11

I'm trying to do the equivalent of this iptables rule in firewalld

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

How can I do this?

Jacob Tomlinson

3 Answers

9

To set up masquerading on the external zone, type:

# firewall-cmd --zone=external --add-masquerade

external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

For reference:

http://www.certdepot.net/rhel7-get-started-firewalld/

TBI Infotech
5

Alternatively you can add the rule to your /etc/firewalld/direct.xml file, e.g.

<?xml version="1.0" encoding="utf-8"?>
<direct>
...
  <!-- the rule body is passed to iptables after "-t nat -A POSTROUTING" -->
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-s 10.8.0.0/24 -o eth0 -j MASQUERADE</rule>
</direct>

Then:

firewall-cmd --reload
arober11
    It should be firmly stressed, that the accepted answer is incorrect in that it shows how to create masquerade/NAT configuration but only if you want all the traffic on the egress of `eth0` to be masqueraded. There is no way to masquerade traffic from a subnet only via the simple `--add-masquerade` directive; direct rules (as explained in the above answer) must be used. – P Marecki Jun 03 '19 at 08:37
4

You do not use direct rules like that. You simply put your interface (eth0) into the external zone, which is already preconfigured in RHEL7/CentOS7 and has masquerade turned on, or you can enable masquerading on the zone your interface is in. By default it's public. So the correct answer would be either:

# firewall-cmd --zone=public --add-masquerade

or

# firewall-cmd --change-zone=eth0 --zone=external

That is really all you need to do. To enable NAT only for a particular subnet or range, you need a Rich Rule or Direct rule. That's a bit more complex. You can also simply refuse packets for others, which also seems an option.

lzap
  • `--change-zone=` is not documented, but works. `--change-interface=` works too. With `--permanent` it alters `/etc/sysconfig/network/ifcfg-eth0` instead of the xml file, and `--reload` does not load this setting. So additionally do it without `--permanent`, or `ifdown/ifup` – basin Oct 14 '21 at 20:41
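The three answers above describe three different firewalld shapes for the rule in the question: the zone-wide `--add-masquerade` (first and third answers), a direct rule in `direct.xml` (second answer), and a rich rule limited to the subnet (mentioned in the third answer). The following script, an added example for this thread and not code from any of the answers or from firewalld itself, parses the iptables command line from the question and emits all three forms, then shows how to merge the direct rule into an existing `direct.xml` without creating duplicates. It assumes the zone name `external` from the first answer, that `eth0` is the interface bound to that zone (the rich rule only restricts the source, because firewalld already dispatches nat/POSTROUTING to a zone by outgoing interface), and a constructed `SAMPLE_DIRECT_XML` with one unrelated rule; all function names are the example's own.

```python
#!/usr/bin/env python3
"""Translate an iptables MASQUERADE rule into its firewalld forms.

Added example for this thread; not code from the original answers or from
firewalld itself. It understands only the options used in the question
(-t nat -A POSTROUTING -s CIDR -o IFACE -j MASQUERADE) and rejects anything
else rather than silently dropping it.
"""
import ipaddress
import re
import shlex
import xml.etree.ElementTree as ET

# iptables options we accept (short and long spellings), mapped to field names
OPTS = {
    "-t": "table", "--table": "table",
    "-A": "chain", "--append": "chain",
    "-s": "source", "--source": "source",
    "-o": "oif", "--out-interface": "oif",
    "-j": "target", "--jump": "target",
}

# Constructed sample direct.xml with one unrelated rule, used to show the merge.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-i lo -j ACCEPT</rule>
</direct>
"""


def parse_iptables(cmd):
    """Parse the command line into fields; raise ValueError for anything unexpected."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "iptables":
        raise ValueError("expected an iptables command line")
    fields = {"table": "filter"}  # iptables' default when -t is omitted
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt not in OPTS or i + 1 >= len(argv):
            raise ValueError(f"unsupported or incomplete option {opt!r}")
        fields[OPTS[opt]] = argv[i + 1]
        i += 2
    missing = [k for k in ("chain", "source", "oif", "target") if k not in fields]
    if missing:
        raise ValueError(f"missing {missing}")
    if (fields["table"], fields["chain"], fields["target"]) != ("nat", "POSTROUTING", "MASQUERADE"):
        raise ValueError("only nat/POSTROUTING/MASQUERADE rules are translated")
    # strict=True rejects host bits (10.8.0.1/24), which iptables would quietly mask off
    fields["source"] = str(ipaddress.ip_network(fields["source"], strict=True))
    # Linux interface names: at most 15 chars, no whitespace or slash
    if not re.fullmatch(r"[^\s/]{1,15}", fields["oif"]):
        raise ValueError(f"bad interface name {fields['oif']!r}")
    return fields


def firewalld_equivalents(cmd, zone="external"):
    """Return the subnet-limited (direct, rich) and zone-wide firewalld forms."""
    f = parse_iptables(cmd)
    args = f"-s {f['source']} -o {f['oif']} -j MASQUERADE"
    rich = f'rule family="ipv4" source address="{f["source"]}" masquerade'
    return {
        # exact equivalent: raw iptables args in nat/POSTROUTING, zones bypassed
        "direct_cmd": f"firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 {args}",
        "direct_xml": f'<rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">{args}</rule>',
        # rich rule: firewalld dispatches nat/POSTROUTING to the zone by -o <iface>,
        # so this limits NAT to the subnet only if eth0 is bound to `zone` (assumed)
        "rich_cmd": f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rich}'",
        # zone-wide: masquerades everything leaving the zone's interfaces, not just the subnet
        "zone_cmd": f"firewall-cmd --permanent --zone={zone} --add-masquerade",
    }


def direct_xml_rules(text):
    """List (attributes, whitespace-normalized args) for every <rule> in a direct.xml."""
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "direct":
        raise ValueError("not a firewalld direct.xml document")
    return [(dict(r.attrib), " ".join((r.text or "").split())) for r in root.findall("rule")]


def add_direct_rule(text, rule_xml):
    """Append rule_xml to a direct.xml document unless an identical rule is present."""
    new = ET.fromstring(rule_xml)
    key = (dict(new.attrib), " ".join((new.text or "").split()))
    if key in direct_xml_rules(text):
        return text  # idempotent: re-running the script must not duplicate the rule
    root = ET.fromstring(text.encode("utf-8"))
    if len(root):
        root[-1].tail = "\n  "  # keep the two-space indentation of the existing rules
    else:
        root.text = "\n  "
    new.tail = "\n"
    root.append(new)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    rule = "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
    eq = firewalld_equivalents(rule)
    for name, cmd in eq.items():
        print(f"{name:10s} {cmd}")
    print(add_direct_rule(SAMPLE_DIRECT_XML, eq["direct_xml"]))
```

Whichever form you apply, the `--permanent` variants only take effect after `firewall-cmd --reload`; verify with `firewall-cmd --direct --get-all-rules`, `firewall-cmd --zone=external --list-rich-rules` or `firewall-cmd --zone=external --query-masquerade` (and, on an iptables backend, `iptables -t nat -S POSTROUTING`). A direct rule is passed straight to iptables, so it does not manage `net.ipv4.ip_forward` for you; check `sysctl net.ipv4.ip_forward` if forwarded traffic still does not leave the box.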