Firewalld : IP Masquerade2016/04/10 |
It is how to configure IP Masquerading with Firewalld. This examples are based on the environment below.
---------+--------- Gateway|192.168.0.1 | External | eth1|192.168.0.30 +--------+---------+ | | | dlp.srv.world | | | +--------+---------+ eth0|10.0.0.30 Internal | |
[1] | Change zones for interfaces. |
# show current setting [root@dlp ~]# firewall-cmd --get-active-zone public interfaces: eth0 eth1 # change zone [root@dlp ~]# nmcli c mod eth0 connection.zone internal [root@dlp ~]# nmcli c mod eth1 connection.zone external
firewall-cmd --get-active-zone internal interfaces: eth0 external interfaces: eth1 |
[2] | Set IP Masquerading on External zone. |
# set IP Masquerading [root@dlp ~]# firewall-cmd --zone=external --add-masquerade --permanent success [root@dlp ~]# firewall-cmd --reload success # show setting [root@dlp ~]# firewall-cmd --zone=external --query-masquerade yes # ip_forward is enabled automatically if masquerading is enabled. [root@dlp ~]# cat /proc/sys/net/ipv4/ip_forward 1 |
[3] | For example, Configure that incoming packets come to 22 port of External zone are forwarded to local 1234 port. (if set permanently, add "--permanent" option) |
[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234 success [root@dlp ~]# firewall-cmd --list-all --zone=external external (active) interfaces: eth1 sources: services: ssh ports: masquerade: yes forward-ports: port=22:proto=tcp:toport=1234:toaddr= icmp-blocks: rich rules: |
[4] | For example, Configure that incoming packets come to 22 port of External zone are forwarded to another Host(192.168.0.31) of 22 port. |
[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31 success [root@dlp ~]# firewall-cmd --list-all --zone=external external (active) interfaces: eth1 sources: services: ssh ports: masquerade: yes forward-ports: port=22:proto=tcp:toport=22:toaddr=10.0.0.31 icmp-blocks: rich rules: |
[5] | For example, Configure that outgoing packets through the Server from Internal network(10.0.0.0/24) are allowed and forwarded to External side. |
# set masquerading to internal zone [root@dlp ~]# firewall-cmd --zone=internal --add-masquerade --permanent success [root@dlp ~]# firewall-cmd --reload success firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE [root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT [root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT |
Sponsored Link |