MASQUERADE

-----

How to configure an iptables MASQUERADE rule for a set of secondary IP addresses

WAN = eth0 with public IP    202.22.22.1

LAN = eth1 with private IP   192.168.1.1

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface eth1 -j ACCEPT

CentOS/RHEL 6

 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 service iptables restart

CentOS/RHEL 7

 firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s 192.168.1.0/24

 systemctl restart firewalld

echo 1 > /proc/sys/net/ipv4/ip_forward

OR

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

sysctl -p

service iptables restart

         ------------------------X-----------------------------------

############### LAN to WAN Masquerading and Forwarding ################

iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables --append FORWARD --in-interface eth1 -j ACCEPT

############## Block SSH & DNS Requests from WAN Eth0 ##################

# iptables ! -s 192.168.1.1/24 -A INPUT -i ppp0 -p tcp --dport 22 -j DROP

iptables ! -s 192.168.1.1/24 -A INPUT -i ppp0 -p tcp --dport 53 -j DROP

############## Enable SSH externally on ppp0  ##################

iptables -A INPUT -i ppp0 -p tcp --dport 2200 -j ACCEPT

############### Port redirections ################

# RDP to windows-server

iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 3390 -j DNAT --to-destination 192.168.1.100:3389

# FORWARD sees the packet after DNAT, so it must match the translated port 3389

iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 3389 -j ACCEPT
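
A FORWARD rule for a DNAT port forward has to name the translated address and port, because the filter table sees the packet after PREROUTING has rewritten it. The check below is an added example, not part of the original notes: it reads iptables-save output and reports every DNAT target that has no FORWARD ACCEPT rule for it, so it covers any port forward, not only the RDP one. The function name audit_dnat and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# audit_dnat (hypothetical name): read iptables-save text on stdin, print one
# line per DNAT forward lacking a matching FORWARD ACCEPT, return 1 if any.
audit_dnat() {
  awk '
    # value of the argument that follows option "opt" on this rule line
    function optval(opt,    i) {
      for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
      return ""
    }
    /^-A PREROUTING / && / -j DNAT / {
      to = optval("--to-destination")            # post-NAT ip:port
      if (to ~ /:[0-9]+$/) dnat[to] = optval("--dport")
    }
    /^-A FORWARD / && / -j ACCEPT( |$)/ {
      d = optval("-d"); sub(/\/32$/, "", d)      # iptables-save prints /32
      p = optval("--dport")
      if (d != "" && p != "") fwd[d ":" p] = 1
    }
    END {
      for (to in dnat) if (!(to in fwd)) {
        printf "no FORWARD ACCEPT for %s (DNAT from port %s)\n", to, dnat[to]
        bad = 1
      }
      exit bad + 0
    }'
}

# Constructed iptables-save excerpt using the addresses on this page.
# The filter rule names the pre-NAT port 3390, so it never matches.
MISMATCH='*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 192.168.1.100:3389
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -d 192.168.1.100/32 -p tcp -m tcp --dport 3390 -j ACCEPT
COMMIT'
# Same ruleset with the filter rule on the post-NAT port 3389.
MATCHED=$(printf '%s\n' "$MISMATCH" |
  sed '/^-A FORWARD -d/s/--dport 3390/--dport 3389/')

printf '%s\n' "$MISMATCH" | audit_dnat || echo "-> align the FORWARD rule"
printf '%s\n' "$MATCHED" | audit_dnat && echo "-> port forwards consistent"
```

The check only recognises an ACCEPT rule that names the translated address and port. A broader ACCEPT rule or an ACCEPT policy on FORWARD also lets the traffic through, in which case a finding marks a dead rule rather than a broken forward.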

############### Confirm IP forward is enabled ################

echo 1 > /proc/sys/net/ipv4/ip_forward # Enables packet forwarding by kernel

 ------------------------X --------------------------

eth0     1.1.1.1   # 1st IP address
eth0:0   1.1.1.2   # 2nd IP address
eth0:1   1.1.1.3   # 3rd IP address
eth1     2.2.2.2   # LAN segment

iptables -t nat -A POSTROUTING -s 2.2.2.2 -o eth0 -j MASQUERADE

------

CentOS Linux add a default gateway

In this example, all traffic is routed via the gateway 192.168.1.254, which is reachable through the eth0 network interface. The following command sets the default gateway for both the internal and external networks (if any):

# route add default gw 192.168.1.254 eth0

OR

# ip route add default via 192.168.1.254 dev eth0

How do I make routing changes persistent across CentOS Linux server reboots?

To set default gateway edit /etc/sysconfig/network as follows:

# cat /etc/sysconfig/network

Sample configuration file:

NETWORKING=yes
## server name ##
HOSTNAME=server1.cyberciti.biz
## Default route ##
GATEWAY=192.168.1.254
NETWORKING_IPV6=yes
IPV6_AUTOCONF=no

Save and close the file. Restart the networking service on CentOS Linux, type:

# service network restart

# ip route list

To verify the new settings, ping the default gateway and an external host:

# ping 192.168.1.254

# ping www.cyberciti.biz

# host google.com

CentOS Linux static routing config for eth1 interface

The following is a sample route-eth1 file. The default gateway is set to 192.168.2.254 on interface eth1. The static route to the 10.0.0.0/8 network goes via 10.10.29.65:

# cat /etc/sysconfig/network-scripts/route-eth1

Sample configurations:

default via 192.168.2.254 dev eth1
10.0.0.0/8 via 10.10.29.65 dev eth1

---