
SOLVED: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/10 08:56:41
by meluvalli
Firewall doesn't work.

I have set up eth0:2 with rules and they are completely ignored.

(XX XX XX XX is my IP)
firewall-cmd --permanent --new-zone=XX_XX_XX_XX
firewall-cmd --change-interface=eth0:2 --zone=XX_XX_XX_XX --permanent

Zone is created; verified in the zone list that eth0:2 is in this zone.

XX_XX_XX_XX (active)
target: default
icmp-block-inversion: no
interfaces: eth0:2
sources: XX.XX.XX.XX/32
services:
ports:
protocols:
masquerade: no
forward-ports: port=443:proto=tcp:toport=443:toaddr=192.168.1.100
source-ports:
icmp-blocks:
rich rules:


Rebooted the server and it still doesn't work. If I try to access my external IP address on port 443, the firewall blocks it. WHY????

Re: firewall-cmd doesn't work.

Posted: 2019/08/11 08:23:59
by jlehtone
IMHO your issue description "doesn't work" either; there might be details omitted.

However, a websearch on the mentioned details does pull up:
https://serverfault.com/questions/70026 ... lias-eth00

Re: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/12 07:56:49
by meluvalli
Good to know! That does help a little :)

But I am not sure then how to use firewalld to open ports based on source IP. I tried creating zones by source IP address, but this didn't work :(. So, if anyone knows how to open firewall based off WAN IP instead of interface, this would be really helpful!

Re: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/12 09:40:57
by jlehtone
What do you mean "by source IP"? The issue might be due to firewalld-terminology.

Re: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/12 21:43:04
by meluvalli
I created a zone:
firewall-cmd --permanent --new-zone="[MyNewZoneName]"

I tried adding a zone by source using the below command:
firewall-cmd --permanent --zone="[MyNewZoneName]" --add-source="[MyExternalIP]/[Mask]"

Then added the following rule:
firewall-cmd --zone="[MyNewZoneName]" --add-forward-port=port=443:proto=tcp:toport=443:toaddr=[My Internal IP] --permanent

Followed by:
firewall-cmd --complete-reload

This didn't work. The only rules that still apply are the ones on my MAIN WAN IP under zone "External". If the rule isn't in there, it doesn't work. However, I don't know how to add a rule in the "External" zone that only works on my alias IP, if that makes sense.

Re: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/13 07:32:39
by jlehtone
An incoming packet is directed to a zone
1. if its source address matches that zone's sources or
2. if it enters via interface of the zone

Let's say that Google sends a packet to you. Packet has FROM: 8.8.8.8, TO: aliasIP:443
IF you have zone that contains 8.8.8.8 in sources
THEN that zone will handle the packet
ELSE zone of eth0 (external) will handle the packet

The packets that arrive from outside (like 8.8.8.8) are not from alias-on-eth0:2.

The solution on serverfault shows that you can have a service on a zone that matches only a specific TO address (rather than all aliases). Alas, the forward-port does not have that option.


I think the rich language has enough options:

man firewalld.richlanguage

firewall-cmd --zone=external \
  --add-rich-rule='rule family="ipv4" destination address="aliasIP" forward-port port="443" protocol="tcp" to-port="443" to-addr="192.168.1.100"'
firewall-cmd --runtime-to-permanent

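As an added example, not code from the thread or from firewalld itself: a small Python model of the zone-dispatch order jlehtone lays out above (a source match wins, then the ingress interface, then the default zone), together with a generator for the destination-scoped rich rule, one per alias address, and the firewall-cmd lines to apply them. The addresses (203.0.113.10 as the primary WAN IP on eth0, 203.0.113.11 as the alias on eth0:2, 192.168.1.100 as the internal host, 198.51.100.0/24 as a trusted remote network), the zone names and the masquerade line are constructed for illustration; the rich-rule syntax follows firewalld.richlanguage(5).

```python
# Added example (not from the thread): model of firewalld's zone dispatch and
# a generator for per-alias forward-port rich rules. All addresses and zone
# names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    interfaces: set = field(default_factory=set)
    sources: set = field(default_factory=set)  # CIDR strings, as given to --add-source
    masquerade: bool = False


def example_zones():
    """Constructed layout mirroring the thread: eth0 in 'external', plus the
    zone the original poster built (interface eth0:2, source = the alias IP)."""
    return [
        Zone("external", interfaces={"eth0"}, masquerade=True),
        Zone("alias_zone", interfaces={"eth0:2"}, sources={"203.0.113.11/32"}),
        Zone("partner", sources={"198.51.100.0/24"}),
    ]


def dispatch_zone(zones, src_ip, ingress_iface, default_zone="public"):
    """Zone chosen for an incoming packet, in firewalld's order of precedence:
    1. a zone whose sources contain the packet's SOURCE address;
    2. otherwise the zone bound to the ingress interface;
    3. otherwise the default zone.
    The DESTINATION address is never consulted here, and the kernel reports
    the ingress interface of an aliased address as eth0, never eth0:2.
    """
    src = ipaddress.ip_address(src_ip)
    for zone in zones:
        if any(src in ipaddress.ip_network(c, strict=False) for c in zone.sources):
            return zone.name
    for zone in zones:
        if ingress_iface in zone.interfaces:
            return zone.name
    return default_zone


def forward_rich_rule(dst_ip, port, to_addr, to_port=None, proto="tcp"):
    """Rich rule matching one destination (alias) address: the way to scope a
    forward-port to a single WAN IP, since plain --add-forward-port has no
    destination match. Attribute order follows firewalld.richlanguage(5)."""
    to_port = to_port if to_port is not None else port
    return (f'rule family="ipv4" destination address="{dst_ip}" '
            f'forward-port port="{port}" protocol="{proto}" '
            f'to-port="{to_port}" to-addr="{to_addr}"')


def firewall_cmds(zone, forwards):
    """firewall-cmd lines for a list of (alias_ip, port, internal_ip) tuples.
    Forwarding to another host relies on masquerade being enabled on the zone
    ('external' has it on by default; re-adding it is harmless)."""
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-masquerade"]
    for alias_ip, port, internal_ip in forwards:
        rule = forward_rich_rule(alias_ip, port, internal_ip)
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zones = example_zones()
    # A packet from 8.8.8.8 to the alias IP lands in 'external', not 'alias_zone'.
    print(dispatch_zone(zones, "8.8.8.8", "eth0"))
    for line in firewall_cmds("external", [("203.0.113.11", 443, "192.168.1.100")]):
        print(line)
```

Running it shows why the poster's alias zone never saw a packet: nothing arriving from the Internet carries the alias IP as its source, and nothing enters through "eth0:2", so every packet to the alias is handled by the zone of eth0. Scoping by the destination address inside a rich rule in that zone is what makes the per-alias forward work.
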
Re: firewalld Multiple WAN IPs 1 interface help

Posted: 2019/08/14 03:03:57
by meluvalli
THANK YOU, THANK YOU, THANK YOU!!!!

All is working on this part now!!!! REALLY APPRECIATE IT!!!!!

:D :D :D :D