I'm currently working on moving toward firewalld and away from iptables as the front end for managing netfilter on some hosts, including hosts which act as routers performing NAT.
This work and study has prompted some questions which I'm not sure of the answers to.
The questions will be based on the following test setup.
CentOS 7.x host with the following interfaces:
eth0 (1.1.1.1) in the zone public
br0 (192.168.10.1/24) in the zone internal
There are virtual hosts which are running in KVM which are also in the 192.168.10.0/24 space and use 192.168.10.1 as their default gateway.
My questions are as follows.
Assuming I wish to enable source NAT / masquerade from the private subnet 192.168.10.0 to the general internet, the packet flows from the internal zone to the public zone.
The Red Hat docs at section 5.3.1.9 say:
"To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address."
I'm using the CLI tool rather than the GUI; however, I understand this to mean that you enable masquerade for the zone which is internal in this example. This has not worked for me. However, when I enable masquerade on the outbound zone (public) it works fine: I can ping out, etc.
My main reason for seeking clarification on this is that I'm starting to prepare for the RHCSA and I want to make sure my understanding of this topic is correct.
Secondly, with iptables I was able to configure the following destination NAT config, which I have not managed to replicate in firewalld yet:
Table: nat, Chain: PREROUTING, destination-address: 1.1.1.1, protocol: tcp, destination port: 80, action: DNAT to 192.168.10.14 (say, an internal web server)
Table: filter, Chain: FORWARD, source-address: 2.2.2.2, destination-address: 1.1.1.1, protocol: tcp, destination port: 80, action: DROP (I want to block this one IP)
Table: filter, Chain: FORWARD, destination-address: 1.1.1.1, protocol: tcp, destination port: 80, action: ACCEPT (allow everyone else)
Here I can see the packet flow from the nat table to the filter table and apply different rules at different stages.
In firewalld I've been able to get the port forwarding working correctly without any issue, but I thought I'd be able to apply some rules as the packet flowed from the public zone to the internal zone; however, when I set up deny rules to test on the internal zone, it appears they don't get hit.
I know this could be done with direct rules, which effectively allow me to use iptables rules within firewalld's interface, but before I go down that path I want to make sure it's not that I need to change the way I look at the firewall's operation.
Does a packet flow from one zone to another? I know the rules are based on the source, so I'd infer that means as it enters a zone. Does this mean that in a destination NAT example it gets examined on entering the public zone from the interface and then again on ingress to the internal zone as it leaves the public zone after being NAT'd?
I hope I've managed to explain my questions clearly.
Many thanks in advance to anyone who takes the time to read this.
Cheers
Mark
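As an added example that is not part of the original post, the script below lays out the firewall-cmd configuration that reproduces the three iptables rules described above (masquerade on the egress zone, a port forward on the ingress zone, and a single-source drop in that same ingress zone, which is where firewalld applies a zone's rich rules to a packet arriving on eth0). It assumes the poster's layout (eth0 in public, br0 in internal, web server 192.168.10.14, the one address to block being 2.2.2.2); the function names fw_plan and fw_apply are mine, and fw_plan only prints the commands so the plan can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not from the original post or the firewalld project.
# Assumed layout: eth0 (1.1.1.1) in zone "public", br0 (192.168.10.1/24) in
# zone "internal", internal web server 192.168.10.14, one source to block.
EXT_ZONE="public"
INT_ZONE="internal"
WEB_SERVER="192.168.10.14"
BLOCKED_SRC="2.2.2.2"
WEB_PORT="80"

# Prints the firewall-cmd invocations, one per line, without running them.
fw_plan() {
    # Masquerade is applied as the packet leaves through the zone's interface
    # (eth0), so it belongs on the external zone, matching the behaviour the
    # post observed.  The internal zone needs no masquerade entry.
    printf '%s\n' "firewall-cmd --permanent --zone=$EXT_ZONE --add-masquerade"

    # The DNAT equivalent: a forward-port in the zone the packet arrives in.
    printf '%s\n' "firewall-cmd --permanent --zone=$EXT_ZONE --add-forward-port=port=$WEB_PORT:proto=tcp:toaddr=$WEB_SERVER"

    # The single-address block is a rich rule in the same ingress zone.
    # firewalld orders a zone's rules as log, then deny, then allow, so this
    # drop is evaluated before the forward-port allow for the same port.
    printf '%s\n' "firewall-cmd --permanent --zone=$EXT_ZONE --add-rich-rule='rule family=\"ipv4\" source address=\"$BLOCKED_SRC\" port port=\"$WEB_PORT\" protocol=\"tcp\" drop'"

    # Permanent changes take effect only after a reload.
    printf '%s\n' "firewall-cmd --reload"
}

# Number of commands in the plan (useful when checking the plan in scripts).
fw_plan_count() {
    fw_plan | wc -l | tr -d ' '
}

# Runs the plan for real, but only when firewall-cmd is present on this host.
fw_apply() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; showing the plan only" >&2
        fw_plan
        return 0
    fi
    fw_plan | while IFS= read -r cmd; do
        # sh -c keeps the single-quoted rich rule as one argument.
        sh -c "$cmd" || return 1
    done
}

# Review the plan, then apply it with: fw_apply
fw_plan
```

After applying, `firewall-cmd --zone=public --list-all` should show masquerade: yes, the forward-port entry and the rich rule together, and `firewall-cmd --get-active-zones` confirms which interface each zone owns; a test connection from the blocked address should never reach the web server, while other clients are forwarded as before.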