We are going to configure RHEL server as a router. Masquerading, port forwarding, rich and direct rules will be covered.
The Lab
We have three RHEL 7.0 servers available in our lab:
- ipa (10.10.1.79, 10.8.8.70) – will be configured as a router,
- srv1 (10.8.8.71) – a server on our DMZ network, will be used to test masquerading,
- pub (10.10.1.10) – a server on our public network, will be used to test port forwarding.
The ipa server has SELinux set to enforcing mode.
Network Interfaces on the Router Server
The ipa server has two network interfaces attached and configured:
# nmcli d DEVICE TYPE STATE CONNECTION enp0s17 ethernet connected enp0s17 enp0s8 ethernet connected enp0s8 lo loopback unmanaged --
The enp0s8 is connected to our “public” network 10.10.1.0/24, where enp0s17 is connected to DMZ 10.8.8.0/24.
# ip -4 ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 10.10.1.79/24 brd 10.10.1.255 scope global dynamic enp0s8
valid_lft 86376sec preferred_lft 86376sec
3: enp0s17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 10.8.8.70/24 brd 10.8.8.255 scope global dynamic enp0s17
valid_lft 3583sec preferred_lft 3583sec
Routing table can be seen below:
# ip ro default via 10.10.1.1 dev enp0s8 proto static metric 1024 10.8.8.0/24 dev enp0s17 proto kernel scope link src 10.8.8.70 10.10.1.0/24 dev enp0s8 proto kernel scope link src 10.10.1.79
Exclude all iptables-based services from ever being started:
# systemctl mask iptables ip6tables ebtables ln -s '/dev/null' '/etc/systemd/system/iptables.service' ln -s '/dev/null' '/etc/systemd/system/ip6tables.service' ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
There is apparently a bug in RHEL 7.1 and RHEL 7.2 that prevents the iptables service from being masked if the package iptables-services is not installed:
[rhel7.1]# systemctl mask iptables Failed to issue method call: Access denied
[rhel7.1]# cat /var/log/audit/audit.log
type=USER_AVC msg=audit(1468920066.358:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { disable } for auid=0 uid=0 gid=0 cmdline="systemctl mask iptables ip6tables ebtables" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
The version of the policy that has a bug is this:
[rhel7.1]# rpm -q selinux-policy-targeted selinux-policy-targeted-3.13.1-23.el7.noarch
[rhel7.2]# rpm -q selinux-policy-targeted selinux-policy-targeted-3.13.1-60.el7.noarch
Installing the iptables-services package, or putting SELinux in to permissive mode, allows masking of iptables service on RHEL 7.1 and RHEL 7.2.
Firewalld Default Zone
Both network interfaces should be added to the zone public:
# firewall-cmd --get-active-zones public interfaces: enp0s17 enp0s8
It should be the default zone:
# firewall-cmd --get-default-zone public
We still want to set the default zone to public (so that we know how to change it), and assign the interface enp0s17 to the zone dmz.
Set the default firewall zone to public, remove the network interface enp0s17 from the zone public and add to the zone dmz.
# firewall-cmd --set-default-zone=public # firewall-cmd --remove-interface=enp0s17 --zone=public # firewall-cmd --permanent --add-interface=enp0s17 --zone=dmz
A permanent configuration requires a reload of the firewall configuration to work as expected:
# firewall-cmd --reload
Let us see the actives zones:
# firewall-cmd --get-active-zones dmz interfaces: enp0s17 public interfaces: enp0s8
Make sure that zones are correctly set in the network scripts:
# nmcli con mod enp0s8 connection.zone public # nmcli con mod enp0s17 connection.zone dmz # nmcli c reload
Custom Firewalld Services
This part shows the way we can create custom firewalld services. We are going to create one for iSCSI target.
Copy one of the existing firewalld service configuration files, say for SSH:
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/iscsi-target.xml
Open the file /etc/firewalld/services/iscsi-target.xml for editing, and put the following:
<?xml version="1.0" encoding="utf-8"?> <service> <short>iSCSI Target</short> <description>iSCSI target.</description> <port protocol="tcp" port="3260"/> </service>
The newly created firewalld service can be added to the zone dmz this way:
# firewall-cmd --permanent --zone=dmz --add-service iscsi-target
More services depending on requirements can be also added, for example:
# firewall-cmd --permanent --zone=dmz --add-service={http,https,ldap,ldaps,kerberos,dns,kpasswd,ntp,ftp}
# firewall-cmd --reload
List all services that are added to the zone dmz:
# firewall-cmd --list-services --zone=dmz dns ftp http https iscsi-target kerberos kpasswd ldap ldaps ntp ssh
List all services that are added to the zone public:
# firewall-cmd --list-services --zone=public dhcpv6-client
Packet Forwarding
To configure routing, the server needs to forward incoming packets from one interface to another interface.
Create a new file /etc/sysctl.d/ip_forward.conf and add the following:
net.ipv4.ip_forward=1
The above makes the change permanent. Now change the runtime value:
# sysctl -w net.ipv4.ip_forward=1
Routing with Rich Rules
In general, all we have to do is to enable masquerading on the public interface. The command below masquerades packets coming from all hosts in the zone public:
# firewall-cmd --permanent --zone=public --add-masquerade # firewall-cmd --reload
In other words, the above allows all traffic to leave from the zone dmz to the zone public.
The easy way to test this is to try to access some public website from any VM that resides in the dmz network 10.8.8.0/24. We have a server srv1 that’s on 10.8.8.71, and it has the default route going via 10.8.8.70:
[srv1]# ip ro
default via 10.8.8.70 dev mybond0 proto static metric 1024
10.8.8.0/24 dev mybond0 proto kernel scope link src 10.8.8.71
If we were to try to get access to example.com with masquerading disabled, we would have the following:
[srv1]# wget -O - http://example.com
--2016-06-18 17:47:30-- http://example.com/
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:80... failed: No route to host.
When masquerading on the zone public is enabled, we can access the site:
[srv1]# wget http://example.com Resolving example.com (example.com)... 93.184.216.34 Connecting to example.com (example.com)|93.184.216.34|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 1270 (1.2K) [text/html] Saving to: 'index.html' 100%[================================>] 1,270 --.-K/s in 0s 2016-06-18 17:50:19 (129 MB/s) - 'index.html' saved [1270/1270]
If we need some more control over which packets exactly are masqueraded, we can add a rich rule that matches packets coming from specific source addresses only, for example:
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.8.8.0/24 masquerade' # firewall-cmd --reload
Let us check the rich rule:
# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: enp0s8
sources:
services: dhcpv6-client
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.8.8.0/24" masquerade
Routing with Direct Rules
Routing can also be achieved with direct rules. However, the firewalld man page says that direct options should be used only as a last resort when it’s not possible to use for example –add-rich-rule=’rule’.
The syntax is below:
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table with priority priority.
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority
the rule will be added further down. Rules with the same priority are on the same level and the order of
these rules is not fixed and may change. If you want to make sure that a rule will be added after another
one, use a low priority for the first and a higher for the following.
To allow our dmz (enp0s17) network VMs with private IP addresses to communicate with external networks, we have to configure firewall for IP masquerading:
# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o enp0s8 -j MASQUERADE
Forward all ICMP requests from the zone dmz (enp0s17) to the zone public (enp0s8):
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 \ -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Do the same for all HTTP and HTTPS traffic:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 \ -p tcp -m multiport --dport 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Also allow access to public SMTP and SMTPS servers:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 \ -p tcp -m multiport --dport 25,465 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Allow to SSH into public servers:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 \ -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Log everything else:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 \ -j LOG --log-prefix "forward_fw "
Optional, but not really required:
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -j REJECT
Reload:
# firewall-cmd --reload
Check the direct rules:
# firewall-cmd --direct --get-all-rules ipv4 nat POSTROUTING 0 -o enp0s8 -j MASQUERADE ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -p tcp -m multiport --dport 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -p tcp -m multiport --dport 25,465 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -p tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT ipv4 filter FORWARD 0 -i enp0s17 -o enp0s8 -j LOG --log-prefix 'forward_fw '
We can use the same server srv1 to test the rules above. Anything that doesn’t match should be blocked and logged. For example, let us try to access example.com via FTP:
[srv1]# wget -O - ftp://example.com
--2016-06-18 18:13:49-- ftp://example.com/
=> ‘.listing’
Resolving example.com (example.com)... 93.184.216.34
Connecting to example.com (example.com)|93.184.216.34|:21... failed: No route to host.
And the log entry should be:
forward_fw IN=enp0s17 OUT=enp0s8 MAC=08:00:27:ff:70:00:08:00:27:ff:81:00:08:00 SRC=10.8.8.71 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10304 DF PROTO=TCP SPT=34579 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0
Rich Rules and Port Forwarding
We may want to access servers that reside on the dmz network (10.8.8.0/24) from the public (10.10.1.0/24) over SSH. To do so, we need to put some port forwarding rules.
The rules below configure port forwarding so that connections to 10.10.1.79:2271 are forwarded to 10.8.8.71:22, and SSH logging.
# firewall-cmd --permanent --zone=public --add-forward-port='port=2271:proto=tcp:toport=22:toaddr=10.8.8.71' # firewall-cmd --permanent --zone=public --add-rich-rule='rule service name=ssh log prefix="SSH_" level="debug" limit value=1/m reject' # firewall-cmd --reload
Let us see the rules:
# firewall-cmd --list-all --zone=public
public (default, active)
interfaces: enp0s8
sources:
services: dhcpv6-client
ports:
masquerade: yes
forward-ports: port=2271:proto=tcp:toport=22:toaddr=10.8.8.71
icmp-blocks:
rich rules:
rule service name="ssh" log prefix="SSH_" level="debug" limit value="1/m" reject
To test port forwarding, we need some server that’s in the public network (10.10.1.0/24):
[pub]$ ssh [email protected] -p2271 The authenticity of host '[10.10.1.79]:2271 ([10.10.1.79]:2271)' can't be established. ECDSA key fingerprint is 32:e6:80:ec:ec:3e:d0:6a:7b:78:bf:6e:79:90:8f:2d. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '[10.10.1.79]:2271' (ECDSA) to the list of known hosts. [email protected]'s password: Last login: Sat Jun 18 17:29:59 2016 from 10.8.8.1
Static Routes
If we need to create a static route to test something, you we can do so with a single bash command, for example:
# ip route add 10.8.9.0/24 via 10.8.8.70 dev enp0s17
Hi Tomas, sorry to bother you again on another topic…
Port forwarding – from the firewall man page –
–add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
It seems to me the “toaddr=address/mask” is conflicting with line below in the same man page
“The port can either be a single port number portid or a port range portid-portid. The protocol can
either be tcp or udp. The destination address is a simple IP address.”
:::::
So for example, is this an invalid destination address “10.10.1.0/24” ?
Should it be a specific simple IP address?
It shouldn’t even allow you to create a port forwarding rule if I use a mask of anything but /32.
The man page is correct, it is a simple IP address.
Hey Tomas, the last question: should I enable anything to make firewalld direct rules work? any module?
The following one is not working, maybe its not correct:
[root@server1 ~]# firewall-cmd –permanent –direct –add-rule ipv4 filter INPUT 0 -s 192.168.0.103 -p tcp –dport 2222 reject
success
[root@server1 ~]# firewall-cmd –direct –get-all-rules
[root@server1 ~]#
You added the rule to the permanent set. Reload firewalld.
tried that, of course
I use direct rules for routing, but never for filtering incoming traffic (that’s what you seem to want to do) as this can be easily achieved with firewalld rich rules. Let me know if you figure it out.
I tried using http with rich-rule and source address method for one ip in defferent zone.
But I always get Failed connect – ; No route to host
What I am doing wrong here ??
——————case1
[root@csrv176 ~]# firewall-cmd –permanent –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.1.175/32″ service name=”http” log prefix=”http_from_x” level=”info” limit value=”30/m” accept’ –zone=work
success
[root@csrv176 ~]# firewall-cmd –permanent –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.1.175″ service name=”http” log prefix=”http_from_y” level=”info” limit value=”30/m” accept’ –zone=work
success
[root@csrv176 ~]# firewall-cmd –reload
success
[root@csrv176 ~]# firewall-cmd –list-all –zone=work
work
interfaces:
sources:
services: dhcpv6-client ipp-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family=”ipv4″ source address=”192.168.1.175/32″ service name=”http” log prefix=”http_from_x” level=”info” limit value=”30/m” accept
rule family=”ipv4″ source address=”192.168.1.175″ service name=”http” log prefix=”http_from_y” level=”info” limit value=”30/m” accept
——————-case2
[root@csrv176 ~]# firewall-cmd –new-zone=sphttp –permanent
[root@csrv176 ~]# firewall-cmd –permanent –add-source=192.168.1.175 –zone=sphttp
success
[root@csrv176 ~]# firewall-cmd –permanent –add-source=192.168.1.175/32 –zone=sphttp
success
[root@csrv176 ~]# firewall-cmd –reload
success
[root@csrv176 ~]# firewall-cmd –list-all –zone=sphttp
sphttp
interfaces:
sources: 192.168.1.175 192.168.1.175/32
services: http
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
———————–error
[root@csrv175 ~]# curl http:// 192.168.1.176
curl: (7) Failed connect to 192.168.1.176:80; No route to host
I don’t see any interfaces assigned to the zone.
By default it is only assigned to default public zone. Can we assign the same interface to more then one zone ? If so then how can we use other zones like internal,work etc..
I thought It is good idea not to keep interface into the same zone to make it more secure
e.g. to make ssh to only certain ips I create new zone “exam” for ssh, add source ips, remove ssh from pubic. No interface assigned to this zone to not override source IPs.
The result of this will be a “exam” zone which permits access to ssh, but only from given IP addresses. This works fine. but it didn’t work for http.
Here is the info.
[root@csrv176 ~]# firewall-cmd –get-active-zones
sphttp
sources: 192.168.1.175 192.168.1.175/32
public
interfaces: eno16777736 eno33554960 eno50332184 team1
exam
sources: 192.168.1.0/24
[root@csrv176 ~]# firewall-cmd –list-all –zone=public
public (default, active)
interfaces: eno16777736 eno33554960 eno50332184 team1
sources:
services: dhcpv6-client
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
root@csrv176 ~]# firewall-cmd –list-all –zone=exam
exam
interfaces:
sources: 192.168.1.0/24
services: ssh
ports: 2022/tcp
masquerade: no
forward-ports: port=2022:proto=tcp:toport=22:toaddr=
icmp-blocks:
rich rules:
rule family=”ipv4″ source address=”192.168.1.175″ service name=”ssh” log prefix=”ssh-reject” level=”info” limit value=”3/m” reject
rule family=”ipv4″ source address=”192.168.1.170″ service name=”ssh” log prefix=”ssh-reject” level=”info” limit value=”3/m” reject
——————————————
My understanding/reading says:
———————————————-
Traffic sources can be designated in two ways: By interface, or by source IP address. Traffic that matches any source passes this check. A firewalld zone defined with only source addresses and without interfaces will apply to all traffic from those addresses, regardless of which interface it came in.
– is the packet coming from a source already bound to a zone? (if yes, it is associated with this zone),
– if not, is the packet coming from a network interface already bound to a zone? (if yes, it is associated with this zone),
– if not, the packet is associated with the default zone.
Ah, OK, I see what you mean. Yea, it would be the same with iptables rules that apply to all interfaces.
I only want to add my observation, but still looking for the answer
-Zone become active if you add source, service to the zone. So my second case 2 should work
as it appears in active zone list.
[root@csrv176 ~]# firewall-cmd –get-active-zones
sphttp
sources: 192.168.1.175 192.168.1.175/32
public
interfaces: eno16777736 eno33554960 eno50332184 team1
exam
sources: 192.168.1.0/24
[root@csrv176 ~]# firewall-cmd –list-all –zone=sphttp
sphttp
interfaces:
sources: 192.168.1.175 192.168.1.175/32
services: http
ports:
—If you just add rich rule, zone doesn’t become active, so I may say case 1 may not work as it doesn’t appear in the active zone list. But if you look zone xml file /etc/firewalld/zones/work.xml then it does clearly define source, service. This throws another question – why zone do not become active with rich rule only ? I don’t see anywhere in the document where it mentions this specific issue. I also wonder if I am using firewalld right way ;)
So what’s the problem here? What doesn’t work in particular?
oh I mentioned it from the beginning of my thread but may be not clear
I tried to allow http service with -rich-rule- and -source address- method for -one ip- in different zone.
Both method doesn’t allow http service and fails with error “Failed connect – ; No route to host”
Do you get any hits for the http rule? If you don’t, then it’s blocked some other place before you even reach it.
Hello,
Thanks for your post, very helpful!
Do you now if there is a way to limit the masquerading destination ? for exemple disable all http calls or enable only port 587 has destination?
Thank for your answer.
Regards
Hi Mario, if you want to enable NAT for a particular subnet or range, you need a rich rule or direct rule.
Hello Amigo, thanks for your post.
Not sure what is wrong on my below config, but i do not get PC on internal zone reach public zones.
Below my config:
[root@ecs-fw01 ~]# firewall-cmd –direct –get-all-rules
ipv4 nat POSTROUTING 0 -o eth0 -j MASQUERADE
ipv4 filter FORWARD 0 -i eth1 -o eth0 -p icmp -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o eth0 -p tcp -m multiport –dport 80,443 -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT
ipv4 filter FORWARD 0 -i eth1 -o eth0 -j LOG –log-prefix ‘forward_fw ‘
[root@ecs-fw01 ~]# firewall-cmd –list-all –zone=internal
internal (active)
target: default
icmp-block-inversion: no
interfaces: eth1
sources:
services: ssh mdns samba-client http https dns smtp
ports: 53/udp 80/tcp 443/tcp
protocols: IP icmp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ecs-fw01 ~]#
[root@ecs-fw01 ~]#
[root@ecs-fw01 ~]# firewall-cmd –list-all –zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dns http https
ports:
protocols: icmp ip
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ecs-fw01 ~]# firewall-cmd –get-active-zones
internal
interfaces: eth1
public
interfaces: eth0
Please post the output of the following commands:
I am bit confused with port forwarding thing.
This is what i am trying to acheive.
When i ssh on server1 ( 192.168.1.244 ) on port 9090 , it should take me to server2 on port 22 (192.168.1.252)
on Server 1: ( 192.168.1.244/24 )
firewall-cmd –permanent –add-forward-port=’port=9090:proto=tcp:toport=22:toaddr=192.168.1.252′
firewall-cmd –reload
Server1: 192.168.1.244/24
Server2: 192.168.1.252/24
ssh runs on port 22 on both servers,
firewall enabled on both servers
After the above rule. ( from Server1: 192.168.1.244/24 itself)
#ssh 192.168.1.244 -p9090
ssh: connect to host 192.168.1.244 port 9090: Connection refused
What the best way to test port forwarding in lab.
1: do i need to enable masq ?
Thanks for a detailed answer
It does work for me. Try the following on the server2:
The above will match the port forwarding rule that is set on the server1 and will forward the request to the server2. You do need to enable masquerading on the server1 as well as
net.ipv4.ip_forward=1. Hope this explains it.Tomas, please help.
I have server with external IP (I1) and I forward traffic through this server to other external ip (I2) and port. It works, but I want that I connect to I1 from certain externel ip.
For example: 1.1.1.1:444 forward to 2.2.2.2:444 and I must connect to 1.1.1.1:444 only 3.3.3.3 other traffic must drop. Sorry for my English.
I have this configuration, but I can connect from different ip to port 444.
firewall-cmd –permanent –zone=public –add-forward-port=port=444:proto=tcp:toport=444:toaddr=94.22.11.11
firewall-cmd –permanent –add-service=PRDP
firewall-cmd –permanent –service=PRDP –add-port=444/tcp
firewall-cmd –permanent –zone=public –set-target=DROP
firewall-cmd –permanent –zone=public –add-rich-rule ‘rule family=”ipv4″ service name=”PRDP” source address=”My_IP” accept’
How can I do it? Thank you.
Can you post the output of the following please:
Thanks. Even though firewalld uses netfilter under the hood, you sometimes need to get into direct rules to get advanced stuff working.
Try the following (I use IPs and ports to match your example). Create a destination NAT rule to forward all (source 3.3.3.3/32) traffic from TCP port 444 to 2.2.2.2:444.
Then create a forwarding rule as well as allow all related and established traffic:
Finally, enable IP masquerading:
The above will do the trick. If you require a firewalld solution then you’ll have to figure it out yourself I’m afraid.
I’ve found solution with Firewalld -https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
firewall-cmd —zone=public —permanent —add-rich-rule=’rule family=”ipv4″ source address=”MY_IP” forward-port to-addr=”95.X.11.15″ to-port=”443″ port=”443″ protocol=”tcp”‘
And this rule is being deleted -forward-ports: port=444:proto=tcp:toport=444:toaddr=95.X.11.15
Thanks, it’s useful to know.
[root@portmap ~]# firewall-cmd --list-all --zone=public public (active) target: DROP icmp-block-inversion: no interfaces: eth0 sources: services: ports: protocols: masquerade: yes forward-ports: port=444:proto=tcp:toport=444:toaddr=95.X.11.15 sourceports: icmp-blocks: rich rules: rule family="ipv4" source address="93.Y.184.74" service name="PRDP" acceptDo you have any ideas?
Yes, see my previous reply.
Thank you. I’ll try.
Hi Tomas, my server ip is 192.168.10.40. I just want forward the local port 22 to 80 on this server for systems in the 192.168.10.0/24 network. I just did: # firewall-cmd –permanent –add-forward-port=port=22:proto=tcp:toport=80 which is successful but I didn’t put any source addresses and destination address.Am I right here? If I need to put,Should I put network address(192.168.10.0) as source addresses or my server ip address 192.168.10.40? Or not needed at all?Please respond to me.
The last time I checked firewalld did not allow port redirection from localhost. I would suggest to use iptables to create a NAT rule to achieve port redirection.
Would you mind to write the correct syntax for above syntax?
Can do, but keep in mind that being able to find information is somewhat an exam requirement :)
Hi Tomas,
Is your examples almost as the same as the exam? Am i correct, that if i have a 2 vm, they should be able to connect to internet? I am planning to do my testing offline. without connecting to internet. BUt your setup is should be able to coccent to internet..that is based from the exam setup you gave
These are examples from my homelab. You do not need internet connection to use the examples, as these are based on two private subnets 10.10.1.0/24 and 10.8.8.0/24 (see the blog post).
Do we need to learn iptables again for making your server a router?
Thanks
Firewalld uses iptables under the hood, so I find iptables quite helpful when I have to troubleshoot firewalld configuration. However, you don’t need to learn iptables to configure your server as a router, you can use firewalld.
Ok thank you for your time. Can you please tell me, did you turn off your Netwokrmanager during exam? Is nmcli is really needed? Or modifying the config file is enough? I have mastered the iscsi,smtp mariadb, but im lacking with kerberos and this nmcli as well as the rich rules.. Im trying to squeeze my time, eliminate what i can eliminate. muy exam is in 15 days.. i Hvve 3 days to decide if i will resched it in May or not.
I cannot tell you what I did during the exam, but if you don’t feel confident, then it makes sense to reschedule it.
Thomas, good afternoon.
I am studying for the EX300 exam, but I have doubts about Rich Rules and Port Forwarding
The Port Forwarding I understood
to redirect ssh to port 6000
$ firewall-cmd –add-forward-port=port=6000:proto=tcp:toport=22:toaddr=192.168.122.197
# ssh -p 6000 192.168.122.197 – it’s ok
Now to do the same using the rich rules I’m not getting
$ firewall-cmd –add-rich-rule ‘rule family=ipv4 source address=192.168.122.197 forward-port port=80 protocol=tcp to-port=8080’
$ elinks http:// 192.168.122.197:8080
The “conection refused” error occurs
# firewall-cmd –list-all
public (default, active)
interfaces: eth0 eth1 team0
sources:
services: dhcpv6-client http https ssh
ports: 3260/tcp
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
rule family=”ipv4″ source address=”192.168.122.197″ forward-port port=”80″ protocol=”tcp” to-port=”8080″
what am I doing wrong?
thank you
In the second example you seem to use IP 192.168.122.197 as the source address, however, in the first example the same IP address is used as the destination address.
It was just an example. I meant that with port-forward I was able to redirect ssh.
But using the rich rules technique I can not redirect
firewall-cmd –add-rich-rule “rule family=ipv4 source address=192.168.122.197 forward-port port=6000 protocol=tcp to-port=22”
When you add a rich rule, what source address are you then testing from?
of the machine itself.
Firewalld does not allow port redirection from localhost. If you try from another server, it should work.
Hello Tomas
Last week i gave RHCSA exam and got 300/300 now I’m preparing for RHCE exam
I installed IPA server on centos 7.2 using VirtualBoz and on IPA server i have two interfaces enp0s3 and enp0s8. I added enp0s3 (interface facing Internet) part of Public Zone and enp0s8 is part of DMZ zone with IP Addr = 10.8.8.2
And on Second server i have one interface enp0s3(Host Only Network) with IP Addr = 10.8.8.50 part of DMZ Zone and made 10.8.8.2 gw of this second server
I enabled masquerading on public zone of IPA Server . But when i try to ping ipa server i get “ping: unknown host ipa” same case if i try to ping http://www.google.com “ping: unknown host http://www.google.com”
If i revert back all changes and make enp0s3 and enp0s8 part of public zone on IPA server it start working but stops working as soon i make enp0s8 part of DMZ zone. Any suggestions
The error message suggests that your DNS resolution may not be working properly.
Try accessing the IPA server on the IP address and see if that works.
From firewall-cmd on IPA server i added following services and ports in both PUBLIC and DMZ Zones
dmz (active)
interfaces: enp0s8
sources:
services: ssh
ports: 443/tcp 80/tcp 88/udp 464/udp 88/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
masquerade: no ——————————————— (and yes on Public Zone)
forward-ports:
icmp-blocks:
rich rules:
It started working, i was able to ping ipa again using name, but when i added the gw on Serv1(10.8.8.50) IP addr of IPA server 10.8.8.2. it stopped working
On Serv1(10.8.8.50) default zone is still public ,
It seems the issue was on Serv1(10.8.8.50) Firewall Zone. Previously default zone was set to Public then i change the default to DMZ it started working. My guess is both zone on IPA and Client should be same zone depending on port and gateway ,especially gateway because 10.8.8.2 enp0s8 is part of dmz zone and not public
Thanks for the good information. Do you have any experience with configuring this same setup in an AWS cloud environment where only 1 interface is required? I’ve tried to sort it out but most of the rules you created in the final steps refer to passing the protocol from 1 interface to the other.
My AWS setup is a bit different thanks to NAT gateways. I used instances with 2 interfaces some years ago, nowadays I create private and public subnets, and use a NAT gateway for instances in the private one.
Hi, having some issues when I try to add forward-port to a network address,
–add-forward-port=port=[-]:proto=[:toport=[-]][:toaddr=[/]]
In the manual, is possible to add network mask, but when I try to add they give an error saying is invalid
firewall-cmd –add-forward-port=port=23:proto=tcp:toport=80:toaddr=192.168.1.0/24
Error: INVALID_ADDR: 192.168.1.0/24
Do you have any idea? the forward port just work when is a host(192.168.1.10)?
You usually forward a port from one host to a port on another host. If you want to specify a network mask, you can add
/32.Hi all,
Will you please help me out for the below issue,
I want to the run the below command in centos 7 firewall
iptables command
-A INPUT -i eth0 -p udp -m state –state ESTABLISH,RELATED -m udp -d 1.2.3.4 -j ACCEPT
Please see the blog post, there are several ways you can create firewalld rules.
Hello, I have some confusions on the “reject” part of the following rich rules:
rule service name=ssh log prefix=”SSH_” level=”debug” limit value=1/m reject
1. What does above rich rules means?
2. What is the purpose of specifying reject here?
3. Is it rejecting the ssh services debug messages that started with “SSH_” prefix?
4. Can you please clarify when to use reject or accept?
Thanks
This rich rule means that new connections to service SSH are all rejected and logged at a rate of 1 per minute. The log prefix is set to SSH_ and the log level is debug.
Use reject when you want to deny connections, and use accept when you want to allow connections.
Thanks!
hi i have the same confusion as the above comments from Kamrul Ahsan:
rule service name=ssh log prefix=”SSH_” level=”debug” limit value=1/m reject
my confusion is because in the questions it doesn’t say accept or reject, so why we chose the reject ?
the question says only “configure server2 for firewalld SSH logging with a prefix of “SSH_” and a debug level, limit to 2 log entries per minute”
could you please advise ?
thanks in advance
In my example I use a forwarding rule for SSH and then reject all other SSH traffic while also logging it. If the question doesn’t ask you to reject traffic then you don’t have to reject it. I hope this clarifies things for you.
Hi
I have a server with two interfaces. One to the internal network, the other to the external network. Internal and external zones are defined on the interfaces, respectively. in this configuration, traffic from the internal network goes to the external network.
external (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal (active)
target: default
icmp-block-inversion: no
interfaces: ens224
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
If I change the zone on the internal interface to drop, and prescribe rich rules for individual hosts. As a result, the traffic from host 192.168.100.50 does not go away.
rop (active)
target: DROP
icmp-block-inversion: no
interfaces: ens224
sources:
services: http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family=”ipv4″ source address=”192.168.100.50″ accept
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
INPUT_direct all — 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all — 0.0.0.0/0 0.0.0.0/0
LOG all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix “STATE_INVALID_DROP: ”
DROP all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all — 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix “FINAL_REJECT: ”
REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all — 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all — 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all — 0.0.0.0/0 0.0.0.0/0
LOG all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix “STATE_INVALID_DROP: ”
DROP all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all — 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix “FINAL_REJECT: ”
REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
OUTPUT_direct all — 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_external all — 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_drop all — 0.0.0.0/0 0.0.0.0/0
FWDI_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_external all — 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_drop all — 0.0.0.0/0 0.0.0.0/0
FWDO_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_drop (1 references)
target prot opt source destination
FWDI_drop_log all — 0.0.0.0/0 0.0.0.0/0
FWDI_drop_deny all — 0.0.0.0/0 0.0.0.0/0
FWDI_drop_allow all — 0.0.0.0/0 0.0.0.0/0
LOG all — 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix “FWDI_drop_DROP: ”
DROP all — 0.0.0.0/0 0.0.0.0/0
Chain FWDI_drop_allow (1 references)
target prot opt source destination
Chain FWDI_drop_deny (1 references)
target prot opt source destination
Chain FWDI_drop_log (1 references)
target prot opt source destination
Chain FWDI_external (1 references)
target prot opt source destination
FWDI_external_log all — 0.0.0.0/0 0.0.0.0/0
FWDI_external_deny all — 0.0.0.0/0 0.0.0.0/0
FWDI_external_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain FWDI_external_allow (1 references)
target prot opt source destination
Chain FWDI_external_deny (1 references)
target prot opt source destination
Chain FWDI_external_log (1 references)
target prot opt source destination
Chain FWDI_public (1 references)
target prot opt source destination
FWDI_public_log all — 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all — 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_drop (1 references)
target prot opt source destination
FWDO_drop_log all — 0.0.0.0/0 0.0.0.0/0
FWDO_drop_deny all — 0.0.0.0/0 0.0.0.0/0
FWDO_drop_allow all — 0.0.0.0/0 0.0.0.0/0
LOG all — 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix “FWDO_drop_DROP: ”
DROP all — 0.0.0.0/0 0.0.0.0/0
Chain FWDO_drop_allow (1 references)
target prot opt source destination
Chain FWDO_drop_deny (1 references)
target prot opt source destination
Chain FWDO_drop_log (1 references)
target prot opt source destination
Chain FWDO_external (1 references)
target prot opt source destination
FWDO_external_log all — 0.0.0.0/0 0.0.0.0/0
FWDO_external_deny all — 0.0.0.0/0 0.0.0.0/0
FWDO_external_allow all — 0.0.0.0/0 0.0.0.0/0
Chain FWDO_external_allow (1 references)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED
Chain FWDO_external_deny (1 references)
target prot opt source destination
Chain FWDO_external_log (1 references)
target prot opt source destination
Chain FWDO_public (1 references)
target prot opt source destination
FWDO_public_log all — 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all — 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all — 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_external all — 0.0.0.0/0 0.0.0.0/0 [goto]
IN_drop all — 0.0.0.0/0 0.0.0.0/0
IN_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_drop (1 references)
target prot opt source destination
IN_drop_log all — 0.0.0.0/0 0.0.0.0/0
IN_drop_deny all — 0.0.0.0/0 0.0.0.0/0
IN_drop_allow all — 0.0.0.0/0 0.0.0.0/0
LOG all — 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix “IN_drop_DROP: ”
DROP all — 0.0.0.0/0 0.0.0.0/0
Chain IN_drop_allow (1 references)
target prot opt source destination
ACCEPT all — 192.168.100.50 0.0.0.0/0
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
Chain IN_drop_deny (1 references)
target prot opt source destination
Chain IN_drop_log (1 references)
target prot opt source destination
Chain IN_external (1 references)
target prot opt source destination
IN_external_log all — 0.0.0.0/0 0.0.0.0/0
IN_external_deny all — 0.0.0.0/0 0.0.0.0/0
IN_external_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain IN_external_allow (1 references)
target prot opt source destination
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_external_deny (1 references)
target prot opt source destination
Chain IN_external_log (1 references)
target prot opt source destination
Chain IN_public (1 references)
target prot opt source destination
IN_public_log all — 0.0.0.0/0 0.0.0.0/0
IN_public_deny all — 0.0.0.0/0 0.0.0.0/0
IN_public_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Works “FWDO_drop_DROP: ”
Tell me what the problem is?
What does it mean “traffic does not go away”? What are you trying to achieve here?
Packets from the internal network do not go to the external network.
Could that be because you’re dropping them? When you check your iptables configuration, can you trace the rule that drops traffic? You can use the hit counter.
One part of your tutorial seems contradictory and it’s confusing. I’m with you up until the point where you say:
“When masquerading on the zone public is enabled, we can access the site:”
I started with a fresh firewalld install with no rules and I run a script to execute the following:
# assign interfaces to zones
firewall-cmd –add-interface=${DMZ_INTERFACE} –zone=dmz
firewall-cmd –add-interface=${PUBLIC_INTERFACE} –zone=public
# I have a DHCP & DNS server running on this box listening on ${DMZ_INTERFACE}
firewall-cmd –add-service=dhcp –zone=dmz
firewall-cmd –add-service=dns –zone=dmz
Now at this point if I try to ping http://www.google.com from a box in my dmz I get “no route to host” (just as you said). But if I then add 1 more rule to my firewall:
firewall-cmd –zone=public –add-masquerade
Now at this point in your tutorial you say “When masquerading on the zone public is enabled, we can access the site:” showing your server in your dmz successfully downloading a file. BUT when I try and ping http://www.google.com from inside my dmz I get “request timed out”. I cannot get anything through to external servers until I add a direct rule:
firewall-cmd –direct –add-rule ipv4 nat POSTROUTING 0 -o ${PUBLIC_INTERFACE} -j MASQUERADE
And indeed (later on in the tutorial) where you introduce that rule you say “To allow our dmz (enp0s17) network VMs with private IP addresses to communicate with external networks, we have to configure firewall for IP masquerading:”
BUT that contradicts your earlier example where you downloaded a file from within your DMZ without adding this rule!
Also, right after you introduce that last direct rule for masquerading you introduce a bunch of direct rules to enable forwarding of dmz traffic to public hosts for http, dns, ssh, etc. But once I added that masquerading direct rule I can do all those things without adding all those protocol-specific rules… so what are they used for?
FINAL QUESTION:
As you pointed out, the firewalld man page says: “Direct configuration should be used only as a last resort when it’s not possible to use firewalld.zone”
So is there a way to enable masquerading without adding a direct rule?
Thanks for your help!
Hi Mark, thanks for your detailed comment, I appreaciate it.
To be honest with you, I wrote this article several years ago, there is a chance that I made a mistake at the time. There is obviously a way of enabling masquerading without adding a direct rule, it should work as per instructions. I’m sure I’ve done that many times, unfortunatelly I don’t really use firewalld nowadays.
Hi,
In my setup i have this openvpn server:
etho (public) 10.1.1.230
tun0 (trusted) 10.8.0.1
clients connected to openvpn with 10.8.0.X can connect to public network 10.1.1.X normally, but clients connected to 10.1.1.X can’t.
How to enable this nat/forwarding?
firewall-cmd –get-active-zones
public
interfaces: eth0
trusted
sources: 10.8.0.0/24
iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
INPUT_direct all — 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all — 0.0.0.0/0 0.0.0.0/0
DROP all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all — 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all — 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE all — 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all — 0.0.0.0/0 0.0.0.0/0
DROP all — 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all — 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
OUTPUT_direct all — 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination
FWDI_trusted all — 10.8.0.0/24 0.0.0.0/0
Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination
FWDO_trusted all — 0.0.0.0/0 10.8.0.0/24
Chain FORWARD_direct (1 references)
target prot opt source destination
Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all — 0.0.0.0/0 0.0.0.0/0
FWDI_public_deny all — 0.0.0.0/0 0.0.0.0/0
FWDI_public_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDI_trusted (1 references)
target prot opt source destination
FWDI_trusted_log all — 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_deny all — 0.0.0.0/0 0.0.0.0/0
FWDI_trusted_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
Chain FWDI_trusted_allow (1 references)
target prot opt source destination
Chain FWDI_trusted_deny (1 references)
target prot opt source destination
Chain FWDI_trusted_log (1 references)
target prot opt source destination
Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all — 0.0.0.0/0 0.0.0.0/0
FWDO_public_deny all — 0.0.0.0/0 0.0.0.0/0
FWDO_public_allow all — 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain FWDO_trusted (1 references)
target prot opt source destination
FWDO_trusted_log all — 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_deny all — 0.0.0.0/0 0.0.0.0/0
FWDO_trusted_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
Chain FWDO_trusted_allow (1 references)
target prot opt source destination
Chain FWDO_trusted_deny (1 references)
target prot opt source destination
Chain FWDO_trusted_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all — 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination
IN_trusted all — 10.8.0.0/24 0.0.0.0/0
Chain INPUT_direct (1 references)
target prot opt source destination
Chain IN_public (2 references)
target prot opt source destination
IN_public_log all — 0.0.0.0/0 0.0.0.0/0
IN_public_deny all — 0.0.0.0/0 0.0.0.0/0
IN_public_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:1150 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain IN_trusted (1 references)
target prot opt source destination
IN_trusted_log all — 0.0.0.0/0 0.0.0.0/0
IN_trusted_deny all — 0.0.0.0/0 0.0.0.0/0
IN_trusted_allow all — 0.0.0.0/0 0.0.0.0/0
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
Chain IN_trusted_allow (1 references)
target prot opt source destination
Chain IN_trusted_deny (1 references)
target prot opt source destination
Chain IN_trusted_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (1 references)
target prot opt source destination
Thank you,
Wilson
How to do filter using DSCP parameter , like in iptables dscp -dscp