RHEL as a router


Good Evening,
I am trying to configure RHEL 8 as a router. I have one interface facing the Internet with a static IP address assigned (eth_ext) and one interface (also with a static IP) facing the LAN (eth_int). I set net.ipv4.ip_forward = 1 and added the following rules:

firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth_ext -j MASQUERADE
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_int -o eth_ext -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth_ext -o eth_int -m state --state RELATED,ESTABLISHED -j ACCEPT

I still can't access the Internet from the second machine (which has only one NIC, connected to the same LAN).

Responses

Hi Tomasz,

We need more information.

a) Can the RHEL 8 server itself reach internet directly, and which protocols are allowed?

b) What protocol does the second machine use to reach the Internet?

c) What do firewall logs show about the connections from the second machine?

Regards,

Dusan Baljevic (amateur radio VK2COT)

a) Yes, RHEL can access the Internet directly. I cleared the firewall rules, leaving only the redirecting ones.

b) I tried sending ICMP Echo packets and they can reach the Internet (pinging sites like Google works), but DNS replies do not.

c) Tcpdump says that communication is working, but strangely DNS is not returning, as if it were blocked (even though I can't see any rule blocking it in iptables).

Hi Tomasz,

Hasn't firewall-cmd created a REJECT-all rule on top of all the other forwarding rules? The default setting seems to do so.

Regards,

Jan Gerrit Kootstra

I will have to take a look.

Another hint, which takes some time to apply:

Find out how libvirt creates the firewall rules for a masqueraded network and mimic it.

Part 1:

  • make a backup of the RHEL router
  • cleanup all firewall rules
  • install libvirt-daemon
  • install virt-manager
  • create a virtual network with Masquerading and check/write down the firewall changes made by libvirt.

Part two:

  • restore the RHEL backup
  • set up the firewall rules for your setup based on the way libvirt did it for the virtual network, replacing the "virtual bridge virbr#" NIC with your internal NIC.

# denotes a number.

Regards,

Jan Gerrit Kootstra

Hi Tomasz,

Jan gave you good pointers.

So, we now know that your RHEL 8 server acts as a router. It is just that something is blocking some types of traffic (like DNS).

Also, let's analyse your statement:

b) I tried sending ICMP Echo packets and they can reach the Internet (pinging sites like Google works), but DNS replies do not.
c) Tcpdump says that communication is working, but strangely DNS is not returning, as if it were blocked (even though I can't see any rule blocking it in iptables).

Which DNS server does the second server use? Can you provide:

  1. Contents of /etc/resolv.conf and /etc/nsswitch.conf.

  2. Results of dig tests via TCP and UDP connections to the DNS servers.

  3. Results of these tests on the RHEL 8 router:

~~~
resolvectl status
resolvectl statistics
~~~

  4. Operating system on the second server. If it is also RHEL 8, then provide results like in step 3 above...

Regards,

Dusan Baljevic (amateur radio VK2COT)

I am using a Fedora live image as a client to test the network before installing, since I would like to make it work first.

  1. Contents of /etc/resolv.conf and /etc/nsswitch.conf.

server: /etc/resolv.conf

~~~
# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4
~~~

server: /etc/nsswitch.conf

~~~
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
hosts:      files dns myhostname
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   sss
publickey:  files
automount:  files sss
aliases:    files
~~~

client: /etc/resolv.conf: 192.168.5.1 (IP address of the server)

client: /etc/nsswitch.conf

~~~
shadow:     files sss
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
publickey:  files
aliases:    files
~~~

  2. Results of dig tests via TCP and UDP connections to DNS servers.

server: dig +tcp - works; dig - also works

client: dig +tcp - connection refused; dig - connection timeout, no servers could be reached

  3. Results of these tests on the RHEL 8 router:

~~~
resolvectl
Failed to get global data: Unit dbus-org.freedesktop.resolve1.service not found
~~~

Hi Tomasz,

Based on your latest updates, we can conclude the following:

a) The RHEL 8 router uses Google public DNS servers (8.8.8.8 and 8.8.4.4).

b) The second server uses the RHEL 8 router as its DNS server (IP address 192.168.5.1).

To successfully use it, the RHEL 8 server MUST run some kind of DNS service itself. Options include BIND (named).

It looks to me like your RHEL 8 router is not configured as a DNS server.

If the RHEL 8 router is not meant to be an authoritative DNS server for any domain name, then simply set it up as a caching DNS server only, or, as an alternative, simply allow the second server to use the Google DNS servers directly.

Regards,

Dusan Baljevic (amateur radio VK2COT)
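The reasoning above, as an added check that is not part of the thread: given the client's resolv.conf, the router's own addresses and the router's listening sockets, decide whether each configured nameserver can work at all. All inputs are constructed to mirror the thread (client points at 192.168.5.1, router has no listener on port 53); the `ss` output format and the router's external address are assumptions.

```python
# Added example (not from the thread). All inputs are constructed to mirror it.
# Client's /etc/resolv.conf: it points at the router's internal address.
CLIENT_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 192.168.5.1\n"

# Router's headerless `ss -H -lntup` output: only sshd and the DHCP client, so
# nothing answers on 53/tcp or 53/udp. That matches the reported symptoms:
# "connection refused" over TCP (RST from a closed port) and a timeout over UDP.
ROUTER_LISTENERS = (
    'tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))\n'
    'udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("NetworkManager",pid=701,fd=20))\n'
)
ROUTER_ADDRS = {"192.168.5.1", "203.0.113.10"}  # eth_int, eth_ext (constructed)


def parse_nameservers(resolv_conf):
    """Return the nameserver entries from resolv.conf text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def parse_listeners(ss_output):
    """Return a set of (proto, port) from headerless `ss -lntup` lines."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5:  # field 4 is local addr:port; handles [::]:53 and *:53
            listeners.add((fields[0], int(fields[4].rsplit(":", 1)[1])))
    return listeners


def check_client_dns(resolv_conf, router_addrs, ss_output, ip_forward):
    """Classify each nameserver the client uses as (ns, 'ok'|'fail', reason)."""
    router_serves_dns = {("tcp", 53), ("udp", 53)} <= parse_listeners(ss_output)
    results = []
    for ns in parse_nameservers(resolv_conf):
        if ns in router_addrs and not router_serves_dns:
            results.append((ns, "fail", "router is the configured resolver but nothing "
                            "listens on 53: run a caching resolver or use an upstream"))
        elif ns in router_addrs:
            results.append((ns, "ok", "router answers DNS itself"))
        elif ip_forward != 1:
            results.append((ns, "fail", "net.ipv4.ip_forward is 0, nothing is routed"))
        else:
            results.append((ns, "ok", "upstream server via forwarding + MASQUERADE; "
                            "53/tcp and 53/udp must be accepted in FORWARD"))
    return results
```

Running `check_client_dns(CLIENT_RESOLV_CONF, ROUTER_ADDRS, ROUTER_LISTENERS, 1)` on the constructed inputs reports the single "fail" that the thread arrived at; the same function returns "ok" once the client is pointed at 8.8.8.8 with forwarding enabled.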

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth_ext -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth_int -o eth_ext -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth_ext -o eth_int -m state --state RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

You need to open every port you will be using through the router, because it is not only a router but also a firewall :-)

Welcome Raisal Kudilingal Hamza

It helps to put three tilde characters above and below the code text:

~~~

code

~~~

Then it appears such as:

[root@yoursystem] # firewall-cmd --permanent --direct  
<entire command not put here>

Kind Regards,
RJ

Thanks for the info, Done.

Cool, and thanks