CentOS 7
Sponsored Link

Firewalld : IP Masquerade
2016/04/10
 
It is how to configure IP Masquerading with Firewalld. This exmaples are based on the environment below. 
          ---------+---------
            Gateway|192.168.0.1
                   |
      External     |
               eth1|192.168.0.30
          +--------+---------+
          |                  |
          | dlp.srv.world |
          |                  |
          +--------+---------+
               eth0|10.0.0.30
      Internal     |
[1] Change zones for interfaces.
# show current setting

[root@dlp ~]#
firewall-cmd --get-active-zone 

public
  interfaces: eth0 eth1
# change zone

[root@dlp ~]#
nmcli c mod eth0 connection.zone internal

[root@dlp ~]#
nmcli c mod eth1 connection.zone external
[root@dlp ~]#
firewall-cmd --get-active-zone 

internal
  interfaces: eth0
external
  interfaces: eth1
[2] Set IP Masquerading on External zone.
# set IP Masquerading

[root@dlp ~]#
firewall-cmd --zone=external --add-masquerade --permanent

success
[root@dlp ~]#
firewall-cmd --reload

success
# show setting

[root@dlp ~]#
firewall-cmd --zone=external --query-masquerade

yes
# ip_forward is enabled automatically if masquerading is enabled.

[root@dlp ~]#
cat /proc/sys/net/ipv4/ip_forward

1
[3] For example, Configure that incoming packets come to 22 port of External zone are forwarded to local 1234 port.
(if set permanently, add "--permanent" option)
[root@dlp ~]#
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=1234

success
[root@dlp ~]#
firewall-cmd --list-all --zone=external 

external (active)
  interfaces: eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=1234:toaddr=
  icmp-blocks:
  rich rules:
[4] For example, Configure that incoming packets come to 22 port of External zone are forwarded to another Host(192.168.0.31) of 22 port.
[root@dlp ~]#
firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=22:toaddr=192.168.0.31

success
[root@dlp ~]#
firewall-cmd --list-all --zone=external 

external (active)
  interfaces: eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=22:toaddr=10.0.0.31
  icmp-blocks:
  rich rules:
[5] For exmaple, Configure that outgoing packets through the Server from Internal network(10.0.0.0/24) are allowed and forwarded to External side.
# set masquerading to internal zone

[root@dlp ~]#
firewall-cmd --zone=internal --add-masquerade --permanent

success
[root@dlp ~]#
firewall-cmd --reload

success
[root@dlp ~]#
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE

[root@dlp ~]#
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT

[root@dlp ~]#
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

 
Tweet