All,


So under iptables I am able to do things like:

*nat
-A PREROUTING -d 204.1.8.6 -j DNAT --to-destination 10.2.1.1
-A POSTROUTING -s 10.2.1.1 -j SNAT --to-source 204.1.8.6

-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.4.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.1.1
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE

I am at a loss to figure out how to do that under firewalld.

The main intention here is to have a particular incoming addr[:port] redirected to a particular internal addr[:port], used to host VMs on an internal network (10.x.y.z).

The net effect of the above entries is that a specific external IP address appears to be a specific internal server, even for outgoing connections, while the other internal servers get masqueraded as the primary IP.

The piece I cannot seem to find is how to tell firewall-cmd to use a particular destination IP address for incoming requests and NAT that.

I have tried:


firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" destination address="204.1.8.6" forward-port to-addr="10.3.1.2" protocol="tcp" port="0-65535"'


But that seems to ignore the destination address and instead routes everything for ALL addresses to 10.3.1.2.


Is there a way with firewall-cmd to only NAT traffic coming in for a particular IP address when there are several IP addresses on the same NIC?


Brian Andrus

ITACS/Research Computing

Naval Postgraduate School

Monterey, California

voice: 831-656-6238
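As an added example that is not part of the original post: a small POSIX sh helper that turns an iptables *nat rule list like the one above into firewalld direct rules, so each DNAT/SNAT stays scoped to its own external address. It assumes firewall-cmd's --direct interface (still present, though deprecated in firewalld 1.x); the helper name and the DRY_RUN variable are my own.

```shell
#!/bin/sh
# Added example (not from the original post): convert an iptables *nat rule list
# into firewalld "direct" rules. Assumes firewalld's direct interface
# (firewall-cmd --direct) is available. DRY_RUN=1 (default) only prints the
# commands; DRY_RUN=0 applies them and reloads.
DRY_RUN="${DRY_RUN:-1}"

# Read iptables-save style lines on stdin and print one firewall-cmd per "-A" rule.
# "*nat", "COMMIT", comments and blank lines are skipped. The match/target arguments
# are passed to the nat table unchanged, so a rule for one external address keeps
# matching only that address (unlike a zone-wide forward-port rich rule).
# A rising priority preserves the original rule order inside each chain.
iptables_nat_to_direct() {
  prio=0
  set -f                                  # no pathname expansion while splitting lines
  while IFS= read -r line; do
    case "$line" in
      -A\ *) ;;
      *) continue ;;
    esac
    set -- $line                           # $1="-A", $2=chain, $3...=match/target args
    chain="$2"
    shift 2
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 nat %s %d %s\n' \
      "$chain" "$prio" "$*"
    prio=$((prio + 1))
  done
  set +f
}

# Constructed sample: the rule set from the post (one 1:1 NAT host, two
# port-forwarded hosts, and the catch-all masquerade for the rest of 10.0.0.0/8).
SAMPLE_RULES='*nat
-A PREROUTING -d 204.1.8.6 -j DNAT --to-destination 10.2.1.1
-A POSTROUTING -s 10.2.1.1 -j SNAT --to-source 204.1.8.6
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.2 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.4.1.1
-A PREROUTING -d 204.1.8.3 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.1.1
-A POSTROUTING -s 10.0.0.0/8 ! -d 10.0.0.0/8 -j MASQUERADE
COMMIT'

if [ "$DRY_RUN" = "1" ]; then
  printf '%s\n' "$SAMPLE_RULES" | iptables_nat_to_direct
else
  # Apply the permanent rules, then reload so they become active in the runtime set.
  printf '%s\n' "$SAMPLE_RULES" | iptables_nat_to_direct | sh -e && firewall-cmd --reload
fi
```

Check the result with `firewall-cmd --direct --get-all-rules` after the reload; the direct chains are evaluated before the zone rules, so these rules take effect ahead of any zone masquerade setting.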