To set up masquerading on the external zone, type:
# firewall-cmd --zone=external --add-masquerade
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
For reference:
You do not use rules like that directly. You simply put your interface (eth0) into the external zone, which is already preconfigured in RHEL7/CentOS7 and has masquerading turned on, or you enable masquerading on the zone your interface is in. By default it's public. So the correct answer would be either:
# firewall-cmd --zone=public --add-masquerade
or
# firewall-cmd --change-zone=eth0 --zone=external
That is really all you need to do. To enable NAT only for a particular subnet or range, you need a rich rule or a direct rule. That's a bit more complex. You can also simply refuse packets from others, which also seems an option.
Alternatively, you can add the rule to your /etc/firewalld/direct.xml file, e.g.:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  ...
  <!-- the table and chain are given by the attributes, so the rule body holds only the match and the target -->
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">--source 10.8.0.0/24 --out-interface eth0 --jump MASQUERADE</rule>
</direct>
Then:
firewall-cmd --reload
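The two ways of setting this up, as an added example that is not part of the original answers: a POSIX shell script that masquerades either the whole zone the uplink interface is in, or only the VPN subnet through a direct rule. It assumes the uplink is eth0 and the VPN subnet is 10.8.0.0/24 (the values used in the thread; both can be overridden with the UPLINK and VPN_NET environment variables), and it only calls firewall-cmd when run with an explicit "zone" or "subnet" argument.

```shell
#!/bin/sh
# Added example, not part of the original answers: the two ways of
# masquerading an OpenVPN subnet with firewalld on CentOS 7 that the answer
# above describes, made persistent (--permanent + --reload) and idempotent.
# Assumed (hypothetical) values: uplink interface eth0, VPN subnet 10.8.0.0/24.
UPLINK="${UPLINK:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Accept only a dotted-quad IPv4 prefix with a /0-32 length. The check runs
# before anything reaches firewall-cmd, so a typo cannot silently produce a
# malformed rule or masquerade a range that was never intended.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Argument list for "firewall-cmd --direct --add-rule": the table (nat) and
# chain (POSTROUTING) are separate arguments, so the iptables part carries
# only the match and the target. Putting "--table nat" inside the rule body
# with the rule filed under the filter table is the mistake this avoids.
direct_rule_args() {
    valid_cidr "$1" || { echo "invalid IPv4 CIDR: $1" >&2; return 1; }
    printf '%s\n' "ipv4 nat POSTROUTING 0 -s $1 -o $2 -j MASQUERADE"
}

# (a) Masquerade the whole zone that the uplink interface belongs to.
# Query first, so a re-run does not trip the ALREADY_ENABLED warning.
zone_masquerade() {
    zone=$(firewall-cmd --get-zone-of-interface="$UPLINK")
    if firewall-cmd --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        echo "masquerade already enabled on zone $zone"
    else
        firewall-cmd --permanent --zone="$zone" --add-masquerade
    fi
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --query-masquerade
}

# (b) Masquerade only VPN_NET leaving via UPLINK, through a permanent direct
# rule (firewall-cmd stores it in /etc/firewalld/direct.xml). A direct rule
# does not turn on IP forwarding by itself, so ip_forward is checked explicitly.
subnet_masquerade() {
    rule=$(direct_rule_args "$VPN_NET" "$UPLINK") || return 1
    # shellcheck disable=SC2086  # splitting $rule into separate arguments is intended
    if firewall-cmd --permanent --direct --query-rule $rule >/dev/null 2>&1; then
        echo "direct rule already present"
    else
        firewall-cmd --permanent --direct --add-rule $rule
    fi
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || echo "warning: net.ipv4.ip_forward is 0" >&2
}

# Nothing is applied unless explicitly requested: "sh nat.sh zone" or "sh nat.sh subnet".
case "${1:-}" in
    zone)   zone_masquerade ;;
    subnet) subnet_masquerade ;;
esac
```

Both paths use --permanent followed by --reload, so the setting survives a firewalld restart; the bare --add-masquerade shown in the answers changes only the runtime configuration and is gone after the next reload. The --query-masquerade and --query-rule checks are what keep a second run quiet: the external zone ships with masquerading already on, which is why adding it there again reports ALREADY_ENABLED.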
Link to this article: https://hqyman.cn/post/758.html Articles not original to this site are welcome to be reposted; original articles must keep this site's address!
ALREADY_ENABLED. Should that be the case? – Jacob Tomlinson Aug 22 '14 at 12:58
10.8.0.0/24 in your config. – Jacob Tomlinson Aug 22 '14 at 13:54