Firewalld iptables error

ronatartifact
Posts: 17
Joined: 2008/11/19 04:41:58
Location: Montreal

Post by ronatartifact » 2015/02/26 06:52:21

I have firewalld working pretty well using direct.xml to route certain accesses from the internal zone to the DMZ, and now I want certain DMZ traffic (http) that is directed to the firewall to be rerouted back to the web server inside the DMZ. This is for convenience: when making changes in the DMZ, it is sometimes nice to open a browser and see if your change worked.

Firewalld seems to be creating the correct iptables command, but it does not work.
When I copy and paste the command from the error message into a terminal, it works and does what I want.

direct.xml has
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 600</rule>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 601</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -m mark --mark 600 -j DNAT --to-destination 192.168.2.2:80</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -m mark --mark 601 -j DNAT --to-destination 192.168.2.2:443</rule>

After firewall-cmd --reload, the firewalld log has these errors:
2015-02-26 01:07:53 WARNING: COMMAND_FAILED: '/sbin/iptables -t mangle -I PRE_dmz_allow 1 -p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 600' failed: iptables: No chain/target/match by that name.
2015-02-26 01:07:53 WARNING: COMMAND_FAILED: '/sbin/iptables -t mangle -I PRE_dmz_allow 1 -p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 601' failed: iptables: No chain/target/match by that name.
2015-02-26 01:07:53 WARNING: COMMAND_FAILED: '/sbin/iptables -t nat -I PRE_dmz_allow 1 -p tcp -m mark --mark 600 -j DNAT --to-destination 192.168.2.2:80' failed: iptables: No chain/target/match by that name.
2015-02-26 01:07:53 WARNING: COMMAND_FAILED: '/sbin/iptables -t nat -I PRE_dmz_allow 1 -p tcp -m mark --mark 601 -j DNAT --to-destination 192.168.2.2:443' failed: iptables: No chain/target/match by that name.

If I copy and paste the commands that Firewalld said caused an error, they work:
[root@firewall0 log]# /sbin/iptables -t nat -I PRE_dmz_allow 1 -p tcp -m mark --mark 601 -j DNAT --to-destination 192.168.2.2:443
[root@firewall0 log]# /sbin/iptables -t nat -I PRE_dmz_allow 1 -p tcp -m mark --mark 600 -j DNAT --to-destination 192.168.2.2:80
[root@firewall0 log]# /sbin/iptables -t mangle -I PRE_dmz_allow 1 -p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 600
[root@firewall0 log]# /sbin/iptables -t mangle -I PRE_dmz_allow 1 -p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 601

iptables reports

in mangle:

Chain PRE_dmz_allow (1 references)
target prot opt source destination
MARK tcp -- anywhere modemcable202.xxx.ca tcp dpt:https MARK set 0x259
MARK tcp -- anywhere modemcable202.xxx.ca tcp dpt:http MARK set 0x258

in nat:

Chain PRE_dmz_allow (1 references)
target prot opt source destination
DNAT tcp -- anywhere anywhere mark match 0x258 to:192.168.2.2:80
DNAT tcp -- anywhere anywhere mark match 0x259 to:192.168.2.2:443

which is what I expected and allows servers in the DMZ to reference our hosted web sites.

BTW, direct.xml also includes similar rules:
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_internal_allow">-p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 500</rule>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_internal_allow">-p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 501</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_internal_allow">-p tcp -m mark --mark 500 -j DNAT --to-destination 192.168.2.2:80</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_internal_allow">-p tcp -m mark --mark 501 -j DNAT --to-destination 192.168.2.2:443</rule>
These work just fine!
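
The COMMAND_FAILED warnings in the post mean that, at the moment firewalld issued each iptables command during the reload, either the chain (PRE_dmz_allow) or a match/target named in the rule was not available; since the same commands succeed when typed by hand afterwards, the only reliable way to know the ruleset's real state is to compare direct.xml against what the kernel actually holds after every reload. The script below is an added example, not part of the original post or of firewalld: it parses the direct.xml rules quoted above, parses `iptables -t <table> -S` output, and reports any referenced chain that does not exist and any direct rule that is absent from its chain. The `iptables -S` text is a constructed sample (not captured from the poster's firewall) modelled on the symptom described: the PRE_dmz_allow chains exist but hold none of the direct rules, while PRE_internal_allow holds all of its rules. Marks are compared numerically because `iptables -S` prints them as hex with a mask (`--set-xmark 0x1f4/0xffffffff`) while direct.xml uses decimal (`--set-mark 500`).

```python
"""Verify that firewalld direct.xml rules actually landed in the kernel after a reload."""
import shlex
import xml.etree.ElementTree as ET

# The direct.xml rules quoted in the post (both the PRE_dmz_allow and PRE_internal_allow sets).
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 600</rule>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 601</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -m mark --mark 600 -j DNAT --to-destination 192.168.2.2:80</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_dmz_allow">-p tcp -m mark --mark 601 -j DNAT --to-destination 192.168.2.2:443</rule>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_internal_allow">-p tcp -d 24.37.79.202 --dport 80 -j MARK --set-mark 500</rule>
<rule priority="0" table="mangle" ipv="ipv4" chain="PRE_internal_allow">-p tcp -d 24.37.79.202 --dport 443 -j MARK --set-mark 501</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_internal_allow">-p tcp -m mark --mark 500 -j DNAT --to-destination 192.168.2.2:80</rule>
<rule priority="0" table="nat" ipv="ipv4" chain="PRE_internal_allow">-p tcp -m mark --mark 501 -j DNAT --to-destination 192.168.2.2:443</rule>
</direct>
"""

# CONSTRUCTED sample of `iptables -t <table> -S` after a reload in which the
# PRE_dmz_allow direct rules failed: the chains exist, the rules do not.
# On a real host replace this with subprocess.run(["iptables", "-t", table, "-S"]).
IPTABLES_SAVE = {
    "mangle": """-P PREROUTING ACCEPT
-N PRE_dmz_allow
-N PRE_internal_allow
-A PRE_internal_allow -d 24.37.79.202/32 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1f4/0xffffffff
-A PRE_internal_allow -d 24.37.79.202/32 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1f5/0xffffffff
""",
    "nat": """-P PREROUTING ACCEPT
-N PRE_dmz_allow
-N PRE_internal_allow
-A PRE_internal_allow -p tcp -m mark --mark 0x1f4 -j DNAT --to-destination 192.168.2.2:80
-A PRE_internal_allow -p tcp -m mark --mark 0x1f5 -j DNAT --to-destination 192.168.2.2:443
""",
}


def parse_direct_rules(xml_text):
    """Return direct.xml <rule> elements as dicts with the rule body split into argv."""
    root = ET.fromstring(xml_text)
    return [{"ipv": r.get("ipv"), "table": r.get("table"), "chain": r.get("chain"),
             "priority": int(r.get("priority", "0")), "argv": shlex.split(r.text or "")}
            for r in root.iter("rule")]


def parse_iptables_save(text):
    """Parse `iptables -S` output into (set of chain names, {chain: [rule argv, ...]})."""
    chains, rules = set(), {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) >= 2 and argv[0] in ("-N", "-P"):
            chains.add(argv[1])
        elif len(argv) >= 2 and argv[0] == "-A":
            chains.add(argv[1])
            rules.setdefault(argv[1], []).append(argv[2:])
    return chains, rules


def fingerprint(argv):
    """Reduce a rule's argv to the fields that identify it, normalising what
    `iptables -S` rewrites: /32 on addresses, hex marks, and /mask suffixes."""
    fp = {}
    for i, tok in enumerate(argv[:-1]):
        val = argv[i + 1]
        if tok == "-p":
            fp["proto"] = val
        elif tok == "-d":
            fp["dst"] = val.split("/")[0]
        elif tok == "--dport":
            fp["dport"] = int(val)
        elif tok in ("--set-mark", "--set-xmark", "--mark"):
            fp["mark"] = int(val.split("/")[0], 0)  # accepts "600" and "0x258"
        elif tok == "-j":
            fp["target"] = val
        elif tok == "--to-destination":
            fp["to"] = val
    return tuple(sorted(fp.items()))


def check_direct_rules(xml_text, saved_by_table):
    """Report direct rules whose chain is missing or which are not installed in it."""
    missing_chains, missing_rules = set(), []
    parsed = {t: parse_iptables_save(txt) for t, txt in saved_by_table.items()}
    for rule in parse_direct_rules(xml_text):
        if rule["ipv"] != "ipv4":
            continue  # this sample feeds iptables output only; ip6tables is the same check
        chains, installed = parsed.get(rule["table"], (set(), {}))
        if rule["chain"] not in chains:
            missing_chains.add((rule["table"], rule["chain"]))
            continue
        have = {fingerprint(a) for a in installed.get(rule["chain"], [])}
        if fingerprint(rule["argv"]) not in have:
            missing_rules.append((rule["table"], rule["chain"], " ".join(rule["argv"])))
    return {"missing_chains": sorted(missing_chains), "missing_rules": missing_rules}


if __name__ == "__main__":
    result = check_direct_rules(DIRECT_XML, IPTABLES_SAVE)
    for table, chain in result["missing_chains"]:
        print(f"chain missing:      iptables -t {table} -S {chain}")
    for table, chain, args in result["missing_rules"]:
        print(f"rule not installed: iptables -t {table} -A {chain} {args}")
    if not (result["missing_chains"] or result["missing_rules"]):
        print("all direct rules present")
```

Run it right after `firewall-cmd --reload` (with the sample data replaced by live `iptables -S` output) and before relying on the DNAT: a rule that is reported missing is exactly the one whose COMMAND_FAILED line appears in the firewalld log, and inserting it by hand, as the poster did, only lasts until the next reload.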
