Topology
Router Basic Settings
Create two network interfaces
one external (enp0s3)
one internal (enp0s8)
Install net-tools
dnf install net-tools
Show interface information
ifconfig
Because enp0s3 is in NAT mode, its IP is fixed to the default 10.0.2.15
Configure the internal interface
My internal interface is enp0s8
vim /etc/sysconfig/network-scripts/ifcfg-enp0s8
DEVICE=enp0s8
ONBOOT=yes
IPADDR=10.113.25.254
NETMASK=255.255.255.0
Restart the interface
ifdown enp0s8
ifup enp0s8
Wireguard
Install Wireguard on CentOS 8
sudo yum install elrepo-release epel-release
sudo yum install kmod-wireguard wireguard-tools
Create the client interface wg0 (the umask must apply in the same shell as touch, so the key-bearing config is created mode 600)
mkdir -v /etc/wireguard
sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
Client Configurations
vim /etc/wireguard/wg0.conf
[Interface]
Address=10.113.0.25/32
PrivateKey=[CLIENT PRIVATE KEY]
[Peer]
PublicKey=[SERVER PUBLIC KEY]
AllowedIPs=10.113.0.0/16
Endpoint=[SERVER ENDPOINT]:51820
PersistentKeepalive=25
Start / stop / enable
start
wg-quick up wg0
stop
wg-quick down wg0
enable
systemctl enable wg-quick@wg0
DHCP Server
Installation
dnf install dhcp-server
Server Configurations
example dhcpd.conf: /usr/share/doc/dhcp-server/dhcpd.conf.example
vim /etc/dhcp/dhcpd.conf
option domain-name "0846101.nasa";
option domain-name-servers 8.8.8.8;
authoritative;
default-lease-time 600;
max-lease-time 7200;
host fixed-ip-agent{
hardware ethernet 08:00:27:ca:aa:fa; # the agent's MAC address (dhcpd.conf comments use #)
fixed-address 10.113.25.129;
}
subnet 10.113.25.0 netmask 255.255.255.0 {
range 10.113.25.100 10.113.25.200;
option routers 10.113.25.254;
}
Start Service
systemctl start dhcpd
systemctl enable --now dhcpd
Firewall settings
firewall-cmd --zone=public --permanent --add-service=dhcp
firewall-cmd --reload
Routing - NAT & iptables
If you set up NAT you also have to configure the firewall at the same time
On CentOS 8 I use iptables
Install iptables
dnf install iptables-services iptables-utils -y
Before starting iptables, stop the default firewalld to avoid conflicts between the two
systemctl stop firewalld
systemctl disable firewalld
Enable iptables
systemctl enable iptables
systemctl start iptables
NAT Configuration in iptables
Set up the router's forwarding
First check whether any NAT rules exist
iptables -t nat -nvL
You will not see any rules, because nothing has been configured yet
Masquerade traffic leaving through the external interface enp0s3
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
Run the listing again
iptables -t nat -nvL
and the MASQUERADE rule now appears under POSTROUTING
Save the configuration
iptables-save
Switch to root and write the rules to the file the iptables service loads at start-up
iptables-save > /etc/sysconfig/iptables
Edit the iptables rules file and add these FORWARD rules to the *filter section (before its COMMIT line)
vim /etc/sysconfig/iptables
*filter
-A FORWARD -i enp0s3 -o enp0s8 -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Restart iptables
systemctl restart iptables
ls /etc/sysctl.d
vim /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p /etc/sysctl.d/99-sysctl.conf
Firewall
- By default, all connections from outside (including the Intranet) to your subnet should be rejected.
- By default, all services only trust connections from your subnet (for example, you cannot SSH to "Router" from your test IP (10.113.254.ID) directly, so you may need to create a VM to help you "jump" into your subnet).
- SSH connections from anywhere to "Agent" are allowed.
- ICMP connections from anywhere to anywhere are allowed.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [650:94130]
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p all -s 192.168.56.1 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 10.113.25.129 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.113.25.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-P FORWARD DROP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -d 10.113.25.129 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.113.25.0/24 -j ACCEPT
# no blanket "-i enp0s3 -o enp0s8 -j ACCEPT" here: it would admit every outside-initiated connection into the subnet; replies are covered by RELATED,ESTABLISHED below
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Restart iptables
systemctl restart iptables
Run this to check the loaded rules
iptables -t filter --list
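As an added example (not part of these notes), a small Python first-match simulator for the FORWARD chain above lets you check the four requirements against the rules without a root shell. It models only the match options used on this page, leaves out the blanket enp0s3 -> enp0s8 accept, and uses 10.113.254.1 as a stand-in for the test IP 10.113.254.ID.

```python
import ipaddress

# FORWARD chain of the firewall section (chain policy DROP), minus the
# blanket "-i enp0s3 -o enp0s8 -j ACCEPT", which would admit every
# outside-initiated connection into the subnet.
FORWARD_RULES = [
    "-p icmp -j ACCEPT",
    "-d 10.113.25.129 -p tcp --dport 22 -j ACCEPT",
    "-s 10.113.25.0/24 -j ACCEPT",
    "-i enp0s8 -o enp0s3 -j ACCEPT",
    "-m state --state RELATED,ESTABLISHED -j ACCEPT",
]

def parse_rule(text):
    """'-s 10.113.25.0/24 -j ACCEPT' -> {'-s': '10.113.25.0/24', '-j': 'ACCEPT'}."""
    tokens = text.split()
    return dict(zip(tokens[0::2], tokens[1::2]))

def matches(rule, pkt):
    """True when every match option of the rule holds; -m and -j are not matches."""
    checks = {
        "-i": lambda v: pkt["in_if"] == v,
        "-o": lambda v: pkt["out_if"] == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v),
        "-p": lambda v: pkt["proto"] == v,
        "--dport": lambda v: pkt["dport"] == int(v),
        "--state": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[opt](val) for opt, val in rule.items() if opt in checks)

def verdict(pkt, rules=FORWARD_RULES, policy="DROP"):
    """iptables semantics: the first matching rule's target wins, else the chain policy."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["-j"]
    return policy

def packet(in_if, out_if, src, dst, proto="tcp", dport=None, state="NEW"):
    """Constructed packet summary; 'state' is what conntrack would report."""
    return {"in_if": in_if, "out_if": out_if, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "state": state}

if __name__ == "__main__":
    outside, agent, host = "10.113.254.1", "10.113.25.129", "10.113.25.150"  # constructed
    print("outside -> host:80   ", verdict(packet("enp0s3", "enp0s8", outside, host, dport=80)))
    print("outside -> agent:22  ", verdict(packet("enp0s3", "enp0s8", outside, agent, dport=22)))
    print("host -> outside:443  ", verdict(packet("enp0s8", "enp0s3", host, outside, dport=443)))
    print("reply to host        ", verdict(packet("enp0s3", "enp0s8", outside, host, dport=40000, state="ESTABLISHED")))
    print("icmp outside -> host ", verdict(packet("enp0s3", "enp0s8", outside, host, proto="icmp")))
```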