Before you replace the default file it is a good idea to create a backup. This command will take the current running iptables configuration which we have manipulated and altered, and save it to a .conf text file. You can save it to the root home folder.
iptables-save > iptables.conf

Now cat your saved iptables.conf file to look it over.
cat iptables.conf

The first command listed below makes a backup of the original default iptables configuration file, and the second command replaces the iptables configuration file with the current configuration, that was just saved as iptables.conf. Now, if the computer needs to be restarted the new configuration will be maintained.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
mv iptables.conf /etc/sysconfig/iptables

{loadposition adposition6}You may decide that it is smarter and safer to make changes to the Linux iptables firewall indirectly, by editing a test iptables.conf file before testing it out on the actively running iptables firewall. In this way, you make all your changes to the iptables.conf file and then load it to memory, instead of using iptables terminal commands to experiment with your running configuration and possibly compromise your security or disrupt your network users. With the following commands you save the current iptables to an iptables.conf text file, then edit it with a text editor, then restore it to a running state in active memory. The iptables-restore command is a beneficial command because it loads the edited config file to the running iptables without disrupting the service and potentially dropping the running network host connections.
iptables-save > iptables.conf
nano iptables.conf (edit the iptables.conf configuration file)
iptables-restore < iptables.conf  (load the edited iptables.conf file to the running iptables) 
mv iptables.conf /etc/sysconfig/iptables
(replace the iptables configuration file with the edited version)

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 7
Saving manual network interface configurations

A regular desktop installation of CentOS Server comes with the Network Manager program. Network Manager is a graphical management tool used to manage and configure network interfaces in an easy way. It was personally recommended to me to not use the Network Manager, but instead manually configure my network interfaces, meaning Ethernet ports with IP addressing, subnet masks, default gateway address, and DNS servers. Like with iptables, you can manually configure your network interfaces using terminal line commands, but if you restart the server your configurations will not be saved. In order to configure your network interfaces in a manner that will persist, you need to configure the network interface configuration files or scripts.
ls /etc/sysconfig/network-scripts/

You should see configuration files named ifcfg-eth0, ifcfg-lo, or some other variant of ifcfg-<name> where <name> refers to the network interface name. To inspect the interface configuration you can output the text of the config file using cat
cat ls /etc/sysconfig/network-scripts/ifcfg-eth0

You will see some output like the following:
DEVICE=”eth0″
NM_CONTROLLED=”yes”
ONBOOT=”no”
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no

This information tells us that Network Manager is managing the interface, the interface is not activated by default when the system boots up, and that the system is using DHCP to acquire an IP address. In order to manually configure the network interface you will need to change these settings and add some additional settings as well. Before you change the settings of the interfaces it is a good idea to create backup configuration files.
cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
cp /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth1.bak

Now you can configure your interfaces by altering the configuration files in a text editor like Vim or Nano
nano /etc/sysconfig/network-scripts/ifcfg-eth0

{loadposition adposition7}Now alter and add the necessary settings and IP addressing for your outside interface. In my eth0 example below, I am on the 192.168.2.0/24 network using a static IP address of 192.168.2.98, a twenty four bit subnet mask, and a gateway located at 192.168.2.1. Changes are displayed in red:
DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.2.98  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.2.1

IPV4_FAILURE_FATAL=yes
IPV6INIT=no
<addtional entries not listed>

Save the interface configuration file and exit.

On the inside network interface (in my case eth1), I used the following settings:
DEVICE=”eth1″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0

Save the interface configuration file and exit. Now you can issue the following commands to verify your interface configurations and your default route
ifconfig
route

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 8


Manual Configuration of Network Interfaces for Trunking and VLANs

At the time of writing this article, the network manager in CentOS does not allow you to configure a network interface with subinterfaces, VLANs, and trunking. In order to configure a single network interface to function as multiple subinterfaces which allow VLANS over a trunked link you need to manually configure your network interface configuration file.

In the following scenario suppose you have one network interface eth0 and you want your router to function as a transparent proxy and a router separating an interior network from an exterior network. In the image below you can see how this would logically be arranged in the logical topology, you have the 192.168.111.0/24 network on the interior LAN side, and the 192.168.11.0/24 network on the exterior facing WAN side, of course 192.168.11.0/24 is also in a private network address range, but it is on the side of the CentOS server that is closest to the internet. However, in reality you happen to be physically limited by having only one network interface (eth0) and will therefore need to convert the one interface into multiple subinterfaces with VLANs for a trunked link (Physical Topology).

 

Looking at the physical topology in the diagram above, the CentOS server has transformed a single network interface eth0 into eth0.11 and eth0.111 for VLAN11 and VLAN111 respectively. From there the server is connected to the switch which has been configured as a trunk to allow VLAN11 and VLAN111.

Here are the commands and configuration settings needed to configure the CentOS server to fit with the scenario depicted in the diagram above. The first step is to back up your default or current network interface configuration file. THen copy the configuration file and rename it for both of the subinterface VLANs:
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.bak
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.11
cp /etc/sysconfig/network-scripts/eth0 /etc/sysconfig/network-scripts/eth0.111

Now you will need to edit all three of your configuration files ifcfg-eth0, ifcfg-eth0.11 and ifcfg-eth0.111 in turn with a text editor like vi, vim, or nano. In configuring ifcfg-eth0 you will only need to make sure that the interface is activated on startup, and that the interface is not managed by the network manager:
vim /etc/sysconfig/network-scripts/ifcfg-eth0

  DEVICE=”eth0″
NM_CONTROLLED=“no”
ONBOOT=“yes”
TYPE=Ethernet

For the inside interface, the LAN side of the router (in the diagram VLAN111 eth0.111), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting. The default gateway and DNS settings will be configured on the outside facing interface.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.111

DEVICE=”eth0.111″
HWADDR=”00:0C:29:12:AE:75″
NM_CONTROLLED=“no”
ONBOOT=“yes”
IPADDR=192.168.111.1  //the IP address for your inside interface. I chose “.1” since I am the gateway for the inside network
NETMASK=255.255.255.0
VLAN=”yes”

For the outside facing interface, the WAN side of the router (in the diagram VLAN11 eth0.11), you will mainly need to change the interface name, the ipaddress, netmask, add a VLAN setting and add the default gateway and DNS settings.
vim /etc/sysconfig/network-scripts/ifcfg-eth0.11

 DEVICE=”eth0.11″
NM_CONTROLLED=”no”
ONBOOT=”yes”
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPADDR=192.168.11.100  <whatever IP address your outside interface needs to be set at>
NETMASK=255.255.255.0
GATEWAY=192.168.11.1
DNS=127.0.0.1  <if your CentOS server will not be running DNS services, use your normal DNS server address instead>

Note: For a demonstration of this tutorial, see the video below: Use CentOS Linux for Routing, Proxy, NAT, DHCP – Part 9



Video Tutorials

 In part 7, I demonstrate how to save your iptables configuration and make it permanent

In part 8, I manually configure and save the Ethernet network interfaces, IP addresses and gateway address

In part 9, I manually configure a single network interface to be multiple subinterfaces in order to support VLANs and trunking 

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published. Required fields are marked *