How to convert iptables command to work with firewalld
sudo -s iptables -t nat -A POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
sudo -s iptables -t nat -D POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
Basically adding/deleting NAT rules in iptables.
This command works in Gentoo and we have migrated to CentOS 7. How can I convert the same command to work with firewalld?
Re: How to convert iptables command to work with firewalld
The firewalld does not seem to be nice for Very Special Things, but at least 'Direct Options' from man firewall-cmd should work:
Code:
$ firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
$ firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
Re: How to convert iptables command to work with firewalld
When I add this rule to a system, let's say 10.x.x.55, then destination 10.x.x.x is unable to receive traps from 10.x.x.55.
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
10.x.x.55 is receiving traps from 10.x.x.204 and wants to forward them to 10.x.x.x.
Re: How to convert iptables command to work with firewalld
I know nothing about "traps".
You did ask "how to convert?" That implies that you already have a functional ruleset and you simply need to know how to enter it via firewalld.
If A sends a packet to B and you want B to redirect it to C, then B has to DNAT (convert A->B into A->C).
If A sends a packet to C via B and B wants to pretend that the packet originates in B, then SNAT (convert A->C into B->C).
Note that the entire 10.0.0.0/8 subnet is private and therefore the obfuscation should not be necessary, at least not to the level that you have done it.
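To make the translation from the original post's iptables commands into jlehtone's firewall-cmd --direct form mechanical, here is an added example (not from the thread or from the firewalld project). It assumes the priority 0 and the ipv4 family used in jlehtone's reply, and the function name iptables_to_firewalld is my own; it only rewrites syntax and says nothing about whether SNAT or DNAT is the right target, which is the question raised above.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite an "iptables -t <table> -A|-D <chain> ..."
# command line into the equivalent "firewall-cmd --direct" command, using the
# priority 0 and ipv4 family shown in jlehtone's reply. Only -A/-D on the filter,
# nat and mangle tables are handled; anything else is rejected.
#
# Usage: iptables_to_firewalld [--runtime] "<iptables command line>"
#   By default the output carries --permanent, which only edits firewalld's
#   config files; apply it to the live ruleset with "firewall-cmd --reload",
#   or generate the runtime form with --runtime and run both.
iptables_to_firewalld() {
    perm="--permanent"
    if [ "$1" = "--runtime" ]; then perm=""; shift; fi
    # Split the command line into words; -f keeps "*" and friends from globbing.
    set -f; set -- $1; set +f
    table="filter"; action=""; chain=""
    # Skip "sudo -s iptables", pick up "-t <table>", stop at "-A|-D <chain>".
    while [ $# -gt 0 ]; do
        case "$1" in
            sudo|-s|iptables) shift ;;
            -t) table="$2"; shift 2 ;;
            -A) action="--add-rule";    chain="$2"; shift 2; break ;;
            -D) action="--remove-rule"; chain="$2"; shift 2; break ;;
            *) echo "unsupported token before -A/-D: $1" >&2; return 1 ;;
        esac
    done
    [ -n "$action" ] || { echo "no -A/-D <chain> found" >&2; return 1; }
    case "$table" in
        filter|nat|mangle) ;;
        *) echo "unsupported table: $table" >&2; return 1 ;;
    esac
    # Everything after the chain name is the match/target part and is copied as-is.
    printf 'firewall-cmd%s --direct %s ipv4 %s %s 0' "${perm:+ $perm}" "$action" "$table" "$chain"
    [ $# -eq 0 ] || printf ' %s' "$@"
    printf '\n'
}

# The thread's own add/remove pair, run through the converter.
iptables_to_firewalld "sudo -s iptables -t nat -A POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204"
iptables_to_firewalld "sudo -s iptables -t nat -D POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204"
```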
Re: How to convert iptables command to work with firewalld
jlehtone wrote (2019/08/05 14:18:37):
I know nothing about "traps".
You did ask "how to convert?" That implies that you already have a functional ruleset and you simply need to know how to enter it via firewalld.
If A sends a packet to C via B and B wants to pretend that the packet originates in B, then SNAT (convert A->C into B->C).
Yes, you are absolutely right. We have a working ruleset (mentioned at the top of the thread) for iptables which is working fine on the Gentoo system. Now we are migrating to CentOS 7. CentOS 7 uses firewalld, so we want to do the same thing using firewalld instead of iptables.
The rule which you suggested for firewalld adds successfully on the system (X). But after adding the rule, the firewall drops packets for the destination mentioned in the rule. So the destination (let's say Y) does not receive anything from X.
Re: How to convert iptables command to work with firewalld
You can see what the current ruleset in the kernel is with:
Code:
iptables -S
iptables -t nat -S
iptables -t mangle -S
Compare the current ruleset with what you have in Gentoo. How do they effectively differ?
Note that option --permanent makes firewall-cmd operate on the firewall's config files, while without that option the current ruleset is modified. The firewalld loads the ruleset from files during boot just like iptables.service. You can reload (after changing config) with firewall-cmd --reload.