NAT with iptables

CentOS 7.2 configuration

The idea is to configure iptables for NAT (also called masquerading) on this host so that the internal cluster compute nodes, which only have private addresses, can reach the outside (the Internet or any other external network) through it.

CentOS 7.2 does ship the iptables package (the command-line tool and its libraries), so the following shows up even on a fresh install. Do not confuse it with the service we need:

[root@hadoop-master ~]# yum list installed | grep -i iptables
iptables.x86_64                        1.4.21-16.el7

What is missing is the iptables-services package, which provides the iptables.service unit and the /etc/sysconfig/iptables rules file it loads. Install it with:

[root@hadoop-master ~]# yum install iptables-services

CentOS 7 ships with firewalld enabled, and two managers rewriting the same kernel tables will undo each other's rules, so stop and disable firewalld first (systemctl stop firewalld, then systemctl disable firewalld). After that, start the service:

[root@hadoop-master ~]# systemctl start iptables.service

To have it come up at boot time, enable it:

[root@hadoop-master ~]# systemctl enable iptables.service

Check that it is now enabled at boot:

[root@hadoop-master ~]# systemctl list-unit-files | grep -i iptables
iptables.service                           enabled

Explanation: chkconfig --list only shows SysV init scripts (the ones living in /etc/init.d) and does not list native systemd units, which is why systemctl list-unit-files is the right check on CentOS 7.

Copy the following into /etc/sysconfig/iptables (back up the default file first) and change the NIC names to match your host.

[root@hadoop-master ~]# cat /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp5s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i enp5s0 -j ACCEPT
-A INPUT -i enp6s0 -j ACCEPT
-A INPUT -i enp6s0:0 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i enp5s0 -j ACCEPT
-A FORWARD -i enp6s0 -j ACCEPT
-A FORWARD -i enp6s0:0 -j ACCEPT
-A FORWARD -o enp5s0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The only things you need to change are the network adapter names. In our case:

enp5s0: carries the external IP address and is connected to the external network.

enp6s0: carries the internal IP address and is connected to the internal network that feeds the compute nodes.

enp6s0:0: an alias address on the same internal NIC, used for the IPMI network. If you do not have an IPMI network, ignore it. Note that iptables matches on the real interface name only: packets addressed to the alias still arrive on enp6s0, so the two enp6s0:0 rules never match (iptables-restore warns about the ':' in the name) and can be dropped without changing behaviour.

Two lines in the filter table deserve a second look before this host faces the Internet. "-A INPUT -i enp5s0 -j ACCEPT" accepts every packet arriving from the external network, and "-A FORWARD -i enp5s0 -j ACCEPT" forwards anything arriving there that has a route into the cluster network, so the ESTABLISHED,RELATED and port-22 rules above them and the two REJECT rules at the end never see any external traffic. If the gateway is reachable from untrusted networks, remove those two lines: inbound traffic is then limited to replies to connections the gateway or the cluster opened, ICMP, and SSH, which is what the rest of the ruleset already expresses.
Finally, load the new rules by restarting the service. NAT also needs the kernel to forward packets between the two interfaces, which CentOS leaves off by default: set net.ipv4.ip_forward = 1 (persistently, in a file under /etc/sysctl.d/) or the MASQUERADE rule will never see a forwarded packet and the compute nodes will still not get out.

[root@hadoop-master ~]# systemctl restart iptables.service
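The whole procedure as one script, added here as an example and not taken from the original post: it renders a tighter version of the ruleset above for the same two-NIC layout (masquerade only for the cluster subnet, no blanket ACCEPT on the external NIC, forwarding only for new connections leaving the cluster, the alias-interface rules dropped), lints a ruleset for the two weak rules discussed above, and, only when run as root with the argument "apply" on the gateway itself, performs the install, firewalld, forwarding and restart steps. EXT_IF and INT_IF follow the post's host; INT_NET is an assumed cluster subnet; change all three to match your NICs.

```shell
#!/bin/bash
# Added example for the NAT gateway above; not the post's own file.
# Usage: ./nat-gateway.sh          (render and lint only, safe anywhere)
#        sudo ./nat-gateway.sh apply   (install, enable forwarding, load rules)
set -euo pipefail

EXT_IF="${EXT_IF:-enp5s0}"             # external NIC (assumed, as in the post)
INT_IF="${INT_IF:-enp6s0}"             # internal NIC feeding the compute nodes (assumed)
INT_NET="${INT_NET:-192.168.10.0/24}"  # internal subnet: constructed for this example

# Print an iptables-restore ruleset. Compared with the post's file: MASQUERADE
# only for packets really sourced from the cluster subnet, default-DROP policies,
# no unconditional ACCEPT on the external NIC, forwarding only for new
# connections leaving the cluster, and no "enp6s0:0" rules because iptables
# matches the real NIC name (the alias's traffic arrives on the internal NIC
# and is covered by the "-i ${int}" rule).
render_ruleset() {
    local ext="$1" int="$2" net="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${net} -o ${ext} -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${int} -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i ${int} -o ${ext} -s ${net} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset on stdin and report the two weak rules present in the post's
# file: a bare "-i <ext> -j ACCEPT" in INPUT or FORWARD, and a MASQUERADE with
# no -s restriction. Returns 1 if anything was reported, 0 if the file is clean.
lint_ruleset() {
    local ext="$1" findings=0 line
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT -i ${ext} -j ACCEPT"|"-A FORWARD -i ${ext} -j ACCEPT")
                echo "blanket accept from external NIC: $line"
                findings=$((findings + 1)) ;;
            "-A POSTROUTING -o ${ext} -j MASQUERADE")
                echo "masquerade with no source restriction: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# The post's steps plus the two it leaves out: firewalld (enabled by default on
# CentOS 7) must stop managing the tables, and the kernel must forward packets.
apply_gateway() {
    systemctl stop firewalld 2>/dev/null || true
    systemctl disable firewalld 2>/dev/null || true
    yum -y install iptables-services
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-nat-forward.conf
    sysctl --system > /dev/null
    if [ -f /etc/sysconfig/iptables ]; then
        cp -n /etc/sysconfig/iptables /etc/sysconfig/iptables.orig   # keep the shipped file
    fi
    render_ruleset "$EXT_IF" "$INT_IF" "$INT_NET" > /etc/sysconfig/iptables
    iptables-restore --test < /etc/sysconfig/iptables   # parse check before going live
    systemctl enable iptables.service
    systemctl restart iptables.service
    # Verification: forwarding is on and the NAT rule is present for the cluster subnet.
    sysctl net.ipv4.ip_forward
    iptables -t nat -S POSTROUTING
}

if [ "${1:-}" = apply ]; then
    apply_gateway
else
    render_ruleset "$EXT_IF" "$INT_IF" "$INT_NET" | lint_ruleset "$EXT_IF"
    render_ruleset "$EXT_IF" "$INT_IF" "$INT_NET"
fi
```

Run without arguments it prints the hardened ruleset for review (the lint stays silent on it); piping the post's own file into lint_ruleset enp5s0 reports the three permissive lines. The apply path keeps the page's restart step last so that the forwarding sysctl is already in place when the rules load.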
That’s all.
