Firewalld : IP Masquerade
This is a configuration example of IP masquerading (source NAT) with firewalld. The example is based on the following environment: dlp.srv.world has an external interface enp1s0 (10.0.0.30) toward the Internet gateway 10.0.0.1 and an internal interface enp7s0 (192.168.0.30) toward the LAN.
Internet
-------------+-------------
Gateway|10.0.0.1
|
External |
enp1s0|10.0.0.30
+------------+------------+
| |
| dlp.srv.world |
| |
+------------+------------+
enp7s0|192.168.0.30
Internal |
|
|
| [1] | Assign the interfaces to zones: the Internet-facing enp1s0 to [external] and the LAN-facing enp7s0 to [internal]. The nmcli commands below assume the NetworkManager connection profiles are named after the interfaces. |
# show current setting
[root@dlp ~]# firewall-cmd --get-active-zone
public
  interfaces: enp1s0 enp7s0

# change zone
[root@dlp ~]# nmcli connection modify enp7s0 connection.zone internal
[root@dlp ~]# nmcli connection modify enp1s0 connection.zone external
[root@dlp ~]# firewall-cmd --get-active-zone
external
  interfaces: enp1s0
internal
  interfaces: enp7s0
| [2] | Enable IP masquerading on the external zone. The commands below change the runtime configuration only: add [--permanent] to each command (and then run [firewall-cmd --reload]), or run [firewall-cmd --runtime-to-permanent] once the runtime configuration works, to make the settings survive a reload or reboot. |
# set IP Masquerading
[root@dlp ~]# firewall-cmd --zone=external --add-masquerade
success
# confirm setting
[root@dlp ~]# firewall-cmd --zone=external --query-masquerade
yes
# [ip_forward] is enabled automatically by firewalld when masquerading is enabled
[root@dlp ~]# cat /proc/sys/net/ipv4/ip_forward
1
| [3] | For example, configure that incoming TCP packets arriving on port 22 of the external zone are redirected to local port 1234 (for instance an sshd listening on a non-default port). |
[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
    port=22:proto=tcp:toport=1234:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
| [4] | For example, configure that incoming TCP packets arriving on port 22 of the external zone are forwarded to port 22 of another host [192.168.0.31] on the internal network. Forwarding to another host requires masquerading on the zone (enabled in [2]) so that the replies from 192.168.0.31 are routed back through this gateway. Note that the rule from [3] is still present and also matches tcp/22; only the first matching forward-port rule is applied to a connection, so remove it with [firewall-cmd --zone=external --remove-forward-port=port=22:proto=tcp:toport=1234] if port 22 should really reach 192.168.0.31. |
[root@dlp ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
    port=22:proto=tcp:toport=1234:toaddr=
    port=22:proto=tcp:toport=22:toaddr=192.168.0.31
  source-ports:
  icmp-blocks:
  rich rules:
| [5] | For example, allow packets from the internal network [192.168.0.0/24] to be forwarded through the server and masqueraded on the external side, while only reply traffic is allowed back in. |
# masquerading belongs on the zone whose interface the traffic leaves through, i.e. [external],
# where it was already enabled in [2]. Enabling it on the [internal] zone as well would also rewrite
# the source address of packets leaving through enp7s0 toward the LAN, such as the connections
# forwarded to 192.168.0.31 in [4], so that host would only ever see the gateway's own address.
# The direct rules below spell the same policy out explicitly in iptables syntax.
# masquerade everything that leaves through the external interface
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o enp1s0 -j MASQUERADE
# allow connections from the internal network out to the external side
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp7s0 -o enp1s0 -j ACCEPT
# in the other direction, only allow replies to connections the internal side opened
# (the same match is written [-m conntrack --ctstate RELATED,ESTABLISHED] on current kernels)
[root@dlp ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i enp1s0 -o enp7s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# direct rules are also runtime-only without [--permanent], and like firewalld masquerading they apply to IPv4 only;
# newer firewalld releases can express this zone-to-zone forwarding with a policy object instead of direct rules
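The overlap between the rules from [3] and [4] is easy to miss in a long listing. The following shell script is an added example (not part of the original page) that audits a saved [firewall-cmd --list-all --zone=external] dump offline, without touching the live firewall: it confirms masquerading is enabled, extracts the forward-port entries, and flags entries that share the same port and protocol, since only the first one can ever be applied. The listing is constructed inline to mirror the output shown after step [4]; the function names are this example's own, and the parser assumes IPv4 [toaddr] values (no colons), as on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a saved
# `firewall-cmd --list-all --zone=external` dump without touching the live firewall.
# Checks: masquerading is enabled, and no two forward-port entries share the
# same port/proto (a later entry for the same match is shadowed by the first one).
set -eu

# Constructed sample, mirroring the listing after step [4]: both tcp/22 entries present.
SAMPLE_LISTING='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
    port=22:proto=tcp:toport=1234:toaddr=
    port=22:proto=tcp:toport=22:toaddr=192.168.0.31
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample of the corrected state: the step [3] rule removed.
FIXED_LISTING=$(printf '%s\n' "$SAMPLE_LISTING" | grep -v 'toport=1234')

# masquerade_enabled LISTING: succeed if the zone reports "masquerade: yes"
masquerade_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*masquerade:[[:space:]]*yes[[:space:]]*$'
}

# forward_port_specs LISTING: print each "port=..:proto=..:toport=..:toaddr=.." entry
# found under the "forward-ports:" heading, one per line, without indentation
forward_port_specs() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*forward-ports:/ { in_fp = 1; next }
        /^[[:space:]]*[a-z -]+:/      { in_fp = 0 }
        in_fp && /port=/              { sub(/^[[:space:]]+/, ""); print }
    '
}

# shadowed_forward_ports LISTING: print "proto/port" once for every key that appears
# more than once among the entries. Only the first DNAT rule for a destination
# port/protocol is applied, so the later ones are dead. Assumes IPv4 toaddr (no colons).
shadowed_forward_ports() {
    forward_port_specs "$1" | awk -F: '
        {
            split("", f)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                f[kv[1]] = kv[2]
            }
            key = f["proto"] "/" f["port"]
            if (seen[key]++ == 1) print key
        }
    '
}

# audit_external_zone LISTING: return 0 when clean, 1 when masquerading is off or a
# forward-port entry is shadowed; findings go to stderr
audit_external_zone() {
    listing=$1
    rc=0
    if ! masquerade_enabled "$listing"; then
        echo "FAIL: masquerade disabled; forwarded LAN traffic would leave with private source addresses" >&2
        rc=1
    fi
    dups=$(shadowed_forward_ports "$listing")
    if [ -n "$dups" ]; then
        echo "FAIL: shadowed forward-port entries (only the first per key applies): $dups" >&2
        rc=1
    fi
    return $rc
}

# Demonstration on the constructed samples: the listing after step [4] should fail,
# the corrected one should pass.
if audit_external_zone "$SAMPLE_LISTING"; then
    echo "listing after step [4] is clean"
else
    echo "listing after step [4] needs the step [3] rule removed"
fi
if audit_external_zone "$FIXED_LISTING"; then
    echo "corrected listing is clean"
fi
```

To audit a real host, replace the constructed constant with [firewall-cmd --list-all --zone=external] output captured to a file and pass its contents to audit_external_zone; the functions only read the text, so the check can also run in a pipeline against dumps collected from several gateways.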