How To: CentOS 7 Router


I have had to create a few CentOS 7 minimal router systems over the past few weeks for my research environments and decided to document the process. CentOS 7 makes use of systemd and firewalld, a change from previous versions, which were openrc and iptables based. Creating a minimal router system is fairly straightforward and, after the initial installation, can be completed in a very short amount of time with minimal dependencies.

To act as a router, the system needs multiple network interface cards assigned to it. In this article we will focus on a system with two network interfaces. One will be considered the public interface and the other will be the private interface. Network Address Translation (NAT) will be used to pass traffic from the public interface through the router to the systems located on the private LAN.

First, install CentOS 7 on the system from the minimal installation media. You can set the hostname and address information during installation, or wait until afterwards and edit the configuration files manually. Once the installation is complete, perform the following actions:

Change the hostname:

vi /etc/hostname

Change the IP address of the first network interface:
(Note: your network interface may be named something different than eth0)

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Add the following information to the file:


Change the IP address of the second network interface:

vi /etc/sysconfig/network-scripts/ifcfg-eth1

Add the following information to the file:


Run the following command to restart the networking service:

systemctl restart network

Now the firewall service has to be configured to support NAT:

First create the following file to allow IP forwarding:

vi /etc/sysctl.d/ip_forward.conf

In the file add the following line:


Then run the following command to activate IP forwarding:

sysctl -p /etc/sysctl.d/ip_forward.conf

Now we need to create a firewall rule to allow IP masquerading between the public and private interfaces:

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth0 -j MASQUERADE -s <PRIVATE_NETID>/<NETMASK_CIDR_PREFIX>

Now assign eth0 to the external firewall zone:

firewall-cmd --change-interface=eth0 --zone=external --permanent

Set the default zone to the internal zone:

firewall-cmd --set-default-zone=internal

Reload the firewall service:

firewall-cmd --complete-reload

Now restart the networking and firewall services:

systemctl restart network && systemctl restart firewalld

Verify that the firewall settings persisted through the reload:

firewall-cmd --list-all 
firewall-cmd --list-all --zone=external
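
A scripted form of the verification step above, added here as an example and not part of the original article: it reads the `firewall-cmd --list-all --zone=external` listing on stdin and checks that the public interface is bound to the zone, that masquerading is on, and that no unexpected service is open on the public side. The function names, the allowed-service list and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit the text printed by
#   firewall-cmd --list-all --zone=external
# On the router: firewall-cmd --list-all --zone=external | audit_zone eth0 "ssh"

# zone_field NAME: print the value of one "name: value" line read from stdin.
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# audit_zone IFACE ALLOWED: listing on stdin; ALLOWED is a space-separated list
# of services you expect on the public side (an assumption of this example).
# Prints one FAIL line per finding and returns 1 if there was any.
audit_zone() {
    iface=$1 allowed=$2 rc=0
    listing=$(cat)
    ifaces=$(printf '%s\n' "$listing" | zone_field interfaces)
    masq=$(printf '%s\n' "$listing" | zone_field masquerade)
    services=$(printf '%s\n' "$listing" | zone_field services)
    case " $ifaces " in
        *" $iface "*) ;;
        *) echo "FAIL: $iface is not bound to this zone"; rc=1 ;;
    esac
    [ "$masq" = "yes" ] || { echo "FAIL: masquerade is '$masq'"; rc=1; }
    for svc in $services; do
        case " $allowed " in
            *" $svc "*) ;;
            *) echo "FAIL: unexpected service '$svc' open on $iface"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listings, not captured from a real host.
sample_good() {
    printf '%s\n' 'external (active)' '  interfaces: eth0' '  sources:' \
        '  services: ssh' '  ports:' '  masquerade: yes' '  forward-ports:'
}
sample_bad() {
    printf '%s\n' 'external (active)' '  interfaces: eth1' '  sources:' \
        '  services: ssh samba' '  ports:' '  masquerade: no' '  forward-ports:'
}

sample_good | audit_zone eth0 "ssh" && echo "external zone OK"
sample_bad | audit_zone eth0 "ssh" || echo "external zone needs attention"
```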

That’s it! Now test to see if it works by connecting a system to the private side of the router. Then assign it an IP address and subnet mask on the private LAN, and set the default gateway to the private interface on the router. DNS should be set to the same DNS server that the router is using unless you are running a private DNS server on your LAN.

2 Responses to “How To: CentOS 7 Router”

  1. Dan

    Quick and dirty. I like it. I think it’ll be interesting to try it out with a wireless interface as well and see if it goes so smoothly.

  2. Ronny

    A wireless interface is just another network interface on the system. I don’t see why it wouldn’t work; basically you would be creating a wireless router. Wired WAN interface and wireless LAN interface.