Firewalld - masquerade doesn't work as rich rule

[el_jot]

Hello!
I'm looking for solution regarding masquerade under Centos7 used as rich-rule. Server has 2 NICs - one in internal zone and second one in external zone. Masquerade is configured in external zone of course. When I'm using formula:

#firewalld-cmd --zone=external --add-masquerade

I get such response from system:

root@ama zones]# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: http ssh
ports: 554/tcp 3390/tcp 50050/tcp 7000/tcp 8000/tcp 40389/tcp 6036/tcp 3389/tcp 6037/tcp
protocols:
masquerade: yes
forward-ports: port=8000:proto=tcp:toport=8000:toaddr=192.168.1.220
port=7000:proto=tcp:toport=7000:toaddr=192.168.1.94
.
.
port=6036:proto=tcp:toport=6036:toaddr=192.168.1.122
sourceports:
icmp-blocks:
rich rules:""

In this case everything working properly from hosts in internal zone (function DNS, ping, browser can open www, etc.)

But in theory -> https://www.rootusers.com/how-to-use-fi ... g-and-nat/ the same result can be obtained with rich-rule

First I can using rich-rule to the whole network in internal zone:

# firewall-cmd --zone=external --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'

and I get response from system:

[root@ama zones]# firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: http ssh
ports: 554/tcp 3390/tcp 50050/tcp 7000/tcp 8000/tcp 40389/tcp 6036/tcp 3389/tcp 6037/tcp
protocols:
masquerade: no
forward-ports: port=8000:proto=tcp:toport=8000:toaddr=192.168.1.220
port=7000:proto=tcp:toport=7000:toaddr=192.168.1.94
.
.
port=6036:proto=tcp:toport=6036:toaddr=192.168.1.122
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" masquerade

Unfortunately, such configured masquerade doesn't work. I've tried using wider network size (192.168.0.0/24) or only one host (192.168.1.10/32) with positive system response (firewall-cmd --zone=external --list-all) but masquerade doesn't work . I need firewall configuration for some hosts acting only as squid clients for Internet browsing only and masquerade for host from subnet for example for hosts in range 192.168.1.0/26.
Upper mentioned port forwarding is a part of external zone configuration and working without problem.

Do somebody has idea why rich-rule masquerade doesn't work or have another idea how to solve this issue?

el_jot

[el_jot]

Hi!

I'm still searching solution for selective masquerade under firewalld control. So far without result .
I've tried using direct rule too used as:

#firewall-cmd --zone=external --direct --add-rule ipv4 nat POSTROUTING 0 -m iprange --src-range 192.168.1.10-192.168.1.20 -o enp0s25 -j MASQUERADE

System accepts such rule which is reported when I'm querry: "#firewall-cmd --direct --get-all-rules --zone=external" but nothing changes
Im using Centos 3.10.0-693.5.2.el7.x86_64
I've tried also to insert general direct rule to filter table:

# firewall-cmd --zone=external --direct --add-rule ipv4 filter FORWARD 0 -i enp3s0 -o enp0s25 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Unfortunately, still no result. Only general rule: #firewalld-cmd --zone=external --add-masquerade working but no restriction for address range is possible .
Do I've missed something?

el_jot