I've been trying for ages to write a firewall rule but no joy as I don't know what the correct syntax should be despite much searching on google.
I did a successful forward port command with this:
# firewall-cmd --permanent --zone=public --add-forward-port=port=5060:proto=udp:toport=5060:toaddr=192.168.1.61
but in this command I need to specify a single source IP so that udp 5060 traffic will only come in from that one IP.
I've tried source-address=, fromaddr= but nothing works. I always get:
Error: INVALID_FORWARD: invalid forward port arg 'source'
Error: INVALID_FORWARD: invalid forward port arg 'fromaddr'
what should the correct command be?
firewalld specify source port or fromaddr
Re: firewalld specify source port or fromaddr
First, firewalld is not suitable for routers or other complex setups.
Let's clarify: you have three machines: A, B, and C.
- A connects to udp/5060 of B
- You want to forward that connection from B to udp/5060 of C
The "firewalld way" is that the world has at least two "zones".
- A is in zone "X". When packets come from A, the rules of zone X handle them
- Everyone else is in zone "Y".
- Zone X has a rule to forward 5060 to C
In other words, X is probably a copy of Y, but with an added rule and A in its "sources".
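The zone-based setup the reply describes, as an added example that is not from the thread: a POSIX sh script that builds (and, only with --apply, runs) the firewall-cmd sequence for a zone whose sole source is A. The zone name "sip" and the source address 203.0.113.10 are assumptions; 192.168.1.61 and udp/5060 come from the original post.

```shell
# Added example, not from the thread: the "zone X" setup the reply describes.
# Constructed values: A (only allowed source) = 203.0.113.10, C = 192.168.1.61
# (the toaddr from the original post), udp/5060; the zone name "sip" is assumed.
SRC_IP="${SRC_IP:-203.0.113.10}"
TO_ADDR="${TO_ADDR:-192.168.1.61}"
PORT="${PORT:-5060}"
ZONE="${ZONE:-sip}"
# Accept only a plain IPv4 address or IPv4/prefix, so a typo never becomes a zone source.
valid_ipv4() {
    addr="${1%%/*}"
    mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}
# A new zone whose only member is A (matched by source address), carrying the OP's
# forward rule; everyone else stays in the default zone ("Y"), which has none. The
# quoted man page says forwarding is enabled implicitly because toaddr is given.
# A zone holding only this rule rejects all other traffic from A: add the services
# A also needs with --add-service (the "copy of Y" in the reply).
build_commands() {
    printf '%s\n' \
        "firewall-cmd --permanent --new-zone=$ZONE" \
        "firewall-cmd --permanent --zone=$ZONE --add-source=$SRC_IP" \
        "firewall-cmd --permanent --zone=$ZONE --add-forward-port=port=$PORT:proto=udp:toport=$PORT:toaddr=$TO_ADDR" \
        "firewall-cmd --reload"
}
main() {
    valid_ipv4 "$SRC_IP" || { echo "bad SRC_IP: $SRC_IP" >&2; return 1; }
    valid_ipv4 "$TO_ADDR" || { echo "bad TO_ADDR: $TO_ADDR" >&2; return 1; }
    if [ "${1:-}" = "--apply" ]; then
        build_commands | while IFS= read -r cmd; do
            echo "+ $cmd"
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        done
    else
        echo "dry run (pass --apply to execute):"
        build_commands
    fi
}
main "$@"
```

Run it as root with --apply on the firewalld host (B) after checking the dry-run output; verify afterwards with firewall-cmd --zone=sip --list-all.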
Re: firewalld specify source port or fromaddr
hmmm
surely there must be a simple way to include a 'from address' into the command I used
Re: firewalld specify source port or fromaddr
Upstream man firewall-cmd writes:
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
Add the IPv4 forward port. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
The --timeout option is not combinable with the --permanent option.
For IPv6 forward ports, please use the rich language.
Note: IP forwarding will be implicitly enabled if toaddr is specified.
Even the future firewall-cmd will have no "from address" in --add-forward-port.
The "simple way" is to add the rule to the zone that will handle the packets "from address". That is how FirewallD wants it.
The other "simple way" is to not use firewalld.service at all. Stay in iptables.service.
Re: firewalld specify source port or fromaddr
That's what I have done. I keep a "human readable" script with comments and variables (instead of raw IP addresses and device names), which I use to set the iptables, then, after running the script, I use iptables-save.