Firewalld : IP Masquerade
2019/09/27
This is a configuration example of IP Masquerading with Firewalld. This example is based on the following environment.

             -------------+-------------
                   Gateway|192.168.0.1
                          |
             External     |
                      ens8|192.168.0.30
             +------------+------------+
             |                         |
             |      dlp.srv.world      |
             |                         |
             +------------+------------+
                      ens2|10.0.0.30
             Internal     |
                          |
[1] Change zones for interfaces.

# show current setting
[root@dlp ~]# firewall-cmd --get-active-zone
public
  interfaces: ens2 ens8

# change zone
[root@dlp ~]# nmcli connection modify ens2 connection.zone internal
[root@dlp ~]# nmcli connection modify ens8 connection.zone external
[root@dlp ~]# firewall-cmd --get-active-zone
external
  interfaces: ens8
internal
  interfaces: ens2
[2] Set IP Masquerading on the External zone.

# set IP Masquerading
[root@dlp ~]# firewall-cmd --zone=external --add-masquerade --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
# show setting
[root@dlp ~]# firewall-cmd --zone=external --query-masquerade
yes
# [ip_forward] is enabled automatically if masquerading is enabled
[root@dlp ~]# cat /proc/sys/net/ipv4/ip_forward
1
[3] For example, configure it so that incoming packets arriving at port 22 of the External zone are forwarded to local port 1234. (To set it permanently, add the [--permanent] option.)

[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens8
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=1234:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
[4] For example, configure it so that incoming packets arriving at port 22 of the External zone are forwarded to port 22 of another host [192.168.0.31].

[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens8
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=192.168.0.31
  source-ports:
  icmp-blocks:
  rich rules:
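An added audit helper (example code, not part of the original page or of firewalld) that parses the zone listing shown in steps [3] and [4] offline, so the forward-ports a masquerading gateway has accumulated can be reviewed without touching the live firewall; masquerade_enabled and parse_forward_ports are constructed names, and the embedded zone dump is a constructed sample.

```shell
# Added example (not from the original page): audit a zone dump from
# "firewall-cmd --list-all --zone=<zone>" offline, to review which ports a
# masquerading gateway redirects and where. Names and sample are constructed.

# Constructed sample in the shape of step [4]'s output.
SAMPLE_EXTERNAL='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens8
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
        port=22:proto=tcp:toport=22:toaddr=192.168.0.31
        port=8080:proto=tcp:toport=80:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:'

# Zone dump on stdin -> "yes" or "no" for its masquerade flag.
masquerade_enabled() {
  awk '/^[ \t]*masquerade:/ { print $2; found = 1 }
       END { if (!found) print "no" }'
}

# Zone dump on stdin -> one line per forward-port entry: "port proto toport toaddr".
# Handles entries on their own lines (above) and older builds that put them after
# "forward-ports:" on one line. Empty toaddr = stays on this host, printed as "local".
parse_forward_ports() {
  awk '
    /^[ \t]*forward-ports:/ { infp = 1; sub(/^[ \t]*forward-ports:[ \t]*/, "") }
    /^[ \t]*[a-z -]+:/      { infp = 0 }   # next "key:" line ends the section
    infp && /port=/ {
      for (f = 1; f <= NF; f++) {
        port = ""; proto = ""; toport = ""; toaddr = ""
        n = split($f, kv, ":")
        for (i = 1; i <= n; i++) {
          split(kv[i], p, "=")
          if (p[1] == "port") port = p[2]
          else if (p[1] == "proto") proto = p[2]
          else if (p[1] == "toport") toport = p[2]
          else if (p[1] == "toaddr") toaddr = p[2]
        }
        if (toaddr == "") toaddr = "local"
        print port, proto, toport, toaddr
      }
    }'
}
```

The same two functions read live output of firewall-cmd --list-all on stdin, so the sample variable is only there to make the block runnable offline.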
[5] For example, configure it so that outgoing packets from the Internal network [10.0.0.0/24] passing through the server are allowed and forwarded to the External side.

# set masquerading to internal zone
[root@dlp ~]# firewall-cmd --zone=internal --add-masquerade --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o ens8 -j MASQUERADE
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens2 -o ens8 -j ACCEPT
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens8 -o ens2 -m state --state RELATED,ESTABLISHED -j ACCEPT