Want to make a software router with two NIC cards using CentOS 6.4
I'm new to CentOS. I have a CentOS 6.4 system with 2 NIC cards. I want to set up a gateway so I can get internet from a public IP over the 1st NIC card (eth1) and forward the network over the 2nd NIC card (eth2) so it is accessible to my local network. I made a DNS server on the same system. My gateway system is able to ping both the DNS and Google, but my client systems are not.
I tried to set the iptables rules; it works for pinging the local gateway, but I'm unable to ping the public DNS and www.google.com from the client system. When I ping google.com it says that the host is unreachable.
How can I implement this? Please help me.
- public IP (eth1): x.x.x.x
- my local network (eth2): 192.168.x.x
I used this for setting up iptables:

```shell
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface eth2 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
```
Routing table:

```
Kernel IP routing table
Destination     Gateway           Genmask         Flags Metric Ref  Use Iface
local ip        0.0.0.0           255.255.255.0   U     0      0      0 eth2
public ip       0.0.0.0           255.255.255.0   U     0      0      0 eth1
0.0.0.0         my local gateway  0.0.0.0         UG    0      0      0 eth2
```
Iptables:

```
Chain PREROUTING (policy ACCEPT 9761 packets, 1239K bytes)
 pkts bytes target     prot opt in     out       source               destination
Chain POSTROUTING (policy ACCEPT 14666 packets, 1001K bytes)
 pkts bytes target     prot opt in     out       source               destination
  345 41722 MASQUERADE all  --  *      Auto_eth1 0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 15011 packets, 1043K bytes)
 pkts bytes target     prot opt in     out       source               destination
```
Please tell me what changes I have to make in the configuration.
Solution 1:
```shell
ip route del default
ip route add default via INTERNETGATEWAY dev eth2
```
There is something screwy with your route. The CentOS 'NAT' box needs to sit on two nets:
- 192.168.5.x/24 (private, eth2)
- 192.168.6.x/24 (public, eth1) -- hypothetically
Your route should be something like:

```shell
ip route add 192.168.5.0/24 dev eth2
ip route add 192.168.6.0/24 dev eth1
ip route add default via 192.168.6.1 dev eth1
```

Right now you are routing internet-bound traffic out of your private-facing NIC...
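As an added example (not part of either answer), a small checker that parses `route -n` output and flags the exact misrouting Solution 1 describes: a default route leaving through the LAN-facing NIC instead of the WAN NIC, a missing connected subnet on either NIC, or a gateway that is not on the WAN subnet. The sample tables, interface names and the 192.168.5.x/192.168.6.x addressing are constructed from Solution 1's hypothetical layout.

```python
import ipaddress

# Constructed `route -n` output (not taken from the question), using the
# hypothetical layout from Solution 1 with the default route wrongly on eth2.
ROUTE_N_BROKEN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth2
"""
# Same table after applying Solution 1's corrected default route.
ROUTE_N_FIXED = ROUTE_N_BROKEN.replace(
    "0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth2",
    "0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1")

def parse_routes(text):
    """Parse `route -n` lines into dicts; title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, _metric, _ref, _use, iface = parts
        routes.append({"dest": dest, "gw": gw, "mask": mask,
                       "flags": flags, "iface": iface})
    return routes

def check_nat_routes(text, wan="eth1", lan="eth2"):
    """Return a list of problems; empty means internet-bound traffic leaves
    via the WAN NIC and each NIC has a route for its connected subnet."""
    routes = parse_routes(text)
    problems = []
    # Directly connected subnets (no G flag) keyed by interface.
    connected = {r["iface"]: ipaddress.ip_network("%s/%s" % (r["dest"], r["mask"]))
                 for r in routes if "G" not in r["flags"]}
    for iface in (wan, lan):
        if iface not in connected:
            problems.append("no connected subnet route on %s" % iface)
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and "G" in r["flags"]]
    if not defaults:
        problems.append("no default route")
    for r in defaults:
        if r["iface"] != wan:
            problems.append("default route via %s leaves through %s, must use %s"
                            % (r["gw"], r["iface"], wan))
        elif ipaddress.ip_address(r["gw"]) not in connected.get(wan, ()):
            problems.append("gateway %s is not on the %s subnet" % (r["gw"], wan))
    return problems
```

Run it against the live table with `check_nat_routes(subprocess.check_output(["route", "-n"]).decode())` before touching iptables; MASQUERADE on eth1 cannot help while the default route points at eth2.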
Solution 2:
Don't reinvent the wheel. Ditch trying to roll it by hand and use an appliance product such as pfSense that handles this very well.
Yes, it is possible, but if you're not familiar with how this all works it's not worth your time to try to build it by hand.