[CentOS] Masquerading (packet forwarding) on CentOS 7

Thu Feb 19 10:58:50 UTC 2015
Niki Kovacs <info at microlinux.fr>

Hi,

I just migrated my office's server from Slackware64 14.1 to CentOS 7. So 
far everything's running fine, I just have a few minor details to work out.

I removed the firewalld package and replaced it by a simple Iptables script:


--8<----------------------------------------------------
#!/bin/sh
#
# firewall-lan.sh

IPT=$(which iptables)
MOD=$(which modprobe)
SYS=$(which sysctl)
SERVICE=$(which service)

# Internet
IFACE_INET=enp2s0

# Réseau local
IFACE_LAN=enp3s0
IFACE_LAN_IP=192.168.2.0/24

# Relais des paquets (yes/no)
MASQ=yes

# Tout accepter
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

# Remettre les compteurs à zéro
$IPT -t filter -Z
$IPT -t nat -Z
$IPT -t mangle -Z

# Supprimer toutes les règles actives et les chaînes personnalisées
$IPT -t filter -F
$IPT -t filter -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Désactiver le relais des paquets
$SYS -q -w net.ipv4.ip_forward=0

# Politique par défaut
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Faire confiance à nous-même
$IPT -A INPUT -i lo -j ACCEPT

# Ping
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Connexions établies
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH local
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

# SSH limité en provenance de l'extérieur
$IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state \
  --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state \
  --state NEW -m recent --update --seconds 60 --hitcount 2 \
  --rttl --name SSH -j DROP
$IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT

# DNS
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 53 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 53 -j ACCEPT

# DHCP
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 67:68 -j ACCEPT

# Activer le relais des paquets
if [ $MASQ = 'yes' ]; then
  $IPT -t nat -A POSTROUTING -o $IFACE_INET -s $IFACE_LAN_IP \
    -j MASQUERADE
  $SYS -q -w net.ipv4.ip_forward=1
fi

# Enregistrer les connexions refusées
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++"
$IPT -A INPUT -j REJECT

# Enregistrer la configuration
$SERVICE iptables save
--8<----------------------------------------------------

As you can see, the script is also supposed to handle IP packet 
forwarding (masquerading).

Once I run firewall-lan.sh manually, everything works as expected.

When I restart the server, Iptables rules are still the same. The only 
thing that's not activated is IP forwarding. So as far as I can tell, 
iptables rules are stored, but packet forwarding returns to its pristine 
state (not activated).

What would be an orthodox way of handling this? Put 
"net.ipv4.ip_forward=1" in /etc/sysctl.conf? Something else?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques 100% Linux et logiciels libres
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32