Setting up linux firewall

sacham50
Commendable
Oct 18, 2017
Here's a map of the layout of my current internal network:

I am trying to insert a Linux CentOS 7 machine to act as a firewall for my internal network using iptables:
one NIC going to the router, modem and internet, and another going to the internal network.
When I enable things, all the wired devices can ping all other internal wired devices, but I cannot reach out to the internet.
I assume the problem lies within my iptables rules setup (yes, I'm using iptables instead of firewalld as I'm slowly learning it in college atm).
I had flushed all the rules to check if that was the problem, adding just a few rules to allow internal to external traffic, and still could not reach beyond the firewall from the internal network.
Any help, suggestions, guidance would be greatly appreciated.

I also want to set up the router as an AP for the wireless devices, giving them internet access ONLY.

(network layout diagram, image 2eSx6HK.png, not reproduced)
 
Solution (posted by skillsboy.storage, Oct 23, 2017)
This may help.
https://www.howtoforge.com/nat_iptables

Just go to Step #8.

--------------------------------------------------------------------------

Or try this:

To set a Linux machine up as a router you need the following
1- Enable forwarding on the box with
echo 1 > /proc/sys/net/ipv4/ip_forward
(this is lost on reboot; add net.ipv4.ip_forward = 1 to /etc/sysctl.conf to keep it)
Assuming your public interface is eth1 and local interface is eth0
2- Set the NAT rule with:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
3- Accept traffic from eth0:
iptables -A INPUT -i eth0 -j ACCEPT
4- Allow established connections from the public interface.
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
5- Allow outgoing connections:
iptables -A OUTPUT -j ACCEPT
6- Allow routed traffic through the FORWARD chain (packets the box forwards for the LAN never pass INPUT or OUTPUT, and the stock CentOS 7 firewall configuration rejects forwarded traffic by default):
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
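
Building on the steps above, here is an added example of my own (not code from the thread) that writes the whole ruleset out in iptables-restore format so it can be reviewed before it is loaded and saved with iptables-services. The interface names eth0 (LAN) and eth1 (toward the router), the 192.168.1.0/24 prefix and the file names are assumptions; it also assumes firewalld has been disabled (systemctl disable --now firewalld) so the two tools do not fight over the same chains. The FORWARD chain defaults to DROP, which is also what gives the wireless clients on the router internet only: nothing accepts NEW connections from the outside interface toward the LAN.

```sh
#!/bin/sh
# Added example (not from the thread): emit a complete two-NIC router/firewall
# ruleset in iptables-restore format, review it, then load and persist it.
# Assumed layout (adjust to yours): INSIDE NIC on the LAN prefix, OUTSIDE NIC
# toward the home router; firewalld disabled, iptables-services installed.

# gen_rules INSIDE OUTSIDE LAN_CIDR  -> prints the ruleset on stdout
gen_rules() {
    inside=$1; outside=$2; lan=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT LAN traffic leaving toward the router; nothing is DNATed in
-A POSTROUTING -s $lan -o $outside -j MASQUERADE
COMMIT
*filter
# Default deny both for what reaches the box and for what it routes
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot classify are dropped before any accept rule
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Loopback and replies to the firewall's own outbound connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Management (SSH, ping) from LAN addresses on the LAN NIC only; add DNS/DHCP
# here if the box serves them. Nothing is accepted from the outside NIC.
-A INPUT -i $inside -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $inside -s $lan -p icmp -j ACCEPT
# Routed traffic: the LAN may open connections outward (source must be a LAN
# address, which stops spoofed sources); only replies come back in. With no
# NEW accepted $outside -> $inside, wireless clients on the router get
# internet only.
-A FORWARD -i $inside -o $outside -s $lan -j ACCEPT
-A FORWARD -i $outside -o $inside -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_rules INSIDE OUTSIDE LAN_CIDR  -> load the ruleset, turn on forwarding,
# persist both (root required). iptables-restore replaces the tables atomically.
apply_rules() {
    gen_rules "$@" | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/90-router.conf
    service iptables save
}

# Usage: sh router-fw.sh eth0 eth1 192.168.1.0/24          # print for review
#        sh router-fw.sh eth0 eth1 192.168.1.0/24 --apply  # load and save
if [ $# -ge 3 ]; then
    if [ "$4" = "--apply" ]; then apply_rules "$1" "$2" "$3"; else gen_rules "$1" "$2" "$3"; fi
fi
```

Load a default-deny ruleset from the console or from a LAN host, never over SSH from the router side, since the INPUT chain accepts nothing from the outside NIC. After loading, iptables -L -v -n shows the packet counters climbing on the FORWARD rules when a LAN host browses, which is the quickest way to confirm the box is actually routing rather than just pinging.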

sacham50
Commendable
Oct 18, 2017
Sorry, I should have stated that.

Yes, the firewall sees everything externally, and can ping the devices.

The problem seems to lie somewhere in the forwarding from the internal NIC to the external NIC,
although that is just a guess on my part.
 

skillsboy.storage
Prominent
Oct 23, 2017
Try this.

IP Forwarding, Linux acting as a router.

First up, enable IP forwarding in the kernel because Linux cannot function as a router without it. Add the following line to /etc/sysctl.conf:
...
net.ipv4.ip_forward = 1
...

NAT rule, to let all traffic out (replace with your interfaces; below, eth1 is the inside interface and eth2 the outside one):

# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth2 -j MASQUERADE

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth2 -j ACCEPT

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth2 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

(MASQUERADE goes on the outside interface, the inside may open connections outward, and only replies are forwarded back in. These are runtime rules; add --permanent to each, or run firewall-cmd --runtime-to-permanent, to keep them across a reload or reboot.)
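
A ruleset written for one interface layout is easy to paste onto a box with the opposite layout, and with the names swapped the firewall forwards new connections from the internet side into the LAN while the LAN itself gets nothing out. As an added example that is not part of the thread, the script below lints an iptables-save dump for the four things that make a two-NIC router either not forward at all or forward the wrong way: FORWARD policy left at ACCEPT, MASQUERADE on the wrong NIC, no rule letting the LAN open connections outward, and a rule letting the outside open connections inward. The interface names eth1 (inside) and eth2 (outside) and the two sample dumps are constructed for the demonstration; on the real box, feed it iptables-save output.

```sh
#!/bin/sh
# Added example (not from the thread): lint an iptables-save dump of a two-NIC
# router for mistakes that stop forwarding or open it the wrong way.
# Interface names and the two sample dumps are constructed for the demo.

# count_new_accepts FROM_NIC TO_NIC DUMPFILE
# Number of FORWARD ACCEPT rules FROM_NIC -> TO_NIC that admit NEW connections
# (a rule restricted to ESTABLISHED/RELATED only carries replies).
count_new_accepts() {
    grep -- "^-A FORWARD .*-i $1 .*-o $2 .*-j ACCEPT" "$3" 2>/dev/null |
        awk '!/ESTABLISHED/ || /NEW/' | grep -c '' || true
}

# check_ruleset DUMPFILE INSIDE OUTSIDE
# Prints one line per finding and returns the number of findings (0 = clean).
check_ruleset() {
    dump=$1; in_if=$2; out_if=$3; n=0
    if grep -q -- '^:FORWARD ACCEPT' "$dump"; then
        printf 'FORWARD policy is ACCEPT: anything not explicitly dropped is routed both ways\n'
        n=$((n + 1))
    fi
    if ! grep -q -- "^-A POSTROUTING .*-o $out_if .*-j MASQUERADE" "$dump"; then
        printf 'no MASQUERADE on %s: LAN packets leave with private sources and replies never return\n' "$out_if"
        n=$((n + 1))
    fi
    if [ "$(count_new_accepts "$in_if" "$out_if" "$dump")" -eq 0 ]; then
        printf 'no FORWARD rule lets %s open connections toward %s: the LAN cannot reach the internet\n' "$in_if" "$out_if"
        n=$((n + 1))
    fi
    if [ "$(count_new_accepts "$out_if" "$in_if" "$dump")" -gt 0 ]; then
        printf 'FORWARD admits NEW connections %s -> %s: the router/wireless side can reach the LAN\n' "$out_if" "$in_if"
        n=$((n + 1))
    fi
    return $n
}

# check_ip_forward [FILE]  -> true when the kernel forwarding switch is on.
# The FILE argument lets the check run against a saved copy of the sysctl.
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed dump: rules written for "eth1 = outside" loaded on a box where
# eth1 is actually inside and eth2 outside.
sample_swapped() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed dump: the same intent with the interfaces the right way round
# and a default-deny FORWARD chain.
sample_correct() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage (as root): iptables-save > /tmp/rules && sh lint.sh /tmp/rules eth1 eth2
if [ $# -eq 3 ]; then
    check_ip_forward || printf 'net.ipv4.ip_forward is 0: the kernel will not route at all\n'
    check_ruleset "$1" "$2" "$3"
fi
```

Run against the swapped dump the script reports all four findings; against the corrected one it reports none. Under firewalld the direct rules land in the FORWARD_direct chain rather than FORWARD itself, so on a box that still runs firewalld, grep for that chain name instead before trusting a clean result.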
 
