Port forwarding on interface with multiple addresses
by Peter Hoogendijk
For several days I've been searching for the correct way to implement port forwarding based on the IP address of the interface (one interface with two addresses: 172.16.1.15 and 172.16.1.16). With iptables I would use the following rules to forward traffic to two different web server implementations:
iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.15 --dport 443 -j REDIRECT --to-port 8015
iptables -A PREROUTING -t nat -p tcp --dst 172.16.1.16 --dport 443 -j REDIRECT --to-port 8016
What would be the right way to translate this iptables situation into a firewalld configuration? In the documentation about port forwarding there is no way to specify "--dst". The documentation about services shows a way to specify this as "destination" but no way to specify port forwarding. So after searching for several days I decided that I'm now past the RTFM phase :-).
Kind regards, Peter Hoogendijk.
3 years, 10 months
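As an added example (not part of the original post or a reply to it): firewalld's rich language accepts a `destination address=` on a `forward-port` element, which is the counterpart of iptables `--dst`; leaving out `to-addr` makes it a local REDIRECT, like the two iptables rules above. The script below adds both rules to the runtime and the permanent configuration. Assumptions not in the post: the interface with both addresses is bound to zone `public` (check with `firewall-cmd --get-active-zones`), and a `DRY_RUN` variable that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: destination-based port redirection with firewalld rich
# rules, equivalent to the two iptables REDIRECT rules in the post.
# Assumptions: zone "public" holds the interface; DRY_RUN=1 prints the
# firewall-cmd invocations instead of executing them.
set -eu

ZONE="${ZONE:-public}"

# Run firewall-cmd, or print the command line when DRY_RUN is set.
fwc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# dst_redirect_rule ADDR DPORT TOPORT
# Builds the rich rule: match packets addressed to ADDR:DPORT/tcp and
# redirect them to the local port TOPORT (no to-addr => REDIRECT, not DNAT).
dst_redirect_rule() {
    printf 'rule family="ipv4" destination address="%s" forward-port port="%s" protocol="tcp" to-port="%s"' \
        "$1" "$2" "$3"
}

# add_dst_redirect ADDR DPORT TOPORT
# Adds the rule to the running configuration and to the permanent one, so
# it takes effect now and survives a reload.
add_dst_redirect() {
    rule=$(dst_redirect_rule "$1" "$2" "$3")
    fwc --zone="$ZONE" --add-rich-rule="$rule"
    fwc --permanent --zone="$ZONE" --add-rich-rule="$rule"
}

# The two redirects from the post (addresses and ports taken from it).
apply_rules() {
    add_dst_redirect 172.16.1.15 443 8015
    add_dst_redirect 172.16.1.16 443 8016
    # Check: both rules should be listed; then test each address from a
    # client, e.g.  curl -k https://172.16.1.15/  should reach port 8015.
    fwc --zone="$ZONE" --list-rich-rules
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Run it as `./redirect.sh --apply`; with `DRY_RUN=1 ./redirect.sh --apply` it only prints the `firewall-cmd` lines so you can review them first.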
Cannot reach dmz from internal
by Jack.R
Dear All
I am new to firewalld so I probably do not understand it all.
I have a firewall with 3 interfaces: external connected to the WAN, internal connected to the LAN, and dmz connected to a server which hosts a web server and a mail server (fixed IP 192.168.8.3).
Firewalld configuration is as follows:
firewall-cmd --zone=internal --list-all
internal (active)
target: default
icmp-block-inversion: no
interfaces: enx000ec68f6b7d
sources:
services: dhcp dhcpv6-client dns http https imap imaps mdns nfs ntp pop3 pop3s smtp smtps ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=external --list-all
external (active)
target: default
icmp-block-inversion: no
interfaces: enxb827ebe2899e
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=:toaddr=192.168.8.3
port=443:proto=tcp:toport=:toaddr=192.168.8.3
port=143:proto=tcp:toport=:toaddr=192.168.8.3
port=993:proto=tcp:toport=:toaddr=192.168.8.3
port=995:proto=tcp:toport=:toaddr=192.168.8.3
port=110:proto=tcp:toport=:toaddr=192.168.8.3
port=25:proto=tcp:toport=:toaddr=192.168.8.3
port=465:proto=tcp:toport=:toaddr=192.168.8.3
port=587:proto=tcp:toport=:toaddr=192.168.8.3
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --zone=dmz --list-all
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enx00e04c36084a
sources:
services: dhcp dns ntp ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
From a computer in the LAN, I can ping the DMZ server but I cannot ssh into it.
FINAL_REJECT: IN=enx000ec68f6b7d OUT=enx00e04c36084a
MAC=00:0e:c6:8f:6b:7d:30:85:a9:0e:22:56:08:00 SRC=192.168.65.14
DST=192.168.8.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32158 DF PROTO=TCP
SPT=32770 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
If I turn off firewalld I can ssh into it. This means I have made a mistake in my configuration but I did not find it.
After reading docs and trying different things, including a rich rule like
firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.65.0/24" accept'
I am still stuck.
Could someone point me in the right direction?
--
Jack.R
3 years, 11 months
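As an added example (not Jack.R's configuration or a reply from the list): a zone's `services:` list and a rich rule with `accept` only cover traffic addressed to the firewall host itself; traffic that enters on the internal interface and is forwarded out the dmz interface is not covered, which is why the logged SYN (IN=internal, OUT=dmz) ends in FINAL_REJECT. The script shows two ways to allow it: a policy with ingress zone `internal` and egress zone `dmz` (firewalld 0.9 or newer), or, on older releases, a direct rule in the FORWARD chain. Interface names are the ones in the post; the policy name `internal-to-dmz` and the `DRY_RUN` variable (print instead of execute) are assumptions.

```shell
#!/bin/sh
# Added example: allow hosts in the internal zone to reach the DMZ server.
# Interface names come from the post; the policy name and DRY_RUN (print the
# firewall-cmd lines instead of running them) are assumptions.
set -eu

IN_IF=enx000ec68f6b7d    # internal zone interface (from the post)
DMZ_IF=enx00e04c36084a   # dmz zone interface (from the post)
POLICY="${POLICY:-internal-to-dmz}"

# Run firewall-cmd, or print the command line when DRY_RUN is set.
fwc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# policy_internal_to_dmz SERVICE...
# firewalld >= 0.9: a policy with ingress zone internal and egress zone dmz.
# The policy target stays at its default (CONTINUE), so only the listed
# services are accepted and everything else still falls through to the
# zones' normal handling and is rejected as before.
policy_internal_to_dmz() {
    fwc --permanent --new-policy="$POLICY"
    fwc --permanent --policy="$POLICY" --add-ingress-zone=internal
    fwc --permanent --policy="$POLICY" --add-egress-zone=dmz
    for svc in "$@"; do
        fwc --permanent --policy="$POLICY" --add-service="$svc"
    done
    fwc --reload
    # Check: the policy should show both zones and the services.
    fwc --info-policy="$POLICY"
}

# direct_internal_to_dmz PORT...
# Older firewalld without policies: FORWARD_direct is evaluated before the
# zone chains. Only the first packet of a connection needs this rule;
# firewalld's own RELATED,ESTABLISHED accept at the top of FORWARD lets the
# replies through.
direct_internal_to_dmz() {
    for port in "$@"; do
        fwc --permanent --direct --add-rule ipv4 filter FORWARD 0 \
            -i "$IN_IF" -o "$DMZ_IF" -p tcp --dport "$port" -j ACCEPT
    done
    fwc --reload
}

case "${1:-}" in
    --policy) policy_internal_to_dmz ssh http https ;;
    --direct) direct_internal_to_dmz 22 80 443 ;;
esac
```

After either variant, retry the ssh from the LAN host and watch the log: the `FINAL_REJECT` line for DPT=22 should no longer appear.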
Outgoing traffic and zones
by Steven Moyse
From my reading and experiments it seems that I cannot block outgoing traffic for a particular zone or device.
I ask because I would like to connect to a VPN, then allow only ssh and DNS traffic to that VPN.
Other traffi
I can do this using the direct interface, but the rules apply globally not just to the zone.
This command will create a rule that disables all outgoing connections despite seeming to support the zone argument.
firewall-cmd --zone=myvpn --direct --add-rule ipv4 filter OUTPUT 1 -j DROP
So if someone could please confirm that what I am asking is not possible.
Thanks
3 years, 11 months
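As an added example (not from the original post or a reply to it): zones in firewalld only govern inbound and forwarded traffic, so a zone cannot restrict what the host itself sends. Since firewalld 0.9 the supported way to do that per zone is a policy whose ingress zone is the special zone `HOST` and whose egress zone is the VPN zone, with target `REJECT` and only the wanted services added. On older releases the direct rule from the post can be kept from applying globally by matching the VPN interface itself with `-o`; the `--zone` argument has no effect on direct rules. Assumptions not in the post: VPN interface `tun0`, policy name `host-to-vpn`, and a `DRY_RUN` variable that prints the commands instead of running them. The zone name `myvpn` is the one in the post.

```shell
#!/bin/sh
# Added example: restrict the host's own outbound traffic into the VPN zone
# to ssh and DNS. Assumptions: the VPN interface is tun0 and is bound to
# zone "myvpn"; DRY_RUN=1 prints the firewall-cmd lines instead of running
# them.
set -eu

VPN_ZONE="${VPN_ZONE:-myvpn}"
VPN_IF="${VPN_IF:-tun0}"
POLICY="${POLICY:-host-to-vpn}"

# Run firewall-cmd, or print the command line when DRY_RUN is set.
fwc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# host_to_vpn_policy SERVICE...
# firewalld >= 0.9: traffic originating on this host (ingress zone HOST)
# leaving through the VPN zone. Target REJECT means anything not listed
# as a service below is rejected in that direction only.
host_to_vpn_policy() {
    fwc --permanent --new-policy="$POLICY"
    fwc --permanent --policy="$POLICY" --add-ingress-zone=HOST
    fwc --permanent --policy="$POLICY" --add-egress-zone="$VPN_ZONE"
    fwc --permanent --policy="$POLICY" --set-target=REJECT
    for svc in "$@"; do
        fwc --permanent --policy="$POLICY" --add-service="$svc"
    done
    fwc --reload
}

# host_to_vpn_direct PROTO:PORT...
# Older firewalld: direct rules are global, so the rule itself must carry
# -o VPN_IF or it blocks every interface, as the rule in the post did.
# Lower priority numbers are evaluated first: allow, then established
# traffic, then reject the rest on that interface.
host_to_vpn_direct() {
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        fwc --permanent --direct --add-rule ipv4 filter OUTPUT 0 \
            -o "$VPN_IF" -p "$proto" --dport "$port" -j ACCEPT
    done
    fwc --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
        -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    fwc --permanent --direct --add-rule ipv4 filter OUTPUT 2 \
        -o "$VPN_IF" -j REJECT
    fwc --reload
}

case "${1:-}" in
    --policy) host_to_vpn_policy ssh dns ;;
    --direct) host_to_vpn_direct tcp:22 tcp:53 udp:53 ;;
esac
```

Check the result from the host: `ssh` and `dig` through the VPN should still work, while `curl` to an address routed over tun0 should fail immediately with a rejection rather than hang, and traffic on the other interfaces is untouched.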
update timeout of an ipset entry
by alvaro
I have been trying to figure out how to update the timeout of an ipset entry, with no luck so far. When using native ipset I would simply use:
$ ipset add foo 192.168.0.5 -exist
but firewalld doesn't seem to implement this feature according to the manual (man), which is pretty useful and common.
ip2ban seems to bypass the firewalld ipset implementation and just use it natively, so I have tried that too, but with no success:
ipset creation:
ipset create foo hash:ip timeout 300
direct rule:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT
ipset add
ipset add foo 192.120.11.1
https requests and ssh connection attempts are dropped with "no route to host".
As soon as I disable firewalld I can successfully send requests and connect to ssh.
* I'm using the default zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
firewall-cmd --direct --get-all-rules:
ipv4 filter INPUT 0 -p TCP -m multiport --dports 22,443 -m set --match-set foo src -j ACCEPT
What am I doing wrong? Is this possible with firewalld?
thanks in advance
remember to take care of yourself (stay home, wash your hands and so on)
3 years, 11 months
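As an added example (not alvaro's commands or a reply from the list): the same allow-list built with firewalld's own ipset support, so the set, its timeout and the rule that uses it all live in firewalld instead of a native set referenced from a direct rule. `--new-ipset` only exists for the permanent configuration, so a reload is needed before the set can be used; entries are then added at runtime and expire after the set's timeout. The set name `foo`, the `public` zone, ports 22 and 443, the 300 s timeout and the sample address are taken from the post; the `DRY_RUN` variable (print instead of execute) is an assumption. Note that `firewall-cmd --ipset=... --add-entry=` has no `-exist` flag; whether re-adding an existing entry refreshes its timeout is something to verify on your own backend and version, which is why the comments point at the live set rather than at firewalld's view of it.

```shell
#!/bin/sh
# Added example: a timeout ipset managed by firewalld, with rich rules that
# accept TCP 22/443 only from addresses in the set. Names, ports and the
# timeout come from the post; DRY_RUN=1 prints the firewall-cmd lines
# instead of running them.
set -eu

SET="${SET:-foo}"
ZONE="${ZONE:-public}"

# Run firewall-cmd, or print the command line when DRY_RUN is set.
fwc() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# create_timeout_set SECONDS
# ipsets can only be created in the permanent configuration; the reload
# makes the set exist at runtime.
create_timeout_set() {
    fwc --permanent --new-ipset="$SET" --type=hash:ip --option=timeout="$1"
    fwc --reload
}

# allow_from_set PORT...
# One rich rule per port: accept TCP to PORT from any address in the set,
# added to the runtime and the permanent configuration.
allow_from_set() {
    for port in "$@"; do
        rule="rule family=\"ipv4\" source ipset=\"$SET\" port port=\"$port\" protocol=\"tcp\" accept"
        fwc --zone="$ZONE" --add-rich-rule="$rule"
        fwc --permanent --zone="$ZONE" --add-rich-rule="$rule"
    done
}

# add_client ADDR
# Runtime add; the entry expires after the set's timeout. To see whether a
# repeated add refreshed the timeout, look at the live set, not at
# --get-entries (firewalld does not keep a list of entries for timeout sets):
#   ipset list foo                     (iptables backend)
#   nft list set inet firewalld foo    (nftables backend; set name assumed
#                                       to match the firewalld ipset name)
add_client() {
    fwc --ipset="$SET" --add-entry="$1"
}

case "${1:-}" in
    --setup) create_timeout_set 300; allow_from_set 22 443 ;;
    --add)   add_client "${2:?address required}" ;;
esac
```

Run `./allowlist.sh --setup` once, then `./allowlist.sh --add 192.120.11.1` for each client; `firewall-cmd --info-ipset=foo` confirms the type and timeout option, and `firewall-cmd --zone=public --list-rich-rules` shows the two rules.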