All,
So under iptables I am able to do things like:
*nat
-A PREROUTING -d 204.1.8.6 -j DNAT --to-destination 10.2.1.1
-A POSTROUTING -s 10.2.1.1 -j SNAT --to-source 204.1.8.6
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.4.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.1.1
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
I am at a loss to figure out how to do that under firewalld. The main intention here is to have a particular incoming addr[:port] be redirected to a particular internal addr[:port], used to have VMs on an internal network (10.x.y.z).
The net effect of the above entries is that a specific external IP address appears to be a specific internal server, even for outgoing connections, while the other internal servers get masqueraded as the primary IP.
The piece I cannot seem to find is how to tell firewall-cmd to use a particular destination IP address for incoming requests and NAT that. I have tried:
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" destination address="204.1.8.6" forward-port to-addr="10.3.1.2" protocol="tcp" port="0-65535"'
But that seems to ignore the destination address and instead routes everything for ALL addresses to 10.3.1.2.
Is there a way with firewall-cmd to only NAT traffic coming in to a particular IP address when there are several IP addresses on the same NIC?
Brian Andrus
ITACS/Research Computing
Naval Postgraduate School
Monterey, California
voice: 831-656-6238
On 10/07/2014 03:35 AM, Andrus, Brian Contractor wrote:
> firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" destination address="204.1.8.6" forward-port to-addr="10.3.1.2" protocol="tcp" port="0-65535"'
> But that seems to ignore the destination address and instead routes everything for ALL addresses to 10.3.1.2.
This should work with: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=196cac1861c90be59...
$ firewall-cmd --add-rich-rule='rule family="ipv4" destination address="1.1.1.1" forward-port port="11" protocol="tcp" to-addr="2.2.2.2" to-port="22"'
now creates:
*mangle
-A PRE_public_allow -d 1.1.1.1/32 -p tcp -m tcp --dport 11 -j MARK --set-xmark 0x66/0xffffffff
*nat
-A PRE_public_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination 2.2.2.2:22
*filter
-A FWDI_public_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT
I'm going to release 0.3.12 in the coming days, so you'll be able to test it.
-- Jiri
firewalld-users@lists.fedorahosted.org
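Below is an added example, not code from either post and not firewalld's own code, that writes Brian's whole iptables NAT set as firewall-cmd calls. The per-IP port forwards are rich rules with destination address=, which is exactly the case Jiri's commit fixes. The 1:1 mapping for 204.1.8.6 is different: it also needs SNAT for the server's outbound traffic, and the rich language has no SNAT element, so both halves of that mapping are expressed as firewalld direct rules (iptables syntax passed through). Assumed here: the external NIC sits in zone "public", firewalld is running with firewall-cmd on PATH, the addresses are the ones from the first post, and the rich-language grammar's "source [not] address" / "destination [not] address" qualifiers on masquerade. Running the script with the argument "apply" changes the firewall; any other invocation only defines the functions, and FWCMD=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread, not firewalld's code): Brian's iptables
# NAT rules as firewall-cmd calls. Per-IP port forwards are rich rules with
# destination address=; the 1:1 mapping needs SNAT as well, which rich rules
# cannot express, so it uses firewalld direct rules. Assumptions: zone
# "public" holds the external NIC; firewalld is running; firewall-cmd is on
# PATH. "apply" as first argument applies the rules; FWCMD=echo previews them.

FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# fw: every change is --permanent and activated by a single --reload at the end
fw() { "$FWCMD" --permanent "$@"; }

# forward_port EXT_IP PROTO PORT INT_IP [INT_PORT]
# Only packets addressed to EXT_IP:PORT are DNATed; the other addresses on the
# same NIC are untouched because destination address= does the matching.
# Replaces the "-d 204.1.8.x -p tcp --dport N -j DNAT" lines.
forward_port() {
  rule="rule family=\"ipv4\" destination address=\"$1\" forward-port port=\"$3\" protocol=\"$2\" to-addr=\"$4\""
  if [ -n "${5:-}" ]; then
    rule="$rule to-port=\"$5\""
  fi
  fw --zone="$ZONE" --add-rich-rule="$rule"
}

# one_to_one EXT_IP INT_IP
# Everything for EXT_IP (any protocol) goes to INT_IP, and INT_IP's own
# outbound traffic leaves as EXT_IP. Direct rules land in PREROUTING_direct /
# POSTROUTING_direct, which firewalld consults before the zone chains, so the
# SNAT here takes precedence over the 10/8 masquerade below for this one host.
one_to_one() {
  fw --direct --add-rule ipv4 nat PREROUTING 0 -d "$1" -j DNAT --to-destination "$2"
  fw --direct --add-rule ipv4 nat POSTROUTING 0 -s "$2" -j SNAT --to-source "$1"
  # a direct DNAT gets no FORWARD accept the way forward-port does, so add one
  fw --direct --add-rule ipv4 filter FORWARD 0 -d "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# masquerade_internal: the "-s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE" line.
# The rich language allows source and destination (with "not") on masquerade.
masquerade_internal() {
  fw --zone="$ZONE" --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" destination not address="10.0.0.0/8" masquerade'
}

apply_all() {
  one_to_one 204.1.8.6 10.2.1.1
  forward_port 204.1.8.2 tcp 80  10.3.1.1
  forward_port 204.1.8.2 tcp 443 10.3.1.1
  forward_port 204.1.8.3 tcp 25  10.4.1.1
  forward_port 204.1.8.3 tcp 110 10.4.1.1
  masquerade_internal
  "$FWCMD" --reload
}

if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Two caveats worth checking before relying on this. First, the destination address= match on forward-port only works from the 0.3.12 fix Jiri describes; on an older firewalld the address is ignored and every forward lands on the to-addr, which is the symptom in the first post. Second, as with the original iptables set, the internal servers must route their return traffic through this host (default route via the firewall), otherwise the DNATed connections never complete; the SNAT and masquerade rules only rewrite what passes through here.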