firewalld - pass traffic through firewall with firewall-cmd
Hi,
I have some problems understanding the iptables configuration. I want to forward some traffic through the CentOS 7 firewall.
There must be no NAT, because all addresses are public addresses.
Setup:
Internet -> LAN A <- |IF:enp0s25<-Centos7 GW-> IF:enp3s2| -> LAN B -> (DMZ)
I try to realize:
a) allow incoming traffic on enp0s25 from any address to LAN_B_IP1/2 (on enp3s2) on port 80.
b) allow outgoing from $LAN_B_IP3/4 to connect to any addresses on port 25.
I'm not sure how it works with firewall-cmd.
THX,
tom
Re: firewalld - pass traffic through firewall with firewall-
It kind of sounds like you need to use the rich rules syntax, see: https://fedoraproject.org/wiki/Features ... chLanguage
A simpler solution is, instead of using the interface name, use the IP addresses of the interface (so say the address of enp0s25); this also means if later you change hardware, the firewall can "follow" the hardware change. As a further clue, "any address" is 0.0.0.0/0
Re: firewalld - pass traffic through firewall with firewall-
I try:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" service name="http" accept'

which generates an iptables rule:

-A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

but it does not work.
tcpdump shows only the incoming SYN connection:

[root@lb1 ~]# tcpdump -npi enp0s25 host $LAN_B_IP1
11:27:17.083739 IP x.x.x.x.44946 > $LAN_B_IP1.http: Flags [S], seq 2033291673, win 29200, options [mss 1460,sackOK,TS val 831795331 ecr 0,nop,wscale 7], length 0
11:27:17.083819 IP x.x.x.x.1.44947 > $LAN_B_IP1.http: Flags [S], seq 1641215505, win 29200, options [mss 1460,sackOK,TS val 831795331 ecr 0,nop,wscale 7], length 0
11:27:17.086700 IP x.x.x.x.44948 > $LAN_B_IP1.http: Flags [S], seq 2621696850, win 29200, options [mss 1460,sackOK,TS val 831795334 ecr 0,nop,wscale 7], length 0

(yes, forwarding is on and it works if I turn iptables off)

firewall-cmd --get-active-zones
public
interfaces: enp0s25 enp3s2

firewall-cmd --zone=public --list-all
public (default, active)
interfaces: enp0s25 enp3s2
sources:
services: dhcpv6-client high-availability ssh
ports: 4711/tcp 443/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1/32" service name="http" accept

I don't understand what happens.
Re: firewalld - pass traffic through firewall with firewall-
If I use:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" forward-port to-addr="$LAN_B_IP1" to-port="80" protocol="tcp" port="80"'
firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP2" forward-port to-addr="$LAN_B_IP2" to-port="80" protocol="tcp" port="80"'

iptables -t nat -L|grep LAN_B
DNAT tcp -- anywhere anywhere mark match 0x64 to:$LAN_B_IP1:80
DNAT tcp -- anywhere anywhere mark match 0x65 to:$LAN_B_IP2:80

I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1.
Re: firewalld - pass traffic through firewall with firewall-
> firewall-cmd --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" destination address="$LAN_B_IP1" service name="http" accept'

You don't need a source address here. You certainly don't need "any" address as the packet is already "in" the router - otherwise it could not exit the outbound interface. If you want to put in a source address, the IP address of the exit interface would be more appropriate. The "any" address is generally used to allow packets from a large or not easy to summarize network (like the Internet) inbound access.

> -A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

This will only allow new connections to the port. From https://help.ubuntu.com/community/IptablesHowTo:
--ctstate - Define the list of states for the rule to match on. Valid states are:
NEW - The connection has not yet been seen.
RELATED - The connection is new, but is related to another connection already permitted.
ESTABLISHED - The connection is already established.
INVALID - The traffic couldn't be identified for some reason
Perhaps restart the firewall and then reconduct your tests?

> I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1.

I'm not sure what this means. Do you mean you don't have load balancing across your two IP addresses connected to a single network?

> iptables -t nat -L|grep LAN_B
> DNAT tcp -- anywhere anywhere mark match 0x64 to:$LAN_B_IP1:80
> DNAT tcp -- anywhere anywhere mark match 0x65 to:$LAN_B_IP2:80

I thought you didn't want to use NAT?
Re: firewalld - pass traffic through firewall with firewall-
> -A IN_public_allow -d $LAN_B_IP1/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

This is not enough, traffic is still blocked.

> I thought you didn't want to use NAT?
> iptables -t nat -L|grep LAN_B
> DNAT tcp -- anywhere anywhere mark match 0x64 to:$LAN_B_IP1:80
> DNAT tcp -- anywhere anywhere mark match 0x65 to:$LAN_B_IP2:80

Forget this rule, it was just a test and yes, I don't need NAT.

> I'm not sure what this means. Do you mean you don't have load balancing across your two IP addresses connected to a single network?
> I can connect to $LAN_B_IP1, but if I try $LAN_B_IP2 I will be routed to $LAN_B_IP1.

The only thing I want is to reach the 2 (or n) webservers behind the CentOS 7 box directly from outside. No NAT, just plain routing through.
Re: firewalld - pass traffic through firewall with firewall-
Okay, let's put some IP addresses on this - you don't have to use your real addresses but it may be easier if you use the same subnet masks as you plan to.
Also please provide output of:
ip addr sh
ip route sh
iptables -L
firewall-cmd --list-all
A list of any network devices between both endpoints.
Re: firewalld - pass traffic through firewall with firewall-
And also ss -ant | grep 80 # on the target machine just to confirm we have a listener there
Re: firewalld - pass traffic through firewall with firewall-
The order of rules in iptables is significant. When a rule is matched the processor will not compare others. That is why I want to see your current chains.
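An added example, not written by anyone in this thread, that turns the chain question above into something checkable. The rich rule tom added ended up in IN_public_allow, a chain reached from INPUT; packets the CentOS box routes between enp0s25 and enp3s2 traverse FORWARD instead and never consult INPUT, so an ACCEPT on the INPUT path cannot open routed traffic. The script below (POSIX sh plus awk) has two helpers: fwd_accepted scans iptables -S style output for an ACCEPT on the forward path that matches a destination and TCP port, and fwd_direct_rule prints the firewall-cmd --direct command that installs a plain, non-NAT ACCEPT in FORWARD. The rule listing is a constructed sample shaped like the thread's output, the interface names come from tom's setup sketch, and the 203.0.113.x addresses are RFC 5737 documentation addresses standing in for $LAN_B_IP1 through $LAN_B_IP4.

```shell
#!/bin/sh
# Added example (not from the thread). Routed packets traverse FORWARD, never
# INPUT, so an ACCEPT in IN_public_allow (INPUT path) does not open them.
# Interface names follow tom's sketch; 203.0.113.x are RFC 5737 documentation
# addresses standing in for $LAN_B_IP1..4. No NAT is involved anywhere.

# Constructed sample in `iptables -S` format, shaped like the thread's state:
# the only ACCEPT for 203.0.113.10:80 sits in IN_public_allow, while a
# FORWARD_direct rule (what a --direct rule becomes) exists for 203.0.113.11.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A IN_public_allow -d 203.0.113.10/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD_direct -i enp0s25 -o enp3s2 -d 203.0.113.11/32 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'

# fwd_accepted DST_IP TCP_PORT RULES
# Prints "yes" if some chain on the forward path (FORWARD*, FWD*) holds an
# ACCEPT for tcp traffic to DST_IP:TCP_PORT, otherwise "no". Rules in
# INPUT-side chains such as IN_public_allow are deliberately ignored.
fwd_accepted() {
    printf '%s\n' "$3" | awk -v ip="$1" -v port="$2" '
        $1 == "-A" && ($2 ~ /^FORWARD/ || $2 ~ /^FWD/) {
            dst = ""; dport = ""; proto = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-d")      dst = $(i + 1)
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            sub(/\/32$/, "", dst)            # treat a /32 as the bare address
            if (target == "ACCEPT" && proto == "tcp" && dst == ip && dport == port) {
                found = 1; exit
            }
        }
        END { print (found ? "yes" : "no") }'
}

# fwd_direct_rule IN_IF OUT_IF MATCH
# Prints the firewall-cmd command that puts a plain (non-NAT) ACCEPT for the
# given iptables match into the FORWARD chain through firewalld's direct
# interface. Replies ride on the RELATED,ESTABLISHED rule firewalld already
# keeps at the top of FORWARD. Run `firewall-cmd --reload` afterwards.
fwd_direct_rule() {
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i %s -o %s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# (a) Internet -> LAN B web hosts on 80: packets enter enp0s25, leave enp3s2.
#     Only print a command for hosts the forward path does not accept yet.
for host in 203.0.113.10 203.0.113.11; do
    if [ "$(fwd_accepted "$host" 80 "$SAMPLE_RULES")" = no ]; then
        fwd_direct_rule enp0s25 enp3s2 "-d $host -p tcp --dport 80"
    fi
done
# (b) LAN B mail hosts -> anywhere on 25: packets enter enp3s2, leave enp0s25.
for host in 203.0.113.12 203.0.113.13; do
    fwd_direct_rule enp3s2 enp0s25 "-s $host -p tcp --dport 25"
done
```

On the gateway, feed the real `iptables -S` output to fwd_accepted instead of SAMPLE_RULES before applying any printed command; the check only looks at the forward path, which is why the IN_public_allow rule from the thread counts as "no" while the FORWARD_direct rule counts as "yes".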