port forwarding with masquerade

Issues related to configuring your network
narutopgm
Posts: 5
Joined: 2015/07/29 19:53:25

port forwarding with masquerade

Post by narutopgm » 2015/07/29 20:23:01

Hi,

I have a problem with port forwarding.

I have 1 centos with 3 interfaces :

                internet
                    |
Internal - [centos] - DMZ

I want to reach the SMTP server on the internal network from the DMZ. (SMTP is just for the example.)

But when I try this:


public (default, active)
  interfaces: ens32
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

internal (active)
  interfaces: ens34
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz (active)
  interfaces: ens35
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.88.11" forward-port port="35" protocol="tcp" to-port="2525" to-addr="192.168.69.20" accept

I have a problem with the return route, because 192.168.88.11 is forwarded directly without masquerade.

And if I enable masquerade on Internal I can reach the whole internal network from the DMZ, but I don't want that.

Is it possible to have masquerade enabled only with port forwarding?

PS: Sorry for my English.
Thanks

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: port forwarding with masquerade

Post by aks » 2015/07/30 16:25:35

Something like:
Make sure routing is enabled (sysctl net.ipv4.ip_forward should return 1)
Take out your rich rule
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=internal --add-service=smtp
firewall-cmd --zone=dmz --add-forward-port=port=25:proto=tcp:toaddr=192.168.2.20

That should have NAT on external zone, forwarding from DMZ zone port 25 to internal zone port 25 and allow incoming port 25 on internal (25 is SMTP).
You can see more info/examples here: http://docs.fedoraproject.org/en-US/Fed ... g-CLI.html & http://www.certdepot.net/rhel7-get-started-firewalld/

jensd
Posts: 36
Joined: 2014/07/08 12:23:09

Re: port forwarding with masquerade

Post by jensd » 2015/07/31 08:14:12

For firewalld, I would need to look up some things.

To do this with iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.202.103:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.202.103 --dport 80 -j SNAT --to-source 192.168.202.128

More information: http://jensd.be/343/linux/forward-a-tcp ... h-iptables

narutopgm
Posts: 5
Joined: 2015/07/29 19:53:25

Re: port forwarding with masquerade

Post by narutopgm » 2015/07/31 16:48:57

aks wrote:Something like:
Make sure routing is enabled (sysctl net.ipv4.ip_forward should return 1)
Take out your rich rule
firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=internal --add-service=smtp
firewall-cmd --zone=dmz --add-forward-port=port=25:proto=tcp:toaddr=192.168.2.20

That should have NAT on external zone, forwarding from DMZ zone port 25 to internal zone port 25 and allow incoming port 25 on internal (25 is SMTP).
You can see more info/examples here: http://docs.fedoraproject.org/en-US/Fed ... g-CLI.html & http://www.certdepot.net/rhel7-get-started-firewalld/
Masquerade is already enabled on public, and IP forwarding too, but without masquerade on the Internal network the original IP is forwarded and I don't have any route to this IP on my internal network (and I can't add this route manually; I don't have control on this side).

narutopgm
Posts: 5
Joined: 2015/07/29 19:53:25

Re: port forwarding with masquerade

Post by narutopgm » 2015/07/31 16:59:00

jensd wrote:For firewalld, I would need to look up some things.

To do this with iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.202.103:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.202.103 --dport 80 -j SNAT --to-source 192.168.202.128

More information: http://jensd.be/343/linux/forward-a-tcp ... h-iptables

To do that I need to disable FirewallD. Do you have another way?
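One way to keep firewalld running and still masquerade only the forwarded flow is firewalld's direct interface, which inserts plain iptables rules into its *_direct chains. The script below is an added example, not something posted in this thread; it reuses the interfaces, addresses and ports from the first post (ens35/ens34, 192.168.88.11, 192.168.69.20, port 35 to 2525) and, by default, only prints the commands it would run.

```shell
#!/bin/sh
# Added example: forward and masquerade one DMZ flow through firewalld's
# direct rules, so zone-wide masquerade on "internal" is not needed and the
# rest of the internal network stays unreachable from the DMZ host.
set -eu

DMZ_IF=ens35; INT_IF=ens34          # interfaces from the original post
DMZ_HOST=192.168.88.11              # the only DMZ client allowed through
INT_HOST=192.168.69.20              # internal SMTP server
IN_PORT=35; TO_PORT=2525            # port on the firewall -> port on the server

# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them (needs root).
run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Direct rules land in firewalld's *_direct chains, which are evaluated
# before the zone chains, so they coexist with the zones listed above.
add_direct() { run firewall-cmd --permanent --direct --add-rule ipv4 "$@"; }

forward_one_flow() {
    # 1. DNAT only this client's connections to port 35 arriving on the DMZ side.
    add_direct nat PREROUTING 0 -i "$DMZ_IF" -s "$DMZ_HOST" -p tcp --dport "$IN_PORT" \
        -j DNAT --to-destination "$INT_HOST:$TO_PORT"
    # 2. Masquerade only that rewritten flow as it leaves towards Internal:
    #    the server sees the firewall's own address and replies to it, and
    #    conntrack undoes the NAT, so Internal needs no route back to the DMZ.
    add_direct nat POSTROUTING 0 -o "$INT_IF" -s "$DMZ_HOST" -d "$INT_HOST" \
        -p tcp --dport "$TO_PORT" -j MASQUERADE
    # 3. Accept only new connections of that flow in FORWARD; replies are
    #    matched by firewalld's existing RELATED,ESTABLISHED rule.
    add_direct filter FORWARD 0 -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_HOST" -d "$INT_HOST" \
        -p tcp --dport "$TO_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run firewall-cmd --reload
}

# Self-check used by the dry run: number of direct rules that would be added.
count_rules() { DRY_RUN=1 forward_one_flow | grep -c -- '--direct'; }
```

Run with `DRY_RUN=0 sh script.sh` as root to apply; `firewall-cmd --direct --get-all-rules` then lists the three rules next to the unchanged zone configuration.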

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: port forwarding with masquerade

Post by aks » 2015/07/31 20:00:32

You don't have a route to the node you're trying to connect to?

narutopgm
Posts: 5
Joined: 2015/07/29 19:53:25

Re: port forwarding with masquerade

Post by narutopgm » 2015/08/03 19:31:23

aks wrote:You don't have a route to the node you're trying to connect to?
I have a route to go from DMZ to Internal, but I don't have a route from Internal to DMZ.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: port forwarding with masquerade

Post by aks » 2015/08/04 16:54:01

narutopgm wrote:I have a route to go from DMZ to Internal, but I don't have a route from Internal to DMZ.
Do you mean that while you can send packets from DMZ to Internal, they can't come back because Internal doesn't have a route and thus can not reply?

narutopgm
Posts: 5
Joined: 2015/07/29 19:53:25

Re: port forwarding with masquerade

Post by narutopgm » 2015/08/04 16:56:04

Exactly.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: port forwarding with masquerade

Post by aks » 2015/08/04 17:07:33

I'm guessing here, but there was something called source routing (which was considered a security risk). I seem to recall that you can specify the return route in the packet you send.
I know Linux can still do source routing (but it is probably disabled by default), but I have not done anything like that for so long now that I suggest you have a real old Google about it.
