Firewalld

(configuring port forwarding with firewalld)

Revision as of 09:28, 9 August 2017

Port forwarding

firewalld is configured on host12 with two zones: public and dmz

  • Public network is configured as 192.168.1.12/24 (would normally be a public IP)
  • DMZ network is configured as 172.16.4.12/24

SSH to 192.168.1.12 reaches host12 as expected, because the default CentOS 7 configuration already allows the ssh service in the public zone (equivalent to running the following):

firewall-cmd --zone=public --add-service=ssh

firewalld is configured on host14 with a single zone, public, even though its only interface is connected to the DMZ network.

  • Public network is configured as 172.16.4.14/24

The goal is to connect to port 22 on an IP alias of host12 and have the connection forwarded to port 22 on host14. The same principle extends to other services such as http/https, so no proxy is required.

Add another IP to host12 as an IP alias on the public network (e.g. ens33:0); we'll use 192.168.1.14/24 to make it obvious. With iproute2 the alias is given as a label on the real interface, since ens33:0 is not a device of its own:

ip address add 192.168.1.14/24 dev ens33 label ens33:0

Now this IP answers pings, but if you ssh to it you still end up on host12. After adding the following two rules, ssh to 192.168.1.14 connects you to host14 instead, while ssh to 192.168.1.12 still goes to host12 as expected.

firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' destination address='192.168.1.14' forward-port port='22' protocol='tcp' to-addr='172.16.4.14'"

firewall-cmd --zone=dmz --add-masquerade

I don't know why the masquerading is added to dmz - the examples I've found all have it on the same zone as the forwarding rule, but it didn't work with --zone=public, and removing the masquerading from dmz stops the forwarding from working.
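The two firewall-cmd rules above are runtime-only and disappear on the next firewalld restart or reload. The script below is an added example (not part of the original wiki page) that generates the same rules from a small table of forwards, with the rich rule in the public zone and masquerading in the dmz zone exactly as the page has them, and adds --permanent plus a final --reload so the configuration persists. It defaults to dry-run (printing the commands) and only executes them when DRY_RUN=0. The FORWARDS table, the function names and the DRY_RUN/RUN_MAIN variables are assumptions made here; the addresses and zone names are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: emit (or run) the firewalld
# port-forwarding commands for a table of forwards on host12.
# Layout follows the page: forward rule in zone "public", masquerade in "dmz".

# One forward per line: alias_ip port protocol backend_ip (constructed sample data)
FORWARDS='192.168.1.14 22 tcp 172.16.4.14
192.168.1.14 443 tcp 172.16.4.14'

# Build the rich-rule text in the form firewall-cmd --add-rich-rule expects.
# $1 alias IP on host12, $2 port, $3 protocol, $4 backend address on the DMZ
forward_rule() {
  printf "rule family='ipv4' destination address='%s' forward-port port='%s' protocol='%s' to-addr='%s'" \
    "$1" "$2" "$3" "$4"
}

# Dry-run by default: print the command instead of executing it.
# Set DRY_RUN=0 to actually apply the rules on the host.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Apply masquerade, one forward rule per table line, then reload.
# --permanent stores the rules under /etc/firewalld so they survive restarts.
apply_forwards() {
  run firewall-cmd --permanent --zone=dmz --add-masquerade
  printf '%s\n' "$FORWARDS" | while read -r alias port proto backend; do
    [ -n "$alias" ] || continue
    run firewall-cmd --permanent --zone=public \
      --add-rich-rule="$(forward_rule "$alias" "$port" "$proto" "$backend")"
  done
  run firewall-cmd --reload
}

# Self-check helper: how many forward rules the table produces (always dry-run).
count_forwards() {
  (DRY_RUN=1; apply_forwards) | grep -c -- '--add-rich-rule='
}

# Run only when explicitly requested, so sourcing the file has no side effects.
if [ -n "$RUN_MAIN" ]; then
  apply_forwards
fi
```

After applying with DRY_RUN=0, confirm the result with `firewall-cmd --zone=public --list-rich-rules` and `firewall-cmd --zone=dmz --query-masquerade`; a forward that shows in the runtime listing but not with `--permanent` is the symptom of a rule added without `--permanent`.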