I wish to configure my CentOS 7 as a router using firewall-cmd that acts as some kind of proxy:
incoming traffic (port 80) -> CentOS 7 (forwarder; checks the destination IP address against a blacklist and, if it matches, forwards to the HTTP server) -> HTTP server (listening on port 80), which shows an access denied page.
From a networking point of view, the destination IP is NATed to the HTTP server's IP.
If I wish to configure something like that, does my CentOS 7 need to listen on port 80?
It might not be limited to just port 80; it could be some other ports, and then I will check if the destination IP address is in the blacklist.
Configuring linux as a forwarder to forward another ip
Re: Configuring linux as a forwarder to forward another ip
You can do all of that with just iptables (and possibly using firewalld). You can also use nginx or httpd as a proxy to forward http requests in which case they would need to be installed and configured.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Configuring linux as a forwarder to forward another ip
I tried to use firewall-cmd but was unsuccessful.
Below are the commands that I tried:
Incoming traffic -> VM (192.168.56.101) -> HTTP server (192.168.56.102) port 80
firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.56.102
firewall-cmd --reload
After I applied them, the VM is not listening on port 80.
May I know what I have done incorrectly?
Re: Configuring linux as a forwarder to forward another ip
1. You don't need this one:
firewall-cmd --add-port=80/tcp --permanent
2. As you don't state a zone, you are using the default one, but are your requests on the same zone? Is it possible that your receiving interface is on another zone?
Re: Configuring linux as a forwarder to forward another ip
These addresses are on the same subnet? Where is the client?
For DNAT the IP address of the VM is not important.
Typical "forwarding" has:
clientX--lanA--YrouterZ--lanB--Wserver
* routerZ is the default gateway of lanB
* router does DNAT to-dst W the packets arriving from client to routerY
* router does allow forwarding from lanA to W (and back)
* Wserver sends replies via routerZ
* router's DNAT rule puts routerY as "from" into the replies
The port forwarding in itself does not require masquerade.
Do you have the "typical" setup?
Does the router simply route, or does it have to SNAT (aka masquerade) on its external interface (Y)?
If the latter, then I would start with Y on zone 'external' and Z on zone 'public'.
If client, forwarder, and server are on the same subnet, then server would send replies directly to client, rather than via the forwarder. The client, who did talk to forwarder, would not expect traffic from the server.
There is a way around that (other than routes in the server): the forwarder does SNAT packets that leave towards the server. Thus:
* client thinks that it talks with the forwarder (due to DNAT)
* server thinks that it talks with the forwarder (due to SNAT)
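As an added example (my own script, not the poster's commands and not firewalld project code), here is the firewalld rule set for the lab described in this thread with the two reply points folded in: the `--add-port` line is dropped because DNAT rewrites the destination in PREROUTING and nothing on the forwarder ever listens, the zone is named explicitly, and source NAT is added only for the same-subnet ("hairpin") case from the last reply. It assumes the thread's addresses (forwarder 192.168.56.101, web server 192.168.56.102), that the client-facing interface is in the zone passed as the first argument, and that firewalld's direct interface is available (it is on CentOS 7). Setting `FWCMD=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for the thread's lab; not the poster's commands, not firewalld project code.
# Assumed values (from the thread): forwarder 192.168.56.101, web server 192.168.56.102.
# Assumed: the interface clients arrive on is in the zone given as $1
# (check with `firewall-cmd --get-active-zones`).
# FWCMD=echo prints the commands instead of running them (used by the self-check).
FWCMD="${FWCMD:-firewall-cmd}"

# DNAT tcp/$3 arriving on zone $1 to $2:$3. Permanent only; the caller reloads.
# No --add-port: a forward-port rule is not a listening socket, so `ss -lnt`
# on the forwarder will not (and need not) show port 80.
forward_rules() {
    zone="$1"; server="$2"; port="$3"
    "$FWCMD" --permanent --zone="$zone" \
        --add-forward-port="port=${port}:proto=tcp:toport=${port}:toaddr=${server}"
}

# Same-subnet ("hairpin") case: without source NAT the server answers the client
# directly and the client drops a reply from an address it never talked to.
# Masquerade on the zone rewrites the source of forwarded packets leaving that
# zone's interface to the forwarder's address, so replies come back through it.
hairpin_rules() {
    zone="$1"
    "$FWCMD" --permanent --zone="$zone" --add-masquerade
}

# Narrower alternative: SNAT only the packets headed for the web server.
# Assumes the firewalld direct interface (iptables backend, as on CentOS 7).
hairpin_rules_direct() {
    server="$1"; port="$2"; fwd_ip="$3"
    "$FWCMD" --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -d "$server" -p tcp --dport "$port" -j SNAT --to-source "$fwd_ip"
}

# Routed ("typical") case: the server's default gateway is the forwarder, replies
# pass back through it and conntrack un-translates them. Only forward_rules applies.

# What to inspect after the reload. firewalld turns on ip_forward itself once a
# forward-port with toaddr or a masquerade is configured; the sysctl confirms it.
verify_rules() {
    zone="$1"
    "$FWCMD" --zone="$zone" --list-forward-ports
    "$FWCMD" --zone="$zone" --query-masquerade
    sysctl net.ipv4.ip_forward
}

# mode is "routed" (DNAT only) or "hairpin" (DNAT + masquerade on the same zone).
apply_setup() {
    mode="$1"; zone="$2"; server="$3"; port="$4"
    forward_rules "$zone" "$server" "$port"
    if [ "$mode" = "hairpin" ]; then
        hairpin_rules "$zone"
    fi
    "$FWCMD" --reload
}

# Run as `./fwd.sh apply hairpin` (or `apply routed`) on the forwarder itself.
if [ "${1:-}" = "apply" ]; then
    apply_setup "${2:-hairpin}" public 192.168.56.102 80
    verify_rules public
fi
```

With `FWCMD=echo` the functions emit the exact `firewall-cmd` arguments, which is how the script is checked offline; on the forwarder, run it with `apply` and then point a client at 192.168.56.101 and watch `firewall-cmd --zone=public --list-forward-ports` rather than `ss`, since the absence of a listener on port 80 is the expected state for a DNAT forwarder.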