Wright This Way

Linux NAT Firewall Setup

A NAT firewall is needed whenever a private network must communicate with the wider world. The most common example is a home WiFi router, which provides a private network and links it to the WAN connection supplied by an ISP.

I was recently setting up such a system at work to allow systems on a private network to communicate with the internet for software updates, etc. There is a lot of info out there on how to set this up; many older guides focus on iptables rules, but I wanted something that used the newer firewall-cmd software. After some googling and piecing together some things, I came up with the following script.

Linux rp_filter on multihomed system

I was recently working on a Linux system that was providing a NAT service for an environment. Initially, everything seemed to be working fine, but after some additional testing, problems were discovered…

What was happening was that network traffic was arriving on one interface, but that interface had no route back to the source system, so the reply traffic needed to go out the default network interface, as expected. The problem (feature!) is that newer Linux versions have a feature called Strict Reverse Path Forwarding, which checks that the interface receiving a packet is also the interface the system would use to respond to it. For a source on the local subnet this is usually fine, but for a source outside the local subnet the reply requires routing, quite possibly via another network interface. With Strict Reverse Path Forwarding enabled, if the reply would have to leave through a different interface, the packet is dropped. For more info on this, see this link: https://access.redhat.com/solutions/53031
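To make the strict-versus-loose behaviour concrete, here is an added Python model of the rp_filter decision (not code from the post); the routing table, interface names and addresses are constructed, and the mode values follow the kernel's sysctl documentation (0 = off, 1 = strict, 2 = loose).

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the NAT host in the post's scenario:
# eth0 carries the default route to the WAN, eth1 faces the private LAN.
ROUTES = [
    (ip_network("0.0.0.0/0"), "eth0"),
    (ip_network("192.168.10.0/24"), "eth1"),
]


def route_lookup(routes, dst):
    """Longest-prefix match: the interface a packet to `dst` would leave on."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def effective_mode(all_value, iface_value):
    """Kernel rule: the higher of conf.all.rp_filter and conf.<iface>.rp_filter wins."""
    return max(all_value, iface_value)


def rp_filter_accepts(routes, src, in_iface, mode):
    """Does a packet from `src` arriving on `in_iface` pass reverse-path filtering?

    0: no check.  1 (strict): the route back to src must leave via in_iface.
    2 (loose): any route back to src suffices; only unroutable sources fail.
    """
    if mode == 0:
        return True
    reverse_iface = route_lookup(routes, src)
    if mode == 1:
        return reverse_iface == in_iface
    if mode == 2:
        return reverse_iface is not None
    raise ValueError(f"unknown rp_filter mode {mode}")


if __name__ == "__main__":
    # The post's case: a packet from a remote network arrives on eth1, but
    # the only route back to it is the default route via eth0.
    for mode in (1, 2):
        ok = rp_filter_accepts(ROUTES, "10.20.0.5", "eth1", mode)
        print(f"rp_filter={mode}: {'accepted' if ok else 'dropped'}")
```

On a real host the per-interface value is read from /proc/sys/net/ipv4/conf/<iface>/rp_filter, and because the kernel applies the higher of conf.all and conf.<iface>, lowering only the interface value has no effect while conf.all.rp_filter is still 1.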