Troubles with firewalld-vpn-port forwarding

G0rynyCH
Posts: 2
Joined: 2017/03/21 12:35:08

Troubles with firewalld-vpn-port forwarding

Post by G0rynyCH » 2017/03/21 13:18:04

Hello.
Sorry for my English, but I have some trouble configuring firewalld and need your help.
My server has 2 network interfaces and a site-to-site GRE over IPsec tunnel with another office.

ens192: 136.243.xxx.xxx
ens224: 192.168.100.1

Another office network: 192.168.2.0/24

My zones:

external (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: ipsec openvpn ssh
ports: 4500/tcp 50022/tcp 500/udp 4500/udp 51022/tcp
protocols:
masquerade: yes
forward-ports: port=81:proto=tcp:toport=81:toaddr=192.168.100.10
port=10022:proto=tcp:toport=22:toaddr=192.168.100.10
sourceports:
icmp-blocks:
rich rules:
rule protocol value="ah" accept
rule protocol value="esp" accept


internal (active)
target: default
icmp-block-inversion: no
interfaces: ens224
sources:
services: dhcpv6-client dns ftp http mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:


trusted (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: gre1 tun0
sources:
services:
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:

Troubles start when I forward a port with a rule, for example:
firewall-cmd --zone=external --add-forward-port=port=81:proto=tcp:toport=81:toaddr=192.168.100.40 --permanent
firewall-cmd --reload

Everything works well and I can connect to my internal server from the internet (136.243.xxx.xxx:81) and from my other office LAN (192.168.100.40:81).
But if I try to connect from my office LAN to another server IP on the same port (for example 192.168.100.30:81), I am forwarded to 192.168.100.40:81 again.


How can I fix this problem?
How can I do the following:
If I connect from the internet to IP 136.243.xxx.xxx:81 -> firewalld redirects me to 192.168.100.40:81
If I connect from the office LAN (192.168.2.0/24) to 192.168.100.40:81 -> firewalld gives me access to 192.168.100.40:81
If I connect from the office LAN (192.168.2.0/24) to 192.168.100.30:81 -> firewalld gives me access to 192.168.100.30:81 and doesn't redirect me to 192.168.100.40:81

G0rynyCH
Posts: 2
Joined: 2017/03/21 12:35:08

Re: Troubles with firewalld-vpn-port forwarding

Post by G0rynyCH » 2017/05/11 08:22:48

I have already resolved this problem.
I removed all forward rules and created rich rules with the destination address set to my external IP.
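The fix described in the reply, written out as an added example (not the original poster's commands): a zone-wide forward-port matches every packet arriving on port 81 whatever its destination, so office-LAN traffic to 192.168.100.30:81 coming in over gre1 was rewritten too; a rich rule carrying destination address only matches packets sent to the public IP. The public IP 136.243.0.10 is a constructed stand-in for 136.243.xxx.xxx, and the helper names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: replace a zone-wide forward-port with a destination-scoped
# rich rule so only traffic addressed to the public IP is DNATed.
# Assumptions (constructed): EXT_IP stands in for the poster's masked
# 136.243.xxx.xxx; the internal host 192.168.100.40 is as in the post.
EXT_IP="${EXT_IP:-136.243.0.10}"
ZONE="${ZONE:-external}"

# The zone-wide form that caused the problem, shown for comparison.
# It has no destination match, so any packet to port 81 that traverses
# this zone (including office-LAN packets for 192.168.100.30) is rewritten.
zone_wide_forward() {
  local port="$1" to_addr="$2" to_port="${3:-$1}"
  printf 'port=%s:proto=tcp:toport=%s:toaddr=%s' "$port" "$to_port" "$to_addr"
}

# The corrected rule: destination address="$ext_ip" restricts the DNAT
# to packets whose destination is the public IP. Office-LAN traffic to
# other internal hosts is routed normally instead of being redirected.
rich_forward_rule() {
  local ext_ip="$1" port="$2" to_addr="$3" to_port="${4:-$2}"
  printf 'rule family="ipv4" destination address="%s" forward-port port="%s" protocol="tcp" to-port="%s" to-addr="%s"' \
    "$ext_ip" "$port" "$to_port" "$to_addr"
}

# Print commands by default; set APPLY=1 to execute them with firewall-cmd.
run() {
  if [ -n "${APPLY:-}" ] && command -v firewall-cmd >/dev/null 2>&1; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Remove the zone-wide forward, add the scoped rich rule, reload.
apply_rules() {
  run firewall-cmd --permanent --zone="$ZONE" \
    --remove-forward-port="$(zone_wide_forward 81 192.168.100.40)"
  run firewall-cmd --permanent --zone="$ZONE" \
    --add-rich-rule="$(rich_forward_rule "$EXT_IP" 81 192.168.100.40)"
  run firewall-cmd --reload
}

apply_rules
```

After reloading, `firewall-cmd --zone=external --list-rich-rules` should show the destination-scoped rule and `--list-forward-ports` should no longer list the zone-wide entry.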
