All,
So under iptables I am able to do things like:
*nat
-A PREROUTING -d 204.1.8.6 -j DNAT --to-destination 10.2.1.1
-A POSTROUTING -s 10.2.1.1 -j SNAT --to-source 204.1.8.6
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.4.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.1.1
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
I am at a loss to figure out how to do that under firewalld. The main intention here is to have a particular incoming addr[:port] be redirected to a particular internal addr[:port] used to have VMs on an internal network (10.x.y.z).
The net effect of the above entry is a specific external IP address appears to be a specific internal server, even for outgoing connections while the other internal servers get masqueraded as the primary ip.
The piece I cannot seem to find is how to tell firewall-cmd to use a particular destination IP address for incoming requests and NAT that. I have tried:
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" destination address="204.1.8.6" forward-port to-addr="10.3.1.2" protocol="tcp" port="0-65535"'
But that seems to ignore the destination address and instead routes everything for ALL addresses to 10.3.1.2.
Is there a way with firewall-cmd to only NAT traffic coming in for a particular IP address when there are several IP addresses on the same NIC?
Brian Andrus
ITACS/Research Computing
Naval Postgraduate School
Monterey, California
voice: 831-656-6238
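As an added illustration (not part of the original post or of firewalld's own documentation), the script below expresses the same NAT table from the post through firewalld's direct interface, which passes raw iptables arguments into the nat table and so keeps the per-destination `-d` match that the rich rule above appears to lose. It assumes a firewalld version that still ships `firewall-cmd --direct` (the interface is deprecated in newer releases) and that the addresses are the ones from the post. By default it only prints the commands it would run; set `DRY_RUN=""` to execute them.

```shell
#!/bin/sh
# Added example: the post's iptables NAT rules as firewalld direct rules.
# Assumption: firewalld with the (deprecated but still shipped) direct interface.
# DRY_RUN defaults to "echo" so the script prints commands instead of running them.

DRY_RUN="${DRY_RUN-echo}"
FW="${FW:-firewall-cmd --permanent --direct}"

fw() { $DRY_RUN $FW "$@"; }

# 1:1 NAT: everything sent to EXT reaches INT, and INT's own outbound
# connections leave with EXT as their source (the post's 204.1.8.6 case).
nat_host() {
    ext=$1; int=$2
    fw --add-rule ipv4 nat PREROUTING 0 -d "$ext" -j DNAT --to-destination "$int"
    fw --add-rule ipv4 nat POSTROUTING 0 -s "$int" -j SNAT --to-source "$ext"
}

# Port-restricted DNAT: only TCP PORT on EXT is forwarded to INT, so the
# other addresses on the same NIC are untouched.
nat_port() {
    ext=$1; port=$2; int=$3
    fw --add-rule ipv4 nat PREROUTING 0 -d "$ext" -p tcp -m tcp --dport "$port" \
        -j DNAT --to-destination "$int"
}

# Remaining internal hosts leave masqueraded as the primary address.
# Priority 1 keeps this rule after the specific SNAT rules (priority 0),
# matching the ordering in the post's iptables listing.
masq_internal() {
    fw --add-rule ipv4 nat POSTROUTING 1 -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
}

apply_all() {
    nat_host 204.1.8.6 10.2.1.1
    nat_port 204.1.8.2 80  10.3.1.1
    nat_port 204.1.8.2 443 10.3.1.1
    nat_port 204.1.8.3 25  10.4.1.1
    nat_port 204.1.8.3 110 10.4.1.1
    masq_internal
    # --permanent rules only take effect after a reload
    $DRY_RUN firewall-cmd --reload
}

apply_all
```

Because the direct rules are literal iptables arguments, `firewall-cmd --direct --get-all-rules` (or `iptables -t nat -S`) afterwards should show exactly the entries from the original `*nat` table, which makes it straightforward to confirm that only the intended external address is being rewritten.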