When switching from Centos 6 to Centos 7 a long time ago, I noticed that routing and port forwarding don't behave the same way. Briefly, packets don't keep their source / "upstream" IP address over port forwarding or routing.
Here are some simple examples for servers using OpenVPN VPN tunnels, which use "intermediate" PTP interfaces to do the actual connections for the tunnels. The "local" server is the router/edge/gateway device with a public internet connection, a connection to an internal network, and some VPN tunnels with their associated tunX interfaces and their PTP connections/addresses. Let's use specific examples of NICs on the local server:
eth1 > internet NIC with public IP address, e.g. 7.7.7.7
eth0 > LAN NIC with address 192.168.1.1/24
tun0 > VPN NIC with PTP address 10.1.1.1 , connects to remote server with matching PTP address of 10.1.1.2. Remote server has LAN address of 192.168.9.1/24.
tun1, tun2, tun3 also exist on the local server as OpenVPN tunnels to other locations.
So, a local PC, on the local network, with an IP of 192.168.1.11 can easily ping a remote PC, on the remote network, with an IP of 192.168.9.99. Everything works, all traffic flows as expected.
Under Centos 6:
tcpdump on the remote PC at 192.168.9.99 will show ICMP packets from the local PC coming across tun0, with the IP of the local LAN's PTP IP of 10.1.1.1. I.e., the remote PC will receive pings with the IP address of the VPN NIC on the local server. One can see, on the remote PC, where the packets are coming from. The pings went from the local PC, through the local PC's default gateway, which is the local server's LAN NIC, at 192.168.1.1. The packets were routed through the local server's VPN tun0 at 10.1.1.1 through the VPN NIC on the remote server, at 10.1.1.2, to the remote PC at 192.168.9.99
Under Centos 7:
tcpdump on the remote PC (receiving pings from the local PC) at 192.168.9.99 will show ICMP packets coming from the remote server at 192.168.9.1. Once can't see where the pings came from. One only knows that they came from the remote server itself, or were somehow routed through it.
The same thing happens with port forwarding.
Under Centos 6, the source address of the external host sending packets to an inside host can be seen. E.g. host 8.8.8.8 can be seen sending forwarded ssh packets to an internal host at 192.168.1.11.
Under Centos 7, the internal host only sees the address of the server forwarding the packets. E.g., the packets are seen coming from the server, 192.168.1.1, instead of the external host at 8.8.8.8.
Originally, this was a minor annoyance. Now, however, it is preventing internal Asterisk VMs/boxes from making reliable IAX2 connections to a SIP trunking service.
How can I correct the loss of originating/source IP in forwarding/routing on Centos 7? I have spent a lot of time searching this forum and googling for an answer. I have seen another recent forum request with the same problem.
Some more info:
I have been in the habit of using "out of the box" firewall/routing on both Centos 6 and 7. I don't string together IPTables commands.
Under Centos 6, I would use the simple terminal based "setup" to create basic rules.
Under Centos 7, I generally use the GUI firewall-config, but I certainly know firewall-cmd well enough to use it, in conjunction with the config files in /etc/firewalld, to set up firewalls. I always turn off network-manager, since the NICs don't change, and I don't need another service trying to mess with things. SELinux is always turned off. Masquerading is set per the simple "check-box" option in firewall-config.
Thank You
