Hi All,
I have the following setup:
2 x Red Hat 7 servers, each with two NICs. eno16780032 is for the "local LAN";
eno33559296 is for conntrackd synchronization. I am not worried about the conntrackd
NICs.
Server1 = 192.168.7.21 local lan
Server2 = 192.168.7.22 local lan
Keepalived VIP = 192.168.7.20
This server is used to proxy connections from an internal network, to a remote vendor
network. i.e.
Internal network = 192.168.1.xx
Remote vendor gateway = 192.168.7.160, and it links to various addresses.
Internal network will use the keepalived VIP for failover connectivity.
A connection could be like below:
192.168.1.30 -> 192.168.7.20:16076 -> which is forwarded by firewalld to the remote
vendor IP 155.1.1.2:9525 using a rule such as...
rich rules:
rule family="ipv4" forward-port port="16076"
protocol="tcp" to-port="9525" to-addr="155.1.1.2"
this is working fine.
But I have a problem. The vendor NATs our source IP to a single IP as per their
policy. So, they will only accept connections from a single source IP. I have asked if
they can do a "many to one NAT" but they will not do this.
The problem is that either server will show the source IP as the actual IP address of
the local LAN. So connections going out from Server1 will look like they come from
192.168.7.21, and connections from Server2 will look like they come from 192.168.7.22.
This will be a problem if a failover occurs.
To get around this, I'd like to be able to source NAT in firewalld any outbound
connections so they appear as if they come from the keepalived VIP (.20). I am not sure if
this is possible in a "single interface" setup, like I have, or whether
masquerading could help here (although I think masquerading may just use the IP of the
interface, which still wouldn't help me).
I am new to firewalld, so am reaching out for help on whether it's possible to source
NAT or masquerade in firewalld as the keepalived VIP address?
Appreciate any help on this.
Thanks,
Les
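The rules the post is asking about, as an added example and not part of Les's message or of firewalld's own documentation: firewalld rich rules offer `forward-port` and `masquerade`, but masquerade uses the outgoing interface's primary address (.21 or .22), and rich rules have no SNAT-to-address action. On RHEL 7 (iptables backend) the SNAT target can be added through a firewalld direct rule in the nat POSTROUTING chain, which firewalld evaluates before its own masquerade rules. The script below installs the post's forward-port rule and a matching SNAT-to-VIP rule. The addresses and ports are the ones from the post; the interface name eno16780032, the zone `public` and the `FIREWALL_CMD` override (set it to `echo` for a dry run) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: give forwarded vendor traffic the
# keepalived VIP as its source using a firewalld direct rule. Addresses and ports
# are the ones from the post; LAN_IF, ZONE and the FIREWALL_CMD override are
# assumptions for illustration.
set -eu

LAN_IF="${LAN_IF:-eno16780032}"      # assumed: the "local LAN" NIC on both servers
ZONE="${ZONE:-public}"               # assumed: zone that LAN_IF is bound to
VIP="${VIP:-192.168.7.20}"           # keepalived VIP
VENDOR_IP="${VENDOR_IP:-155.1.1.2}"
VENDOR_PORT="${VENDOR_PORT:-9525}"
LOCAL_PORT="${LOCAL_PORT:-16076}"
# FIREWALL_CMD=echo prints the commands instead of applying them (dry run).
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# The forward-port rich rule from the post (DNAT in PREROUTING).
forward_rule() {
    printf 'rule family="ipv4" forward-port port="%s" protocol="tcp" to-port="%s" to-addr="%s"' \
        "$LOCAL_PORT" "$VENDOR_PORT" "$VENDOR_IP"
}

# Direct rule for the nat POSTROUTING chain: rewrite the source address of
# traffic leaving LAN_IF for the vendor port to the VIP. Rich rules only offer
# masquerade (which picks the interface's primary address, .21/.22), so the
# SNAT target has to go in via --direct. The -d/--dport match keeps the rule
# from rewriting the servers' other outbound traffic (SSH, yum, monitoring).
snat_rule() {
    printf 'ipv4 nat POSTROUTING 0 -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s' \
        "$LAN_IF" "$VENDOR_IP" "$VENDOR_PORT" "$VIP"
}

# Install both rules permanently and reload. Run on both servers: only the VIP
# holder receives the internal traffic, so the SNAT rule is idle on the backup
# until a failover, and conntrackd carries the NATed entries across.
apply() {
    "$FIREWALL_CMD" --permanent --zone="$ZONE" --add-rich-rule="$(forward_rule)"
    # shellcheck disable=SC2046  # intentional word splitting: one token per argument
    "$FIREWALL_CMD" --permanent --direct --add-rule $(snat_rule)
    "$FIREWALL_CMD" --reload
}

# Check that the running firewalld carries the SNAT-to-VIP rule; exits non-zero
# (because of set -e) if it is missing.
verify() {
    "$FIREWALL_CMD" --direct --get-all-rules | grep -F -- "--to-source $VIP"
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify ;;
esac
```

Run `FIREWALL_CMD=echo sh snat-vip.sh apply` first to see the exact `firewall-cmd` invocations, then `sh snat-vip.sh apply` on both servers and `sh snat-vip.sh verify` on each. After a test connection from the internal network, `conntrack -L -d 155.1.1.2` on the active node should show the reply tuple addressed to 192.168.7.20 rather than the server's own address, and the same entry should appear on the backup once conntrackd has synced it.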