DESCRIPTION :

 

This one is going to be a simple routed network with four routers; routing is done statically. The routers are connected as follows (the topology is drawn from the addresses listed in STEP 1):

                        cable modem 192.168.40.1
                                  |
                         eth0 192.168.40.200
                               ROUTER1
                         eth1 192.168.210.250
                                  |
          ------------ 192.168.210.0/24 (backbone) ------------
                   |                                 |
         eth0 192.168.210.249              eth0 192.168.210.248
               ROUTER2                           ROUTER3
         eth1 192.168.200.250              eth1 192.168.202.250
         eth2 192.168.201.250                        |
                                           eth0 192.168.202.249
                                                 ROUTER4
                                           eth1 192.168.204.250

 

STEP 1 - Download the ISO, configure host names and IP addresses

 

Download the CentOS 6.5 ISO (i386 or x86_64) from the CentOS website. Note that CentOS 6 has been end-of-life since November 2020 and no longer receives security updates, so treat this as a lab build rather than something to expose to the Internet as-is.

Install the base system; partitioning and RAID configuration are up to the user.

The hostnames and IP addresses for the four routers are as follows (every subnet is a /24, netmask 255.255.255.0):

 

ROUTER1

hostname : router01.home.lan

eth0: 192.168.40.200   (uplink)

eth1: 192.168.210.250

 

ROUTER2

hostname : router02.home.lan

eth0: 192.168.210.249

eth1: 192.168.200.250

eth2: 192.168.201.250

 

ROUTER3

hostname : router03.home.lan

eth0: 192.168.210.248

eth1: 192.168.202.250

 

ROUTER4

hostname : router04.home.lan

eth0: 192.168.202.249

eth1: 192.168.204.250

 

As you can see, the network 192.168.210.0/24 interconnects our routers: it is our backbone. ROUTER4 is the one router not on the backbone; it sits behind ROUTER3 on 192.168.202.0/24, so everything destined for 192.168.204.0/24 has to pass through ROUTER3 first.

 

STEP 2 - Disable iptables and SELinux, then upgrade the system

On all four routers we run the following commands:

chkconfig iptables off
chkconfig ip6tables off
vi /etc/selinux/config

Look for the SELINUX= line and change it to SELINUX=disabled, then reboot the system:

reboot

chkconfig only stops the iptables service, i.e. the init script that loads the rules saved in /etc/sysconfig/iptables at boot. Netfilter itself stays available in the kernel, which is why the NAT script that ROUTER1 starts from rc.local in STEP 3 still works. It also means ROUTER2, ROUTER3 and ROUTER4 run with no packet filter at all, and ROUTER1 filters nothing either unless its script adds filter rules. Nothing in this setup actually requires SELinux to be off; SELINUX=permissive logs denials without blocking anything and is the safer choice if you want to keep that option open.

Once the machine is back up we run a system upgrade:

yum upgrade

 

STEP 3 - Configure static routing

 

ROUTER1

We add the following lines to /etc/rc.d/rc.local. rc.local runs once at the end of boot; routes added this way are lost again if you later run "service network restart" on an interface, so re-run the file (or reboot) after a network restart:

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# default gateway ( 192.168.40.1 is the ip address of the cable modem )
route add default gw 192.168.40.1
# subnet 192.168.200.0, behind ROUTER2
route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.210.249
# subnet 192.168.201.0, behind ROUTER2
route add -net 192.168.201.0 netmask 255.255.255.0 gw 192.168.210.249
# subnet 192.168.202.0, behind ROUTER3
route add -net 192.168.202.0 netmask 255.255.255.0 gw 192.168.210.248
# subnet 192.168.204.0, behind ROUTER4, which is reached through ROUTER3
route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.210.248
# run nat script
/home/iptables-secure

 

Now we create /home/iptables-secure and make it executable (rc.local runs it as a command, so the execute bit is required; 700 keeps it readable only by root):

vi /home/iptables-secure
chmod 700 /home/iptables-secure

And add the following content:

 

#!/bin/bash

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk

EXTIF="eth0"
INTIF="eth1"
echo " External Interface:  $EXTIF"
echo " Internal Interface:  $INTIF"
echo " --- "

# Uplink address, read from ifconfig output. This parsing relies on the
# "inet addr:A.B.C.D  Bcast:..." line the net-tools version in CentOS 6 prints;
# newer net-tools print "inet A.B.C.D" and would need
# "ip -4 addr show dev $EXTIF" instead.
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
if [ -z "$EXTIP" ]; then
    echo "Could not determine the address of $EXTIF, not adding NAT rules" >&2
    exit 1
fi
echo " External IP: $EXTIP"
echo " --- "

# Flush our chain first: the rules below are appended with -A, so running the
# script a second time would otherwise add a duplicate of every rule.
iptables -t nat -F POSTROUTING

# Rewrite the source of everything leaving via the uplink to the uplink address,
# one rule per internal subnet (all /24).
iptables -t nat -A POSTROUTING -s 192.168.210.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.201.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.202.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.204.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP

 

NOTE: each POSTROUTING rule is a single line; do not let it wrap.

With this we configured our main router to do NAT for the following subnets: 192.168.210.0, 192.168.200.0, 192.168.201.0, 192.168.202.0 and 192.168.204.0. The SNAT is needed because the cable modem on 192.168.40.0/24 knows nothing about these subnets and has no route back to them; every packet leaves with 192.168.40.200 as its source and the replies come back to ROUTER1.

This sample script does NAT only, it is not a firewall. With the iptables service disabled the filter table is empty, the FORWARD chain's policy is ACCEPT, and any device on the uplink network that knows the internal addresses can open connections straight into the internal subnets. It should be hardened before being used as a real firewall (a default-DROP FORWARD policy with connection tracking, at minimum), but for our routing example it's enough.
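As an added example (this is not the page's script, nor anything shipped with CentOS), the same NAT configuration rewritten to load through iptables-restore, with the FORWARD filtering the sample script lacks: the nat and filter tables are replaced atomically, so re-running never duplicates rules, and only connections initiated from the inside are allowed out the uplink. Interface names and subnets are the page's; the function names, the "apply" argument and the use of "ip -o addr" to read the uplink address are this example's own choices.

```shell
#!/bin/bash
# Added example, not the original page's /home/iptables-secure.
set -eu

EXTIF="eth0"
INTIF="eth1"
# Internal subnets from the page, all SNATed behind the uplink address.
INTERNAL_NETS="192.168.210.0/24 192.168.200.0/24 192.168.201.0/24 192.168.202.0/24 192.168.204.0/24"

# Primary IPv4 address of an interface, via iproute2 rather than ifconfig text
# parsing. "ip -o" prints one record per line: "N: eth0 inet A.B.C.D/24 ...".
ext_ip() {
    ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Emit a complete iptables-restore file for the given interfaces and uplink
# address: one SNAT rule per internal subnet, then a stateful FORWARD policy.
build_ruleset() {
    local extif="$1" intif="$2" extip="$3" net
    echo "*nat"
    echo ":PREROUTING ACCEPT [0:0]"
    echo ":POSTROUTING ACCEPT [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    for net in $INTERNAL_NETS; do
        echo "-A POSTROUTING -s $net -o $extif -j SNAT --to-source $extip"
    done
    echo "COMMIT"
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    # Transit traffic is denied unless a rule below accepts it.
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Replies to connections we already track are always allowed through.
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state INVALID -j DROP"
    # New connections may only originate from an internal subnet, arrive on the
    # inside interface and leave via the uplink. Matching on -s as well as -i
    # drops packets with spoofed internal sources that arrive on eth0.
    for net in $INTERNAL_NETS; do
        echo "-A FORWARD -i $intif -o $extif -s $net -m state --state NEW -j ACCEPT"
    done
    # Everything else (new flows from the uplink side) is rate-limited to the log, then dropped by policy.
    echo "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    echo "COMMIT"
}

main() {
    local extip
    extip="$(ext_ip "$EXTIF")"
    [ -n "$extip" ] || { echo "no IPv4 address on $EXTIF, not loading rules" >&2; exit 1; }
    echo " External Interface:  $EXTIF ($extip)"
    echo " Internal Interface:  $INTIF"
    # iptables-restore parses the whole file before committing a table, so a
    # syntax error leaves the running rules untouched.
    build_ruleset "$EXTIF" "$INTIF" "$extip" | iptables-restore
}

# Running the file with "apply" loads the rules (needs root); running it with
# no argument only defines the functions, which lets the ruleset be inspected
# with:  build_ruleset eth0 eth1 192.168.40.200
case "${1:-}" in
    apply) main ;;
esac
```

To use it on ROUTER1, replace the "/home/iptables-secure" line in rc.local with "/home/iptables-secure apply". The ruleset still does no filtering between internal subnets, since that traffic never crosses ROUTER1; if you want that, the same pattern (default DROP on FORWARD plus explicit accepts) goes on ROUTER2 and ROUTER3.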

 

ROUTER2

 

We add the following lines to /etc/rc.d/rc.local:

# enable ip forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

# default gateway

route add default gw 192.168.210.250

# subnet 192.168.202.0

route add -net 192.168.202.0 netmask 255.255.255.0 gw 192.168.210.248

# subnet 192.168.204.0

route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.210.248

 

ROUTER3

 

We add the following lines to /etc/rc.d/rc.local:

# enable ip forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

# default gateway

route add default gw 192.168.210.250

# subnet 192.168.204.0

route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.202.249

# subnet 192.168.200.0

route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.210.249

# subnet 192.168.201.0

route add -net 192.168.201.0 netmask 255.255.255.0 gw 192.168.210.249

 

ROUTER4

We add the following lines to /etc/rc.d/rc.local (ROUTER4 has only one neighbour, so a default route towards ROUTER3 is all it needs):

# enable ip forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

# default gateway

route add default gw 192.168.202.250
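The rc.local approach above works, but "route add" lines run only at boot and disappear whenever an interface is brought down. As an added example (not from the page), here is the same configuration for ROUTER3 expressed the way CentOS 6's own network scripts expect it: forwarding in /etc/sysctl.conf, the default gateway in /etc/sysconfig/network, and the static routes in /etc/sysconfig/network-scripts/route-<interface> files, which ifup applies every time the interface comes up. The route table is ROUTER3's from the page; the "render" argument and the optional scratch-root directory, which lets you look at the rendered files before touching the real system, are this example's own conventions.

```shell
#!/bin/bash
# Added example, not the page's own procedure.
set -eu

# ROUTER3's static routes, copied from its rc.local on the page:
# "<interface> <destination> <gateway>" per line. Which interface each
# gateway sits behind follows from STEP 1 (210.x is eth0, 202.x is eth1).
ROUTER3_ROUTES="
eth1 192.168.204.0/24 192.168.202.249
eth0 192.168.200.0/24 192.168.210.249
eth0 192.168.201.0/24 192.168.210.249
"

# Set "key<sep>value" in a file: replace an existing line for key, else append.
# Used so that existing settings in the file are kept.
set_key() {
    local file="$1" key="$2" sep="$3" value="$4"
    touch "$file"
    if grep -q "^$key[ =]" "$file"; then
        sed -i "s|^$key[ =].*|$key$sep$value|" "$file"
    else
        echo "$key$sep$value" >> "$file"
    fi
}

# Hostname and default gateway live in /etc/sysconfig/network; forwarding in
# /etc/sysctl.conf (CentOS 6 ships it there as "net.ipv4.ip_forward = 0").
write_gateway_and_forwarding() {
    local root="$1" hostname="$2" gw="$3"
    mkdir -p "$root/etc/sysconfig"
    set_key "$root/etc/sysconfig/network" NETWORKING "=" yes
    set_key "$root/etc/sysconfig/network" HOSTNAME "=" "$hostname"
    set_key "$root/etc/sysconfig/network" GATEWAY "=" "$gw"
    set_key "$root/etc/sysctl.conf" net.ipv4.ip_forward " = " 1
}

# Write one route-<iface> file per interface. Each line is "<dest> via <gw>",
# the iproute2-style syntax ifup-routes accepts; it appends "dev <iface>" itself.
write_route_files() {
    local root="$1" spec="$2" dir iface dest gw
    dir="$root/etc/sysconfig/network-scripts"
    mkdir -p "$dir"
    # Truncate the files first so a re-run replaces instead of appending.
    printf '%s\n' "$spec" | awk 'NF==3 {print $1}' | sort -u | while read -r iface; do
        : > "$dir/route-$iface"
    done
    printf '%s\n' "$spec" | while read -r iface dest gw; do
        [ -n "$iface" ] || continue
        echo "$dest via $gw" >> "$dir/route-$iface"
    done
}

# Number of routes rendered for one interface (self-check).
route_count() {
    grep -c ' via ' "$1/etc/sysconfig/network-scripts/route-$2"
}

main() {
    local root="${1:-}"
    write_gateway_and_forwarding "$root" router03.home.lan 192.168.210.250
    write_route_files "$root" "$ROUTER3_ROUTES"
    echo "rendered $(route_count "$root" eth0) route(s) for eth0, $(route_count "$root" eth1) for eth1"
    # Only activate when writing to the real filesystem as root.
    if [ -z "$root" ] && [ "$(id -u)" -eq 0 ]; then
        sysctl -p >/dev/null
        service network restart
    fi
}

# "render" alone writes to / and applies; "render /tmp/scratch" only renders
# the files under that directory so they can be reviewed first.
case "${1:-}" in
    render) main "${2:-}" ;;
esac
```

The same script serves the other routers by swapping the hostname, default gateway and route list; ROUTER4 needs no route file at all, only GATEWAY=192.168.202.250.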

 

STEP 4 - Testing

From every router and every host you should be able to ping every other subnet without getting ICMP redirects, and a traceroute to every network should complete without timeouts. A redirect means the router you handed the packet to had to send it back out the interface it arrived on, towards a neighbour on the same link that you could have used directly: a specific route is missing on that hop and the default route is doing the work. Timeouts in traceroute point the other way, at a hop that has no route back to you. Congratulations, you've just set up a simple statically routed network. You can now go on and add more subnets to it, and you can add iptables rules on the routers to allow or block traffic to and from particular subnets or addresses.
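To make the check repeatable, here is an added example (not part of the page) that runs ping and traceroute against the gateway address of every subnet and flags exactly the two symptoms described above: an ICMP redirect in the ping output, and an unanswered hop in the traceroute. The gateway list is taken from STEP 1; the script, its function names and the "run" argument are this example's own. Run it on each router and on a host in each subnet.

```shell
#!/bin/bash
# Added example, not the page's own test procedure.
set -u

# One gateway address per subnet, from STEP 1.
GATEWAYS="192.168.40.200 192.168.210.250 192.168.200.250 192.168.201.250 192.168.202.250 192.168.204.250"

# True if the ping output contains an ICMP redirect. Linux ping reports one as
# "From 192.168.210.250 icmp_seq=1 Redirect Host(New nexthop: 192.168.210.248)".
ping_has_redirect() {
    printf '%s\n' "$1" | grep -q 'Redirect'
}

# True if the ping summary line shows at least one reply.
ping_got_reply() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+ packets transmitted, [1-9][0-9]* received'
}

# True if any traceroute hop line contains an unanswered probe ("*").
traceroute_has_timeout() {
    printf '%s\n' "$1" | grep -Eq '^ *[0-9]+ .*\*'
}

# Address of the router that sent the redirect, for the report.
redirect_source() {
    printf '%s\n' "$1" | sed -n 's/^From \([0-9.]*\).*Redirect.*/\1/p' | head -n1
}

# Probe one destination and print a verdict; non-zero status on any failure.
check_target() {
    local dst="$1" pout tout rc=0
    pout="$(ping -c 3 -W 2 "$dst" 2>&1)"
    tout="$(traceroute -n -w 2 -q 1 "$dst" 2>&1)"
    if ! ping_got_reply "$pout"; then
        echo "FAIL $dst: no reply"; rc=1
    elif ping_has_redirect "$pout"; then
        echo "FAIL $dst: ICMP redirect from $(redirect_source "$pout"), that router lacks a specific route"; rc=1
    elif traceroute_has_timeout "$tout"; then
        echo "FAIL $dst: traceroute has unanswered hops"; rc=1
    else
        echo "ok   $dst"
    fi
    return $rc
}

# Check every gateway; exit status is the number of failing targets capped at 1.
main() {
    local fails=0 gw
    for gw in $GATEWAYS; do
        check_target "$gw" || fails=$((fails + 1))
    done
    echo "$fails failing target(s)"
    [ "$fails" -eq 0 ]
}

case "${1:-}" in
    run) main ;;
esac
```

The parsing functions take the command output as a string so they can be exercised on captured output without a live network; the redirect message format is the one printed by iputils ping on CentOS 6.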