20
2019
05
14:33:53

Firewalld CentOS 7 Masquerading

I'm trying to do the equivalent of this iptables rule in firewalld

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

How can I do this?

6

To set up masquerading on the external zone, type:

# firewall-cmd --zone=external --add-masquerade

external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

For reference:

http://www.certdepot.net/rhel7-get-started-firewalld/

1

You do not use directly rules like that. You simply put your interface (eth0) into external zone, which is already preconfigured in RHEL7/CentOS7 and it has masquerade turned on, or you can enable masquerading on the zone your interface is in. By default it's public. So the correct answer would be either:

# firewall-cmd --zone=public --add-masquerade

or

# firewall-cmd --change-zone=eth0 --zone=external

That is really all you need to do. To enable NAT only for particular subnet or range, you need Rich Rule or Direct rule. That's bit more complex. You can also simply refuse packets for others which seems also an option.

0

Alternatively you can add the rule to your: /etc/firewalld/direct.xml file eg.

<?xml version="1.0" encoding="utf-8"?>
<direct>
...
  <rule priority="0" table="filter" ipv="ipv4" chain="POSTROUTING">-table nat -jump MASQUERADE --source 10.8.0.0/24 --out-interface eth0</rule>  
</direct>

Then:

firewall-cmd --reload




推荐本站淘宝优惠价购买喜欢的宝贝:

image.png

本文链接:https://hqyman.cn/post/758.html 非本站原创文章欢迎转载,原创文章需保留本站地址!

分享到:
打赏





休息一下~~


« 上一篇 下一篇 »

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

请先 登录 再评论,若不是会员请先 注册

您的IP地址是: