First off, I apologize if this has already been asked before but I wasn't able to find any answer looking through the info available on SE.

My situation is as follows: I have one CentOS 7 server that stands at the forefront providing a number of services. It is hooked up with one public ethernet port (eno1) and one LAN ethernet port (eno2). Connected to the LAN is a second server that I want to forward traffic to on a certain port.

FirewallD provides port forwarding and it works. So far, so good! However, there is a major issue I'm running into: I want to limit who has access to that forwarded service by public IP, and I haven't been able to figure that one out because FirewallD seems to be way too simplistic in what can be done with it. Great if you just want to open a service up to the 'net for everyone, but not so much when you only want to open it up to specific scopes. An additional problem is that on the target server on the LAN, all source IPs for the forwarded traffic are the gateway server's LAN address (10.0.0.1). This means I also can't filter traffic on the target server by IP, leaving the service open to the world (which I don't want).

Is there any way to do this with firewalld? I've tried to do it manually with iptables but had to admit defeat. Following all the info I could find, I never got forwarding to work...

Clarification:

Internet -> (eno1, public IP) -> Centos -> (eno2, 10.0.0.1) -> target server (10.0.0.2)

1 Answer

With the help of Michael Hampton (thanks!) I managed to figure it out and am answering my own question.

What is needed is a separate zone that you define by adding scopes to it:

firewall-cmd --new-zone=special --permanent
firewall-cmd --reload
firewall-cmd --zone=special --add-source=12.34.56.78/32 --permanent
firewall-cmd --zone=special --add-source=12.34.56.88/32 --permanent
firewall-cmd --zone=special --add-source=12.34.99.0/24 --permanent

Then add all the normal services/ports you would have in your public zone to this new zone (basically duplicate its config) and finally add the forwarded port rule to the new zone only with (example http proxy):

firewall-cmd --zone=special --add-forward-port=port=8080:proto=tcp:toaddr=10.0.0.2 --permanent

Then issue a final reload to apply:

firewall-cmd --reload

And voila: scopes 12.34.56.78/32, 12.34.56.88/32 and 12.34.99.0/24 now have access to the example proxy service, but nobody else does.

UPDATE

Critical note: These steps work fine for inbound traffic but getting firewalld to behave as a NAT router including outbound takes more work (which I haven't been able to get working...). If anyone has a more complete solution that allows inbound and outbound to work through a firewalld'ed server I'll happily mark that as accepted answer!

OT: I ended up using IPTables in the end anyway, which I got working for port forwarding and NAT without too much issue once I figured out what I did wrong (I didn't have an outbound rule in the FORWARD chain... >.> <.<) and it allows fine control over the scopes in every rule (with the bonus I can do everything from Webmin :P). Since that is off-topic I'm leaving this answer as-is.
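An added example, not from the answer above or from firewalld itself: a small POSIX sh script with two helpers around the zone the answer builds. render_zone prints the permanent zone file those firewall-cmd --permanent calls produce (the XML layout follows firewalld.zone(5) as I understand it; compare it with what lands in /etc/firewalld/zones/special.xml), and allowed answers whether a given public source IP would be placed in the special zone at all, which is what decides whether it can reach the forwarded port, since firewalld selects the zone by source before consulting any rule in it. The helper names are mine; the sources and forward target are the answer's.

```shell
#!/bin/sh
# Added example: render the firewalld zone file built in the answer and
# check which source IPs the zone's source list actually covers.

# ip_to_int DOTTED-QUAD -> prints the IPv4 address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit 0 if IP lies in CIDR (a bare address means /32)
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# allowed IP SOURCE... -> exit 0 if any zone source covers IP
allowed() {
    ip=$1; shift
    for src in "$@"; do
        in_cidr "$ip" "$src" && return 0
    done
    return 1
}

# render_zone ZONE PORT PROTO TOADDR SOURCE... -> zone XML on stdout
# (layout per firewalld.zone(5); assumption, verify against the real file)
render_zone() {
    zone=$1; port=$2; proto=$3; toaddr=$4; shift 4
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>%s</short>\n' "$zone"
    for src in "$@"; do
        printf '  <source address="%s"/>\n' "$src"
    done
    printf '  <forward-port port="%s" protocol="%s" to-addr="%s"/>\n' \
        "$port" "$proto" "$toaddr"
    printf '</zone>\n'
}

# Sources and forward from the answer; the probe IPs are constructed.
SOURCES="12.34.56.78/32 12.34.56.88/32 12.34.99.0/24"
render_zone special 8080 tcp 10.0.0.2 $SOURCES
for ip in 12.34.99.200 12.34.56.79 203.0.113.5; do
    if allowed "$ip" $SOURCES; then echo "$ip: lands in zone special"
    else echo "$ip: falls through to the public zone, no forward"; fi
done
```

Anything that prints "falls through" ends up in the interface's default zone, where the forward-port rule does not exist, which is exactly the allowlisting effect the answer relies on.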