CentOS 7 as NAT Gateway for Private Network

The scenario is a small private network connected via a switch and using 192.168.0.* addresses. One of the machines (let’s call it RTR001) on the network has two network interface cards. One with an address on the 192.168.0.* network and another providing wider network (& internet) access on a 123.111.123.* network. This machine (RTR001) will take traffic from the private network 192.168.0.* and route it out via its other interface to the internet etc.

So the router machine (RTR001) has the following interfaces and IP addresses:

  • eth0
  • eth1

Configure the kernel to forward IP packets:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

To avoid rebooting implement the same change dynamically:

sysctl -w net.ipv4.ip_forward=1

On CentOS 7, after configuring both network interfaces, we need to use firewalld:

firewall-cmd --zone=external --add-interface=eth0 --permanent
firewall-cmd --zone=internal --add-interface=eth1 --permanent

After making changes reload with:

firewall-cmd --complete-reload

Check the settings to ensure your interfaces are listed in the correct zone:

firewall-cmd --list-all-zones

If you have made a mistake you can remove the interface from the zone with:

firewall-cmd --zone=internal --remove-interface=eth0

Configure masquerading on the externally facing device (eth0):

firewall-cmd --zone=external --add-masquerade --permanent

Now the NAT rule (see comments – this may not be required):

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s

I was running DNS, DHCP, pxe and several other services from my RTR001 machine to service the internal computers so I opened those ports with:

firewall-cmd --permanent --zone=internal --add-service=dhcp
firewall-cmd --permanent --zone=internal --add-service=tftp
firewall-cmd --permanent --zone=internal --add-service=dns
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --permanent --zone=internal --add-service=nfs
firewall-cmd --permanent --zone=internal --add-service=ssh

Reload the firewall rules and test pings from the internal machines:

firewall-cmd --complete-reload
firewall-cmd --list-all-zones


6 Responses to “CentOS 7 as NAT Gateway for Private Network”

  1. a123qwertz567

    Thank you for your manual. Worked fine for me until a reboot. After I rebooted the machine all network devices are assigned to the default zone. It doesnt matter if I configure it with the command line or with the firewalld-GUI.

    May you have any idea what I could do?

    • a123qwertz567

      I fixed this by adding


      to the file /etc/sysconfig/network-scripts/ifcfg-eno1

  2. Jamie Fargen

    In RHEL7.3, the commands firewall-cmd –zone=external –add-interface=eth0 –permanent seem to append the zone to the network config file /etc/sysconfig/network-scripts/ifcfg-xyz automatically now.

  3. Michael

    You don’t need to reboot if you changed /etc/sysctl.conf, just execute the following command to reload it;
    sysctl -p

  4. Germano Massullo

    ‎erig‎ from Freenode #firewalld told me that line
    firewall-cmd –permanent –direct –passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s
    is not necessary. I made a test and he is right


Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>