Hello!
I'm looking for a solution regarding masquerade under CentOS 7 used as a rich rule. The server has 2 NICs - one in the internal zone and the second one in the external zone. Masquerade is configured in the external zone of course. When I use the formula:
# firewall-cmd --zone=external --add-masquerade
I get this response from the system:
[root@ama zones]# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: http ssh
ports: 554/tcp 3390/tcp 50050/tcp 7000/tcp 8000/tcp 40389/tcp 6036/tcp 3389/tcp 6037/tcp
protocols:
masquerade: yes
forward-ports: port=8000:proto=tcp:toport=8000:toaddr=192.168.1.220
port=7000:proto=tcp:toport=7000:toaddr=192.168.1.94
.
.
port=6036:proto=tcp:toport=6036:toaddr=192.168.1.122
sourceports:
icmp-blocks:
rich rules:
In this case everything works properly from hosts in the internal zone (DNS works, ping, the browser can open www, etc.).
But in theory -> https://www.rootusers.com/how-to-use-fi ... g-and-nat/ the same result can be obtained with a rich rule.
First I'm using a rich rule for the whole network in the internal zone:
# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'
and I get this response from the system:
[root@ama zones]# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: http ssh
ports: 554/tcp 3390/tcp 50050/tcp 7000/tcp 8000/tcp 40389/tcp 6036/tcp 3389/tcp 6037/tcp
protocols:
masquerade: no
forward-ports: port=8000:proto=tcp:toport=8000:toaddr=192.168.1.220
port=7000:proto=tcp:toport=7000:toaddr=192.168.1.94
.
.
port=6036:proto=tcp:toport=6036:toaddr=192.168.1.122
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" masquerade
Unfortunately, masquerade configured this way doesn't work. I've tried using a wider network size (192.168.0.0/24) or only one host (192.168.1.10/32), with a positive system response (firewall-cmd --zone=external --list-all), but masquerade doesn't work. I need a firewall configuration where some hosts act only as squid clients for Internet browsing only, and masquerade for hosts from a subnet, for example hosts in the range 192.168.1.0/26.
The above-mentioned port forwarding is part of the external zone configuration and works without problems.
Does somebody have an idea why rich-rule masquerade doesn't work, or another idea how to solve this issue?
el_jot
Firewalld - masquerade doesn't work as rich rule
Re: Firewalld - masquerade doesn't work as rich rule
Hi!
I'm still searching for a solution for selective masquerade under firewalld control. So far without result.
I've tried using a direct rule too, used as:
#firewall-cmd --zone=external --direct --add-rule ipv4 nat POSTROUTING 0 -m iprange --src-range 192.168.1.10-192.168.1.20 -o enp0s25 -j MASQUERADE
The system accepts such a rule, which is reported when I query "# firewall-cmd --direct --get-all-rules --zone=external", but nothing changes.
I'm using CentOS 3.10.0-693.5.2.el7.x86_64
I've also tried to insert a general direct rule into the filter table:
# firewall-cmd --zone=external --direct --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp0s25 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Unfortunately, still no result. Only the general rule # firewall-cmd --zone=external --add-masquerade is working, but no restriction to an address range is possible.
Have I missed something?
el_jot
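An added audit check, not from the thread and not part of firewalld, that reasons only about the text of `firewall-cmd --zone=external --list-all`: it tells zone-wide masquerade apart from source-restricted rich-rule masquerade and tests whether a given client address falls inside the rich rule's source, which is useful for spotting NAT that is broader than intended. The zone listing below is a constructed sample shaped like the one in the posts above, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=external --list-all` output, shaped like
# the thread's listing (zone masquerade off, one source-restricted masquerade rich rule).
SAMPLE_ZONE='external (active)
  target: default
  interfaces: enp0s25
  sources:
  services: http ssh
  masquerade: no
  forward-ports: port=8000:proto=tcp:toport=8000:toaddr=192.168.1.220
        port=7000:proto=tcp:toport=7000:toaddr=192.168.1.94
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" masquerade'

# Classify a zone listing: "global" (zone-wide masquerade, or a masquerade rich rule with
# no source address), "selective <cidr ...>" (only the listed sources), or "none".
masquerade_scope() {
    zone_masq=$(printf '%s\n' "$1" | awk '/^[[:space:]]*masquerade:/ { print $2 }')
    rich_masq=$(printf '%s\n' "$1" | awk '/^[[:space:]]*rule / && /masquerade/ { n++ } END { print n + 0 }')
    rich_src=$(printf '%s\n' "$1" | awk '/^[[:space:]]*rule / && /masquerade/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^address=/) { gsub(/address=|"/, "", $i); print $i } }')
    src_count=$(printf '%s' "$rich_src" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$zone_masq" = yes ] || [ "$rich_masq" -gt "$src_count" ]; then echo global
    elif [ "$src_count" -gt 0 ]; then echo "selective $(printf '%s' "$rich_src" | tr '\n' ' ')"
    else echo none; fi
}

# Exit 0 when IPv4 address $2 lies inside CIDR $1 (pure awk arithmetic, no external tools).
cidr_contains() {
    awk -v cidr="$1" -v ip="$2" '
    function toint(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    BEGIN { n = split(cidr, c, "/"); bits = (n == 2) ? c[2] : 32; block = 2 ^ (32 - bits)
            if (int(toint(c[1]) / block) == int(toint(ip) / block)) exit 0; exit 1 }'
}

# Answer "yes"/"no": would a client with address $2 be covered by the masquerade
# configuration shown in listing $1? (Reasons only about the listing, not about the kernel.)
would_masquerade() {
    scope=$(masquerade_scope "$1")
    case "$scope" in global) echo yes; return ;; none) echo no; return ;; esac
    for cidr in ${scope#selective }; do
        cidr_contains "$cidr" "$2" && { echo yes; return; }
    done
    echo no
}
```

Feed it a live listing with `would_masquerade "$(firewall-cmd --zone=external --list-all)" 192.168.1.94` to check one client at a time.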