I have installed CentOS on a managed server. For some reasons I decided to install IKEv2 for VPN to connect the VPN clients to a Samba server also installed on the system.
When I'm connected to the server through VPN, I can access all running services whose ports are enabled in the firewall public zone, all packets now going through the VPN tunnel.
But for Samba I need a (virtual) network behind the public zone, because I don't want to set the Samba ports in the public area. So I installed a virtual Ethernet card eth0.5 with the IP address 192.168.7.1, assigned the network card to the internal zone and configured the internal zone in firewalld to accept SMB connections.
Now I configured the firewall to forward my IPsec ports to the "internal" IP address.
firewall-cmd --zone=public --add-forward-port=port=500:proto=udp:toaddr=192.168.7.1
firewall-cmd --zone=public --add-forward-port=port=4500:proto=udp:toaddr=192.168.7.1
But IP forwarding with an IP on the same machine does not work.
I also tried:
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.7.1
but can't access the webserver.
In a different area, I tried
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.3.31
but 192.168.3.31 is now an external device (webserver). Port forwarding works and I can access the webserver.
[root@server ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0.5
IPV6INIT=no
NETBOOT=yes
PHYSDEV=eth0
BROADCAST=192.168.7.255
VLAN=yes
NAME=""
BOOTPROTO=none
MACADDR=""
TYPE=Ethernet
DEVICE=eth0.5
NETMASK=255.255.255.0
MTU=""
IPADDR=192.168.7.1
NETWORK=192.168.7.0
ONBOOT=yes
ZONE=internal
[root@server ~]# firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: https imaps smtp smtps
ports: 22000/tcp 587/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=:toaddr=192.168.7.1
port=500:proto=udp:toport=:toaddr=192.168.7.1
port=4500:proto=udp:toport=:toaddr=192.168.7.1
sourceports:
icmp-blocks:
rich rules:
[root@server ~]# firewall-cmd --info-zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: eth0.5
sources:
services: http ipsec
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Regards, Christoph
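Since the question turns on whether a forward-port aimed at an address the host itself owns behaves like the forward to the external 192.168.3.31, here is an added audit script (my own example, not code from the post or from firewalld) that parses the `firewall-cmd --info-zone` output shown above and flags forward-ports whose toaddr is a local address; packets DNATed to a local address are delivered on the INPUT path rather than FORWARD, so the script reports whether the zone's own services and ports would accept the forwarded port. It assumes only the zone data and the eth0.5 address from the post; the service-to-port table is a hand-copied subset of firewalld's built-in service definitions.

```python
import re
# Sample input copied from the post's `firewall-cmd --info-zone=public` output
# (real firewalld indents continuation lines with a tab; both forms are parsed).
ZONE_PUBLIC = """\
public (active)
  services: https imaps smtp smtps
  ports: 22000/tcp 587/tcp
  forward-ports: port=80:proto=tcp:toport=:toaddr=192.168.7.1
\tport=500:proto=udp:toport=:toaddr=192.168.7.1
\tport=4500:proto=udp:toport=:toaddr=192.168.7.1
  rich rules:
"""
# Addresses this host owns, constructed from the post's ifcfg-eth0.5 (IPADDR=192.168.7.1).
LOCAL_ADDRS = {"192.168.7.1", "127.0.0.1"}
# Subset of firewalld's built-in service definitions, only the services named in the post.
SERVICE_PORTS = {"http": {"80/tcp"}, "https": {"443/tcp"}, "smtp": {"25/tcp"},
                 "smtps": {"465/tcp"}, "imaps": {"993/tcp"}, "ipsec": {"500/udp", "4500/udp"}}
KEY_RE = re.compile(r"^\s*([a-z][a-z -]*?):(?:\s+(.*))?$")  # "key: value" or a bare "key:"
FWD_RE = re.compile(r"port=(?P<port>\d+):proto=(?P<proto>\w+):toport=(?P<toport>\d*)"
                    r":toaddr=(?P<toaddr>[\d.]*)")

def parse_zone(text):
    """Parse --info-zone output into name, services, ports and forward-port dicts."""
    lines, fields, key = text.splitlines(), {}, None
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:  # a new "key: value" field
            key = m.group(1)
            fields[key] = (m.group(2) or "").split()
        elif key:  # unlabelled line continues the previous field (extra forward-ports)
            fields[key].extend(line.split())
    fwd = [FWD_RE.match(e).groupdict() for e in fields.get("forward-ports", [])]
    return {"name": lines[0].split()[0], "services": set(fields.get("services", [])),
            "ports": set(fields.get("ports", [])), "forward_ports": fwd}

def open_ports(zone):
    """Port/proto pairs the zone accepts on its own INPUT path: explicit ports plus services."""
    return set(zone["ports"]).union(*(SERVICE_PORTS.get(s, set()) for s in zone["services"]))

def audit(zone, local_addrs):
    """Flag forward-ports whose toaddr the host itself owns: DNAT to a local address is
    delivered via INPUT rather than FORWARD, so the zone's own open ports decide reachability."""
    opened, findings = open_ports(zone), []
    for fp in zone["forward_ports"]:
        if fp["toaddr"] in local_addrs:
            dest = f"{fp['toport'] or fp['port']}/{fp['proto']}"  # empty toport keeps the port
            state = "open" if dest in opened else "NOT open"
            findings.append(f"{fp['port']}/{fp['proto']} -> {fp['toaddr']} is local; "
                            f"{dest} is {state} in zone {zone['name']}")
    return findings
```

Running `audit(parse_zone(ZONE_PUBLIC), LOCAL_ADDRS)` on the post's public zone reports all three forwards (80/tcp, 500/udp, 4500/udp) as local targets whose ports are not open in that zone, while the same forwards in a zone listing the `ipsec` service would be reported as open.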