This post outlines how to build a simple router using firewalld and dnsmasq on CentOS 7. The problem this router solves for us at SuniTAFE is that it isolates virtual student networks on VMWare ESX hosts from the main college network, while still allowing access to the college network for DNS forwarding and internet purposes.
First up, install a “Minimal” version of CentOS 7 and then update the system software:
# yum update
The dnsmasq service (provides DHCP and DNS services to internal network) should already be installed, but ntpd (provides time service) will need installing:
# yum install ntp
Also install Open VM Tools if the router is on VMWare:
# yum install open-vm-tools
First up, enable IP forwarding in the kernel because Linux cannot function as a router without it. Add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
This is a permanent change that will stick after each reboot. To force sysctl to reread its config file after editing it, run:
# sysctl -p
The gateway/router has two virtual NICs, one in the students’ virtual network (the internal network) and one in the college network (the external network).
First, we need to permanently assign each NIC to its own firewall zone. Firewalld has several zones already pre-defined, which can be listed using the following command:
# firewall-cmd --get-zones block dmz drop external home internal public trusted work
The pre-defined default zone is the public zone:
# firewall-cmd --get-default-zone public
The simplest approach is to use the default public zone for the external network, and to assign the internal network to the pre-defined internal zone.
By default, firewalld automatically assigns all interfaces to the default zone:
firewall-cmd --list-all public (default, active) interfaces: eth1 eth2 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
Here, firewalld knows about two interfaces, eth1 and eth2, and both are assigned to the public zone. We want to keep eth1 in the public zone and assign eth2 to the internal zone.
Initially, we tried using some firewall-cmd options for adding interfaces to zones (and removing them) as follows:
firewall-cmd --permanent --zone=public --remove-interface=eth2 firewall-cmd --permanent --zone=internal --add-interface=eth2
The problem with this approach is that every time firewalld or the server is restarted, all interfaces are reassigned back to the public zone despite the use of the –permanent option in the above commands.
It turns out that the only way to permanently assign an interface to a zone is to edit the interface’s configuration file (/etc/sysconfig/network-scripts/ifcfg-eth2 in this case) and add a ZONE option as follows:
If this option is missing or empty, the default firewalld zone will always be reassigned to the interface when it is restarted.
Before moving on, we should mention that if the router needs to serve multiple internal networks it is easy enough to define new custom zones if necessary:
firewall-cmd --permanent --new-zone=student1 firewall-cmd --reload
Note that only one new zone can be added at a time, and that the –permanent option must be used. Zones can also be removed if necessary:
firewall-cmd --permanent --delete-zone=student1
The following rules allow machines on the isolated internal network (on eth2) to send NATed packets to the college network (on eth1), and also allow responses back. Machines on the college network cannot initiate communications with student machines on the internal network:
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -j ACCEPT firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
Pretty simple really. Note that as-is, this router forwards all traffic regardless of service, port or protocol but does not allow connections to the router itself apart from those pre-defined for the public interface (dhcpv6-client and ssh).
Currently configured –direct rules can be inspected as follows:
# firewall-cmd --permanent --direct --get-all-rules
Although we haven’t configured dnsmasq and ntpd yet, we may as well put the firewall rules they require in place now. As a DHCP, DNS and NTP server for the internal network, the router requires ports 53, 67 and 123 to be opened on the internal zone. Note that these are all UDP ports:
# firewall-cmd --permanent --zone=internal --add-port=53/udp # firewall-cmd --permanent --zone=internal --add-port=67/udp # firewall-cmd --permanent --zone=internal --add-port=123/udp # firewall-cmd --reload
While we’re at it we may as well remove the unnecessary dhcpv6-client service from the public zone:
# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client # firewall-cmd --reload
DHCP and DNS configuration is very easy. The dnsmasq configuration file is located in /etc/dnsmasq.conf. By default, all entries in that file are commented out and use sensible defaults. Simply add the following directives to that file to define DHCP and DNS servers listening on 192.168.0.1 on eth2. This file also defines a DHCP range (192.168.0.50 to 192.168.0.250) with 12 hour leases, and points DNS, Gateway and NTP server options to the router itself:
interface=eth2 listen-address=192.168.0.1 domain=yourdomain.net dhcp-range=192.168.0.50,192.168.0.250,12h dhcp-option=option:dns-server,192.168.0.1 dhcp-option=option:router,192.168.0.1 dhcp-option=option:ntp-server,192.168.0.1
Dnsmasq functions as a forwarding DNS server. Valid forwarding servers need to be defined in ifcfg-* interface files and /etc/resolv.conf. Dnsmasq will also read any entries in /etc/hosts/.
Basic NTP functionality is even easier to configure. Uncomment and modify this line in /etc/ntp.conf, using an appropriate network definition for your case:
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
Enable and start the dnsmasq and ntpd services:
# systemctl enable dnsmasq # systenctl start dnsmasq # systemctl enable ntpd # systenctl start ntpd
NTP functionality can be verified as follows:
# ntpq -p
All currently listening services can be verified as follows:
# ss -tulpn