On 25.04.2023 20:39, Volker Bub wrote:
Hello,
I am running a wireguard server with an interface eth0 which is reachable over the
internet. I have added this interface to the zone public and closed all ports except 51820
(Wireguard). This server should serve as a gateway for other servers in the
infrastructure. For this purpose the server has a second interface eth1 that I inserted in
the zone trusted. With the Wireguard configuration I execute the following commands:
PostUp = firewall-cmd --zone=trusted --add-interface=wg0
PostUp = firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i wg0 -o eth1 -j ACCEPT
firewalld allows traffic between interfaces in the same zone by default.
Besides, you likely need the reverse direction as well.
PostUp = firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
PostDown = firewall-cmd --zone=trusted --remove-interface=wg0
PostDown = firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -i wg0 -o eth1 -j ACCEPT
PostDown = firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
Access via Wireguard to the complete infrastructure works as well. However, the servers
behind the gateway do not have access to the Internet, which is needed.
My attempts to set up Internet access for the servers behind the gateway all fail. I am
afraid that no communication will be allowed between the trusted and public zones, even if
I include appropriate direct rules. I want all servers behind the gateway to have access
to the Internet exclusively through the gateway server.
How can I implement such a scenario?
You need to enable forwarding for IPv4
(/proc/sys/net/ipv4/ip_forwarding). firewalld does it if the configuration
contains masquerading or port forwarding, but you enable masquerading
under the hood and firewalld is not aware of it.
It would be cleaner and offer more control to define different zones
for wg0 and eth1 and set up policies for traffic between them.
Masquerading could then be defined in the policy eth1 -> wg0.
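The zone-and-policy layout suggested in the reply, written out as a script. This is an added example and not code from either participant in the thread: the interface names eth0, eth1, wg0 and the WireGuard port 51820 come from the question, while the zone names "wgclients" and "lan", the policy names "wg-to-lan" and "lan-to-inet", and the DRY_RUN switch are assumptions made here. By default it only prints the firewall-cmd invocations, so the plan can be reviewed (or exercised on a machine without firewalld) before it is applied with --apply. The ip_forward_enabled helper reads the kernel's IPv4 forwarding toggle (/proc/sys/net/ipv4/ip_forward) so the state the reply describes can be verified; firewalld sets it once a masquerade is part of its own configuration instead of a direct rule.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): replace the direct
# FORWARD/MASQUERADE rules with one zone per interface plus two policies.
# Zone and policy names below are assumptions; interface names come from
# the thread. DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the permanent firewalld configuration.
firewalld_policy_plan() {
    # One zone per interface instead of putting wg0 and eth1 both in "trusted".
    run firewall-cmd --permanent --new-zone=wgclients
    run firewall-cmd --permanent --zone=wgclients --add-interface=wg0
    run firewall-cmd --permanent --new-zone=lan
    run firewall-cmd --permanent --zone=lan --add-interface=eth1
    # eth0 stays in public; the WireGuard port is already open per the thread,
    # re-stated here so the plan is complete.
    run firewall-cmd --permanent --zone=public --add-port=51820/udp

    # VPN clients -> servers behind eth1 (what the direct rules did before).
    run firewall-cmd --permanent --new-policy=wg-to-lan
    run firewall-cmd --permanent --policy=wg-to-lan --add-ingress-zone=wgclients
    run firewall-cmd --permanent --policy=wg-to-lan --add-egress-zone=lan
    run firewall-cmd --permanent --policy=wg-to-lan --set-target=ACCEPT
    run firewall-cmd --permanent --policy=wg-to-lan --add-masquerade

    # Servers behind eth1 -> Internet via eth0: the direction that was missing.
    run firewall-cmd --permanent --new-policy=lan-to-inet
    run firewall-cmd --permanent --policy=lan-to-inet --add-ingress-zone=lan
    run firewall-cmd --permanent --policy=lan-to-inet --add-egress-zone=public
    run firewall-cmd --permanent --policy=lan-to-inet --set-target=ACCEPT
    run firewall-cmd --permanent --policy=lan-to-inet --add-masquerade

    run firewall-cmd --reload
}

# Return 0 if the kernel forwards IPv4, 1 if not, 2 if the flag is unreadable.
# firewalld enables the flag itself once a masquerade is in its own
# configuration; a masquerade added as a direct rule does not trigger that.
# The optional path argument lets the check be exercised against a sample file.
ip_forward_enabled() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$path" ] || return 2
    [ "$(cat "$path")" = "1" ]
}

# Number of firewall-cmd invocations the plan produces (handy for review).
plan_line_count() {
    firewalld_policy_plan | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) DRY_RUN=0; firewalld_policy_plan ;;
    *)       firewalld_policy_plan ;;
esac
```

The policy target ACCEPT mirrors the allow-everything intent of the original direct rule; where the servers behind eth1 only need a few destinations, leave the target at its default and add services or rich rules to the policy instead. Because the wg0 binding lives in firewalld's permanent configuration (interface matching does not require the interface to exist yet), the PostUp/PostDown firewall-cmd lines in the WireGuard config are no longer needed.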