How to convert iptables command to work with firewalld

Support for security such as Firewalls and securing linux
ghulam.k
Posts: 4
Joined: 2019/07/31 11:13:32

How to convert iptables command to work with firewalld

Post by ghulam.k » 2019/07/31 11:19:25

sudo -s iptables -t nat -A POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204

sudo -s iptables -t nat -D POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204

Basically adding/deleting NAT rules in iptables.

This command works in Gentoo and we have migrated to CentOS 7. How can I convert the same command to work with firewalld?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to convert iptables command to work with firewalld

Post by jlehtone » 2019/07/31 13:49:53

The firewalld does not seem to be nice for Very Special Things, but at least 'Direct Options' from man firewall-cmd should work:

$ firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
$ firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204

ghulam.k
Posts: 4
Joined: 2019/07/31 11:13:32

Re: How to convert iptables command to work with firewalld

Post by ghulam.k » 2019/08/02 13:02:24

When I add this rule to a system, let's say 10.x.x.55, then destination 10.x.x.x is unable to receive traps from 10.x.x.55.

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204

10.x.x.55 is receiving traps from 10.x.x.204 and wants to forward them to 10.x.x.x.

ghulam.k
Posts: 4
Joined: 2019/07/31 11:13:32

Re: How to convert iptables command to work with firewalld

Post by ghulam.k » 2019/08/05 09:09:56

jlehtone wrote:
2019/07/31 13:49:53
The firewalld does not seem to be nice for Very Special Things, but at least 'Direct Options' from man firewall-cmd should work:

$ firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
$ firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204
When I add this rule to a system, let's say 10.x.x.55, then destination 10.x.x.x is unable to receive traps from 10.x.x.55.

firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204

10.x.x.55 is receiving traps from 10.x.x.204 and wants to forward them to 10.x.x.x.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to convert iptables command to work with firewalld

Post by jlehtone » 2019/08/05 14:18:37

I know nothing about "traps".

You did ask "how to convert?" That implies that you already have a functional ruleset and you simply need to know how to enter it via firewalld.


If A sends a packet to B and you want B to redirect it to C, then B has to DNAT (convert A->B into A->C).
If A sends a packet to C via B and B wants to pretend that the packet originates in B, then SNAT (convert A->C into B->C).


Note that the entire 10.0.0.0/8 subnet is private and therefore the obfuscation should not be necessary, at least not to the level that you have done it.

ghulam.k
Posts: 4
Joined: 2019/07/31 11:13:32

Re: How to convert iptables command to work with firewalld

Post by ghulam.k » 2019/08/06 06:12:06

jlehtone wrote:
2019/08/05 14:18:37
I know nothing about "traps".

You did ask "how to convert?" That implies that you already have a functional ruleset and you simply need to know how to enter it via firewalld.
If A sends a packet to C via B and B wants to pretend that the packet originates in B, then SNAT (convert A->C into B->C).
Yes, you are absolutely right. We have a working iptables ruleset (mentioned at the top of the thread) which is working fine on the Gentoo system. Now we are migrating to CentOS 7. CentOS 7 uses firewalld, so we want to do the same thing using firewalld instead of iptables.

The rule which you suggested for firewalld adds successfully on the system (X). But after adding the rule, the firewall drops packets for the destination mentioned in the rule. So the destination (let's say Y) does not receive anything from X.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How to convert iptables command to work with firewalld

Post by jlehtone » 2019/08/06 07:05:14

You can see what the current ruleset in kernel is with:

iptables -S
iptables -t nat -S
iptables -t mangle -S

Compare the current ruleset with what you have in Gentoo. How do they effectively differ?

Note that the option --permanent makes firewall-cmd operate on the firewall's config files, while without that option the current ruleset is modified. Firewalld loads the ruleset from files during boot just like iptables.service. You can reload (after changing the config) with firewall-cmd --reload.
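Added example, not code from this thread or from the firewalld project: a small POSIX sh helper that mechanically rewrites an iptables NAT rule into the firewall-cmd --direct form jlehtone gave in the first reply (the add/remove pair for the SNAT rule from the question), and that also covers the DNAT form from jlehtone's A/B/C explanation and the runtime-versus-permanent distinction from the last reply. It assumes IPv4, a rule added or deleted with -A/-D, priority 0 for every direct rule (the value used in the thread), and it discards a leading "sudo -s" without touching the iptables -s (source address) option. The DNAT rule and the query helper are my constructed illustrations, not commands from the thread; nothing here talks to firewalld, it only produces the command lines to run.

```sh
#!/bin/sh
# Added example, not code from the thread: rewrite an iptables NAT rule as the
# firewall-cmd --direct invocation shown in the thread. Assumptions (mine):
# IPv4 only, chain selected with -A/-D, priority 0 for every direct rule, and a
# leading "sudo [-s]" prefix that is discarded.

# iptables_to_firewalld "<iptables command line>" [permanent|runtime]
#   Prints the equivalent firewall-cmd line. "permanent" (default) edits the
#   saved config and needs a --reload; "runtime" changes the live ruleset only.
iptables_to_firewalld() {
    mode=${2:-permanent}
    set -f; set -- $1; set +f                   # split the rule on whitespace, no globbing
    # Skip anything before the word "iptables" (e.g. "sudo -s"). This must not
    # be done by dropping "-s" blindly: -s is also the iptables source option.
    until [ $# -eq 0 ] || [ "$1" = iptables ]; do shift; done
    [ $# -gt 0 ] || { echo "no iptables command found" >&2; return 1; }
    shift                                       # drop "iptables" itself
    table=filter action="" chain="" rest=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) table=$2; shift ;;
            -A) action=--add-rule;    chain=$2; shift ;;
            -D) action=--remove-rule; chain=$2; shift ;;
            *)  rest="$rest $1" ;;              # match/target args pass through unchanged
        esac
        shift
    done
    [ -n "$action" ] && [ -n "$chain" ] || { echo "no -A/-D <chain> found" >&2; return 1; }
    case "$mode" in
        permanent) prefix="firewall-cmd --permanent --direct" ;;
        runtime)   prefix="firewall-cmd --direct" ;;
        *) echo "mode must be permanent or runtime" >&2; return 1 ;;
    esac
    echo "$prefix $action ipv4 $table $chain 0$rest"
}

# query_rule "<iptables command line>": the matching firewall-cmd check that
# reports whether the rule is present in the saved config (exit status 0 = present).
query_rule() {
    iptables_to_firewalld "$1" \
        | sed -e 's/--add-rule/--query-rule/' -e 's/--remove-rule/--query-rule/'
}

# Usage: the two rules from the question (saved config, then runtime), followed by
# a constructed DNAT rule for B=10.x.x.55 redirecting A's traps to C=10.x.x.x.
iptables_to_firewalld 'sudo -s iptables -t nat -A POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204'
iptables_to_firewalld 'sudo -s iptables -t nat -D POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204' runtime
iptables_to_firewalld 'iptables -t nat -A PREROUTING -d 10.x.x.55 -p udp --dport 162 -j DNAT --to-destination 10.x.x.x'
query_rule 'iptables -t nat -A POSTROUTING -d 10.x.x.x -p udp --dport 162 -j SNAT --to 10.x.x.204'
```

Running the produced --permanent lines changes only the saved config; as the last reply says, follow them with firewall-cmd --reload (or emit the runtime variant as well), then confirm with iptables -t nat -S that the kernel ruleset matches the one from Gentoo.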
