2020年8月4日 星期二

Firewalld : IP Masquerade

Firewalld : IP Masquerade
2019/09/27
 
This is configration example of IP Masquerading with Firewalld.
This exmaple is based on the environment like follows.
-------------+-------------
      Gateway|192.168.0.1
             |
External     |
         ens8|192.168.0.30
+------------+------------+
|                         |
|      dlp.srv.world      |
|                         |
+------------+------------+
         ens2|10.0.0.30
Internal     |
             |
[1]Change zones for interfaces.
# show current setting

[root@dlp ~]# 
firewall-cmd --get-active-zone

public
  interfaces: ens2 ens8

# change zone

[root@dlp ~]# 
nmcli connection modify ens2 connection.zone internal

[root@dlp ~]# 
nmcli connection modify ens8 connection.zone external
[root@dlp ~]# 
firewall-cmd --get-active-zone

external
  interfaces: ens8
internal
  interfaces: ens2
[2]Set IP Masquerading on External zone.
# set IP Masquerading

[root@dlp ~]# 
firewall-cmd --zone=external --add-masquerade --permanent

success
[root@dlp ~]# 
firewall-cmd --reload

success
# show setting

[root@dlp ~]# 
firewall-cmd --zone=external --query-masquerade

yes
# [ip_forward] is enabled automatically if masquerading is enabled

[root@dlp ~]# 
cat /proc/sys/net/ipv4/ip_forward

1
[3]For example, Configure that incoming packets come to 22 port of External zone are forwarded to local 1234 port.
(if set permanently, add [--permanent] option)
[root@dlp ~]# 
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234

success
[root@dlp ~]# 
firewall-cmd --list-all --zone=external

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens8
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=1234:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
[4]For example, Configure that incoming packets come to 22 port of External zone are forwarded to another Host [192.168.0.31] of 22 port.-
[root@dlp ~]# 
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31

success
[root@dlp ~]# 
firewall-cmd --list-all --zone=external

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens8
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=192.168.0.31
  source-ports:
  icmp-blocks:
  rich rules:
[5]For exmaple, Configure that outgoing packets through the Server from Internal network [10.0.0.0/24] are allowed and forwarded to External side.
# set masquerading to internal zone

[root@dlp ~]# 
firewall-cmd --zone=internal --add-masquerade --permanent

success
[root@dlp ~]# 
firewall-cmd --reload

success
[root@dlp ~]# 
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens8 -j MASQUERADE

[root@dlp ~]# 
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens2 -o ens8 -j ACCEPT

[root@dlp ~]# 
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens8 -o ens2 -m state --state RELATED,ESTABLISHED -j ACCEPT

沒有留言:

張貼留言